Detailed guide on Password Transmutations

What are password transmutations?

Password transmutations are also known as Password Mutations which refer to the process of transforming a password into a different form to make it harder for hackers to crack. This process involves taking the original password and running it through a mathematical algorithm to generate a new, more complex password.

There are several types of password transmutations, including hashing, salting, and key stretching. Hashing involves taking a password and running it through a one-way mathematical function that converts the password into a fixed-length string of characters. Salting involves adding random data to a password before hashing it, which makes it more difficult for attackers to use precomputed hash tables to crack passwords. Key stretching involves repeating the hashing process multiple times, making it even more difficult for attackers to crack the password.

Why password transmutations are important?

Password transmutations are essential for protecting user data from attackers. In today’s world, where cyber threats are prevalent, a strong password is no longer enough to secure an account. Attackers can use a variety of methods, such as brute force attacks and dictionary attacks, to crack weak passwords.

Password transmutations add an extra layer of security by making it more difficult for attackers to crack passwords. Even if an attacker manages to steal a hashed password from a database, they will not be able to reverse engineer it to recover the original password without a significant amount of time and computing resources.

Moreover, password transmutations are especially important for organizations that handle sensitive data, such as financial institutions and healthcare providers. In these cases, password transmutations can help prevent data breaches that can lead to significant financial losses and reputational damage.

How Password transmutations can help in brute forcing passwords?

Well, let’s suppose we are performing a brute force attack on a website or system, so here the main key point is wordlists, If you have good wordlists then the chances will be higher to brute force and get account takeover on that particular website or system. In this scenario, for example, there’s a password which is HiTH#@132, so if someone already transmuted or salted it, then it can be something like for example 8ItHc3K(2 . So here the point is if we’ll transmute it from our end then might be there’s a possibility to get the actual password, but then it also depends on passwords to passwords.

Secure passwords using transmutations

You might be wondering how to secure the passwords using transmutations if we can do brute force?

So here the thing is if you’ll simultaneous transmutation multiple times then there might be a possibility that your passwords will get complex. And also for research purposes, you can test weaknesses in your system or website with the help of transmutations.


Now let’s see how we can transmute or mutate the passwords.

There is an open-source tool called Passmute which is developed by our team

About PassMute:

This is a command-line tool written in Python that applies one or more transmutation rules to a given password or a list of passwords read from one or more files. The tool can be used to generate transformed passwords for security testing or research purposes. Also, while you doing pen-testing or bug hunting it will be a very useful tool for you to brute force the passwords!!

Proof of Brute Forcing Passwords by using the transmuted passwords on PassMute

While I was performing a pentest on a website, I was using rockyou.txt for brute forcing. In that case, it was showing no valid passwords were found. But the interesting point is when I transmuted the passwords, I was easily able to crack the passwords. For the reference purpose you can check the password strength meter of the following password and it contains 10 characters which is k321#@0l4H can be checked out here: Password Strenght Meter


How Passmute can also help to secure our passwords more?

PassMute can help to generate strong and complex passwords by applying different transformation rules to the input password. However, password security also depends on other factors such as the length of the password, randomness, and avoiding common phrases or patterns.

The transformation rules include:

reverse: reverses the password string

uppercase: converts the password to uppercase letters

lowercase: converts the password to lowercase letters

swapcase: swaps the case of each letter in the password

capitalize: capitalizes the first letter of the password

leet: replaces some letters in the password with their leet equivalents

strip: removes all whitespace characters from the password

The tool can also write the transformed passwords to an output file and run the transformation process in parallel using multiple threads.


git clone https://HITH-Hackerinthehouse/PassMute.git
cd PassMute
chmod +x

Usage To use the tool, you need to have Python 3 installed on your system. Then, you can run the tool from the command line using the following options:

python [-h] [-f FILE [FILE ...]] -r RULES [RULES ...] [-v] [-p PASSWORD] [-o OUTPUT] [-t THREAD_TIMEOUT] [--max-threads MAX_THREADS]

Here’s a brief explanation of the available options:

-h or –help: shows the help message and exits

-f (FILE) [FILE …], –file (FILE) [FILE …]: one or more files to read passwords from

-r (RULES) [RULES …] or –rules (RULES) [RULES …]: one or more transformation rules to apply

-v or –verbose: prints verbose output for each password transformation

-p (PASSWORD) or –password (PASSWORD): transforms a single password

-o (OUTPUT) or –output (OUTPUT): output file to save the transformed passwords

-t (THREAD_TIMEOUT) or –thread-timeout (THREAD_TIMEOUT): timeout for threads to complete (in seconds)

–max-threads (MAX_THREADS): maximum number of threads to run simultaneously (default: 10)

NOTE: If you are getting any error regarding argparse module then simply install the module by following command: pip install argparse


Here are some example commands those read passwords from a file, applies two transformation rules, and saves the transformed passwords to an output file:

Single Password transmutationpython -p HITHHack3r -r leet reverse swapcase -v -t 50


Multiple Password transmutationpython -f testwordlists.txt -r leet reverse -v -t 100 -o testupdatelists.txt


Here Verbose and Thread are recommended to use in case you’re transmuting big files and also it depends upon your microprocessor as well, it’s not required every time to use threads and verbose mode.

Legal Disclaimer:

Hackerinthehouse, its author, any contributor of this project, and GitHub won’t be responsible for any actions made by you. This tool is made for security research and educational purposes only. It is the end user’s responsibility to obey all applicable local, state, and federal laws.