Advertisement

Responsive Advertisement

Recent in Technology

How many passwords will be in my wordlists

Understanding Wordlist Sizes in Password Cracking

Today, one of my students asked me a really interesting question. He had generated a wordlist for password cracking. When he created a wordlist with 8-character passwords, the file size was around 850MB. But when he generated a wordlist with 11-character passwords, the size jumped dramatically to about 1TB. He was surprised and asked if this could even be possible — or if he might have done something wrong in the process.

To answer this properly, we need to bring in a bit of math and logic.

The Math Behind Wordlist Sizes

There’s a simple formula we can use to calculate the total number of possible combinations for a given password length. That formula is:

Total Combinations = Nk

Where:

  • N is the number of possible characters.
  • k is the desired password length.

If you're including lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and special characters (from the ASCII set), you're working with a character pool of 94 characters. This includes:

  • 26 lowercase letters
  • 26 uppercase letters
  • 10 digits
  • 32 common special characters

So in this scenario, N = 94.

If you want to generate a wordlist with passwords that are exactly 11 characters long (k = 11), you plug that into the formula:

Total Words (Output) = 9411 = 452,592,555,601,246,976

Yes, that’s over 452 trillion trillion possible combinations! That’s the total number of passwords your wordlist would have if it covered every single possibility of 11-character passwords from a 94-character set.

Calculating File Size

Let’s say each password is stored as plain text in a wordlist. That means each character takes up 1 byte of space (assuming ASCII encoding). Since every password has 11 characters, each entry takes 11 bytes.

Now let’s multiply:

Total size = 452,592,555,601,246,976 passwords × 11 bytes = 4,978,518,111,613,716,736 bytes

That’s about 4.5 Petabytes — not even 1TB. So actually, if a wordlist truly covered all possible 11-character passwords using 94 possible characters, the size should be in the *petabyte* range, not just terabytes.

But the student reported that his file was only about 1TB. So, what gives?

Why Wordlists Are So Large — and Still Not “Complete”

There are several possibilities here:

  • He may not have included all 94 characters in his character set (perhaps only lowercase letters and digits, for instance).
  • He may have used a rule-based generation system that filters out unlikely combinations.
  • Compression or formatting might have reduced the file size.

But the takeaway is this: the larger the password length, the more exponential the growth of the wordlist becomes.

Why Full Wordlists Aren’t Practical

When it comes to real-world password cracking, security professionals (and hackers too) rarely use full wordlists that cover all possible combinations — especially for anything over 8 characters. Here’s why:

  • Storage: Saving a multi-terabyte or petabyte wordlist takes up enormous disk space.
  • Time: Generating such a wordlist takes hours, days, or even weeks depending on your system.
  • Efficiency: Even if you had the wordlist, trying every password in it would take a very long time — often making brute-force attacks impractical.

That’s why most professionals use targeted wordlists — for example, those generated with tools like CeWL, Crunch, or CUPP — which attempt to guess passwords based on user behavior, commonly used phrases, or social engineering data.

In short, while it’s theoretically possible to generate massive wordlists, it’s almost never done in practice for anything above 8 characters unless it’s a very specific task. Instead, cracking tools rely on smart guesses, dictionaries, and hybrid attacks that balance size and efficiency.

Final Thoughts

So yes — if you're generating a full 11-character wordlist with a full 94-character set, you’re looking at a theoretical file size of multiple petabytes. That’s why the field of password cracking has shifted towards smarter techniques instead of blindly brute-forcing massive wordlists.

Thanks for reading!

Post a Comment

0 Comments