HashSmith: A Declarative Engine for Complex Password Cracking

date
Aug 28, 2025
photos
type
Post
pin
1
slug
hashsmith
language
lang-eng
status
Published
tags
lang-eng
Ethical
summary
HashSmith offers a declarative engine for password engineering. It allows you to compose complex password candidates by combining patterns, providing a powerful alternative to imperative rule-based systems.
Most password cracking tools work by mutating wordlists—taking a base word and applying transformations. While powerful, this approach struggles when passwords are not just modified words, but structures built from independent parts.
HashSmith is my latest experiment in password engineering—a tool that reimagines how password candidates are generated.
GitHub - BaksiLi/hashsmith: A password pattern engine and hashcat orchestrator in Python.
A password pattern engine and hashcat orchestrator in Python. - BaksiLi/hashsmith
GitHub - BaksiLi/hashsmith: A password pattern engine and hashcat orchestrator in Python.
https://github.com/BaksiLi/hashsmith
GitHub - BaksiLi/hashsmith: A password pattern engine and hashcat orchestrator in Python.
It combines the composability of functional programming with the practical needs of security assessments.
In short, with HashSmith, you describe what your password pattern is, not how to build it step-by-step. This declarative approach lets you model complex password policies with clean, maintainable code.

🧪 A Quick Taste: Your Childhood Password

Many of us once used a simple password pattern like this: a keyword, a significant date, and a special character suffix. This classical password structure is perfect for educational purpose.
With HashSmith, you start by defining small building blocks (where P stands for Pattern), as shown below:
The most fundamental two operators are:
  • & (AND): Concatenates patterns sequentially. It creates a Cartesian product of all elements.
    • E.g. P(['a', 'b']) & P(['c'])['ac', 'bc'] .
  • | (OR): Creates a choice between patterns, forming a union.
    • E.g. P(['a']) | P(['b']) P([’a’, ‘b’])['a', 'b'] .
This simple script produces exactly what you’d expect:
And you should not expect your REAL password in there. Unless, of course, you’re Haskel born in 1958 with a remarkably predictable password strategy!

🧱 Case Study: A Real-World Struggle

Hashcat is phenomenal for mutating single words or combining two wordlists. However, modern password policies are rarely that simple. The moment a structure involves more than two independent parts or requires conditional transformations, the traditional command-line approach begins to break down.
Let’s analyze a realistically complex password pattern:
A password is composed of: (Part A: User Identity) + (Part B: Context) + (Part C: Suffix)
  • Part A can be a Capitalized FirstName OR a FirstName-LastName combo. This entire part may also be transformed with l33t-speak.
  • Part B can be a ProjectCode OR a calendar-aware date (e.g., YYYYMMDD).
  • Part C is an optional special character.
  • The final password must be between 10 and 20 characters.
This structure is a nightmare for standard tools because it requires combining, transforming, and choosing between multiple, unrelated data sources while enforcing length constraints.

🤔 Traditional Way: A Fragile, Multi-Step Nightmare

Using only standard command-line tools and hashcat, you're forced into a brittle, multi-phase process that creates a mess of temporary files.

Step 1: Generate the 'User Identity' Component

First, we have to manually construct all the name variations.
We've already run five commands and created four temporary files just to build the first part of the password.

Step 2: Generate the 'Context' Component

Now we build the middle part. Notice that generating calendar-aware dates is nearly impossible with shell tools, so we might need to ‘borrow’ from another script.

Step 3: Combination & Filtering

Finally, we combine, add the optional suffix, and filter by length.
The result is a disaster: a dozen commands, multiple large intermediate files consuming disk space and I/O, and a workflow that's impossible to debug or modify easily.

✅ HashSmith Way: Clean, Composable, and Clear

HashSmith turns that entire nightmare into a single, readable script. The code is a direct, logical representation of the password policy.
That's it. The entire complex logic is expressed in a few clear, composable lines. HashSmith handles the Cartesian products, unions, on-the-fly transformations, and intelligent date generation internally, streaming the results with minimal memory and zero intermediate files.

Conclusion

HashSmith doesn't aim to replace hashcat; it aims to be its perfect companion. By shifting the focus from imperative mutation to declarative composition, it provides a powerful and elegant solution for modeling today's complex, structured passwords.
It excels where password candidates are not just modified words, but structured concatenations of distinct elements. If this approach sounds useful for your workflow, check out the project
hashsmith
BaksiLiUpdated Aug 28, 2025
 (give it a star)! 🚀

© Baksi Li 2023 - 2025