How to Create and Use Wordlists for Password Testing

Before we start, this tutorial is strictly for educational and authorized security testing purposes only. Do not attempt these techniques on systems or files you do not own or have permission to test.

When people hear about password cracking, they often imagine someone sitting behind a screen randomly guessing passwords until something works. In reality, that’s not how it usually happens. Most attacks rely on something far more simple and far more effective: wordlists.

A wordlist is just a text file containing possible passwords, one per line. Tools don’t “think” — they simply try each word in the list until one works or the list runs out. What makes wordlists powerful isn’t the tool, but the fact that humans tend to reuse the same kinds of passwords over and over again.

If you think about it, most people don’t sit down and invent a truly random password. They use names, numbers, simple patterns, or things that are easy to remember. Wordlists are built around that reality. 

Kali Linux already comes with several wordlists, so we don’t need to create one immediately. Let’s first look at what’s already available.

Open a terminal and navigate to the wordlists directory:

$ cd /usr/share/wordlists
$ ls

Inside this directory, you’ll notice a file called rockyou.txt.gz. This is one of the most commonly used wordlists in cybersecurity. It was built from real passwords leaked in a past data breach, which means every entry in it is something a real person once used as a password.

On my system, this file is already unzipped. If yours is still compressed, you can unzip it using:

$ sudo gunzip rockyou.txt.gz

Once that’s done, you’ll have rockyou.txt. If you take a quick look inside it, you’ll immediately see why wordlists work so well:

$ head rockyou.txt

Most of the passwords are short, simple, and familiar. That’s not a coincidence — it’s human behavior.

If we have a password-protected file, a wordlist allows a testing tool to try real, human-chosen passwords instead of guessing blindly. The tool simply works through the list, one entry at a time.

If the correct password appears in the list, it will eventually be found. If it doesn’t, the attempt fails — which is exactly what should happen when stronger passwords are used.

This naturally leads to an important question:
what happens when the password isn’t in a common wordlist like rockyou?

That’s where custom wordlists come in.

Sometimes, during an investigation or authorized test, you might have small clues about how a password looks. Maybe you know the length. Maybe you know it contains only numbers. Maybe you noticed a pattern when the password was entered. Instead of relying on massive wordlists, it makes more sense to generate only the combinations that matter. It’s not uncommon to come across password policies during pentests.

This is where a tool called Crunch becomes useful.

Crunch allows you to create wordlists based on specific rules — length, characters, and even patterns. Kali Linux already includes it, so there’s nothing extra to install. If you type crunch into your terminal and see usage information, it’s ready to use.

Let’s start with something simple.

Imagine you believe a password is four digits long. Instead of testing millions of unrelated passwords, you can generate only four-digit numbers and save them in a text file:

$ crunch 4 4 0123456789 -o numbers.txt

Crunch will create a file containing every possible four-digit combination. You can quickly confirm this by viewing the file:

$ head numbers.txt

At this point, you now have a fully usable wordlist. It can be fed into any password-testing tool that accepts wordlists, which we’ll look at in a later tutorial. For now, the important part is understanding how easily predictable passwords can be generated once length and character type are known.

As passwords get longer or more complex, Crunch can still help — but the number of combinations grows very quickly. This is why length matters so much when it comes to password security.

Crunch also allows you to work with patterns. For example, if you know a password starts with a capital letter and ends with a number, you can tell Crunch to generate only passwords that match that structure using the -t flag.:

$ crunch 6 6 -t ,@@@@%

By doing this, you’re no longer guessing everything. You’re narrowing the possibilities down to what actually makes sense based on what you know. 

Also, crunch comes with a lot of options to help create diverse wordlists. To see the options available with the tool, use:

$ man crunch

When you look at both approaches — using existing wordlists and creating your own — the idea behind them is the same. The tools themselves aren’t smart. They don’t understand context or people. They just work through the guesses we give them.

What makes these attacks effective is how predictable humans tend to be. Short passwords, familiar patterns, and reused combinations all make the job easier.

Strong passwords don’t win because they’re clever or complicated. They win because they’re long, unique, and hard to anticipate. Once predictability is removed, tools like these quickly become impractical.

That’s the real takeaway behind wordlists. 

To learn how to use wordlists to crack locked PDFs, check out this tutorial.