Generate a starter wordlist from a target's domain during an authorized pentest
Build a CTF-prep dictionary that mixes a team name with year and punctuation patterns
Audit your own organization's password policy by trying common name plus year forms
Add Chinese keywords and let the extension expand them via pinyin
Requires loading an unpacked Chrome extension in developer mode, and use is restricted to environments where you have written permission.
This repository is a Chrome browser extension that generates weak-password wordlists for use in authorized penetration testing and security assessments. The author, writing in Chinese, names it Wujing Sword and is clear in the disclaimer that it is meant for jobs where the tester has permission from the target, for capture-the-flag style exercises, and for defensive research, not for breaking into systems without consent.

The core idea is that organizations often pick passwords made from their own name plus a year or a common suffix, so a tester can guess them quickly with a list built from the right starting words. The extension reads the domain the user is currently on, pulls out a short keyword from it, and then combines that keyword with years and other patterns to produce a list of candidate passwords.

Domain handling has a few useful behaviors. It strips common second-level country suffixes like .com.cn, .edu.cn, .gov.cn, .co.uk, and .co.jp, so for example lydx.edu.cn becomes the keyword lydx. Plain IP addresses are skipped. The user can also add their own custom keywords, separated by commas. Chinese keywords are automatically converted to pinyin (so the university name Linyi Daxue turns into linyidaxue), and English words are kept as-is. Duplicates are removed.

The extension offers nine generation rules, each producing a different pattern such as keyword@year, Keyword@year, keyword with no separator and a year, keyword with various punctuation between it and the year, account prefixes like root@keyword or sa@keyword, the reversed year@keyword form, and patterns that add common email suffixes like @qq.com or @163.com. Every rule can be output in lowercase, with a leading capital, or all uppercase, with the all-caps form behind a global toggle.

Installing it is the usual unpacked-extension flow: clone or download the project, open chrome://extensions, turn on developer mode, click Load unpacked, and pick the weak-password-dict folder.
Once running, the user can adjust the year range (default 2010 to 2026), edit four lists of suffixes with a restore-defaults option, copy all results at once, and download them as a text file with duplicates already removed. The license is MIT.
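The same patterns can be turned around for the policy-audit use case: the added example below (not code from the repository) is a password-change check that rejects candidates built from the organization's own keyword plus a year. The function names, the separator set and the sample passwords are assumptions; the suffix list, the IP skipping and the 2010 to 2026 default come from the description above.

```javascript
// Added example: defender-side check, not the extension's own code.
// Suffix list and default year range follow the description above;
// function names and the separator set are assumptions.
const MULTI_SUFFIXES = [".com.cn", ".edu.cn", ".gov.cn", ".co.uk", ".co.jp"];

// Derive the short keyword from a hostname; returns null for plain IPv4 addresses.
function domainKeyword(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return null;
  const multi = MULTI_SUFFIXES.find((s) => h.endsWith(s));
  // Strip the two-part suffix if present, otherwise the last label (the TLD).
  const base = multi ? h.slice(0, -multi.length) : h.replace(/\.[^.]+$/, "");
  const labels = base.split(".").filter(Boolean);
  return labels.length ? labels[labels.length - 1] : null;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// True if the password is an org keyword combined with a year in range
// (either order, at most one punctuation separator, any letter case),
// or an account prefix form such as root@keyword or sa@keyword.
function isOrgDerived(password, keywords, fromYear = 2010, toYear = 2026) {
  const pw = password.toLowerCase();
  const sep = "[@#!._\\-]?";
  for (const kw of keywords.map((k) => k.toLowerCase()).filter(Boolean)) {
    const k = escapeRe(kw);
    const m = pw.match(new RegExp(`^(?:${k}${sep}(\\d{4})|(\\d{4})${sep}${k})$`));
    if (m) {
      const year = Number(m[1] || m[2]);
      if (year >= fromYear && year <= toYear) return true;
    }
    if (new RegExp(`^(?:root|sa)@${k}$`).test(pw)) return true;
  }
  return false;
}

// Constructed sample: passwords proposed at change time for the lydx.edu.cn example.
function auditSample() {
  const keywords = [domainKeyword("lydx.edu.cn"), "linyidaxue"];
  const proposed = ["Lydx@2024", "2020#LYDX", "sa@lydx", "linyidaxue2019", "tr4verse-Kiln-opal"];
  return proposed.filter((p) => isOrgDerived(p, keywords));
}
```

Wired into a password-change hook, a match means the candidate should be rejected before it is stored.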
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.