What is a wordlist attack?

A wordlist attack tests every entry in one or more password dictionaries against a hash. It is effective against passwords that follow common real-world patterns. OnlineHashCrack provides access to Probable-Wordlists, Weakpass, a private collection, and support for custom user-uploaded wordlists.

What is a bruteforce attack?

A bruteforce attack tests every possible combination within a defined keyspace, determined by charset (lowercase, uppercase, digits, symbols) and password length. The number of candidates is charset_size ^ length. The duration estimate is shown before payment.

What are rulesets in password cracking?

Rulesets transform each wordlist entry into multiple new candidates by applying substitutions, case changes, prefixes, and suffixes on-the-fly. For example, 'password' becomes 'P@ssw0rd', 'password2024!', etc. Adding a ruleset to a wordlist attack significantly increases coverage at a fraction of the cost of a full bruteforce.

How much do custom GPU attacks cost?

Custom wordlist and bruteforce attacks cost $9 per hour of GPU time. The estimated duration and total cost are shown before you confirm payment. Fees are non-refundable once GPU resources have been consumed.

Can I use my own wordlist?

Yes. You can upload a custom wordlist to your OnlineHashCrack account and use it as the source for a wordlist attack against your hashes.

Wordlist & Bruteforce Attacks | OnlineHashCrack GPU Password Recovery

Tests every entry in one or more password dictionaries against your hash. Effective against passwords that follow common patterns or real-world choices — the majority of weak credentials in the wild.

Available wordlists

Probable-Wordlists — sorted by real-world probability
Weakpass — large curated public collection
Our private collection — compiled from real-world breach data
Your own custom wordlist — upload it to your account and use it directly

Tests every possible combination within a defined keyspace. The two parameters that control it are charset and length — together they determine the number of candidates and the estimated duration.

Parameters

Charset — lowercase (a–z), uppercase (A–Z), digits (0–9), symbols, or any combination
Length — minimum and maximum password length to test
Keyspace — charset size ^ length — shown before you confirm
Duration estimate — based on keyspace and algorithm hashrate — shown before payment

Open the Bruteforce Configurator →

A ruleset transforms each wordlist entry into dozens or hundreds of new candidates by applying substitutions, prefixes, suffixes, case changes, and more. It dramatically expands coverage without the cost of a full bruteforce run.

Examples: password → P@ssw0rd, password2024!, PASSWORD.
Rules are applied on-the-fly during the attack — no extra storage needed.

Read the hashcat rule reference →

$9 / hr Billed by actual GPU time consumed

Price shown upfront Duration estimate displayed before payment

Email notification Result (found or not found) sent automatically

Non-refundable Once GPU resources are consumed — see pricing

Password recovery workflow — submit, process, notify, unlock