The million possible combinations seem formidable—until you realize that 90% of users choose from only 1,000 of them. Build your defenses accordingly.
| Scenario | Total Possible Codes | Attempts per Second | Time to 50% Success (Full list) | Time to 50% Success (Top 1,000 list) | | :--- | :--- | :--- | :--- | :--- | | (no rate limit) | 1,000,000 | 100 | ~83 minutes | ~5 seconds | | Ideal (rate limit: 3 attempts/min) | 1,000,000 | 0.05 | ~347 days | ~11 hours | | Vulnerable (no lockout, 10 attempts/sec) | 1,000,000 | 10 | ~14 hours | < 2 minutes | 6 digit otp wordlist
Most apps lock you out after 3 to 5 failed attempts. Even with a million-number list, a hacker only gets five shots. Short Lifespans: Even with a million-number list, a hacker only
(an ethical hacker), this wordlist is a diagnostic tool. They use it to ensure that a company’s "forgot password" or "login" screen properly rejects multiple failed attempts. If the wordlist works, the developer knows they need to add a "cooldown" timer or a CAPTCHA to protect their users. The takeaway? If the wordlist works, the developer knows they
: The probability of guessing a random 6-digit code on the first attempt is 1 in 1,000,000 Common Use Cases Penetration Testing
If the OTP is generated by a human (e.g., a user-chosen PIN for a banking app) rather than a cryptographically secure pseudo-random number generator (CSPRNG), patterns emerge. A targeted wordlist may prioritize:
You don’t actually need to download a wordlist; you can generate one in seconds using simple command-line tools or Python. This is safer than downloading files from untrusted sources, which often contain malware.