6 digit otp wordlist

6 Digit Otp Wordlist Fix Jun 2026

If your risk profile is high, consider moving away from 6-digit numerical codes:

Using TOTP (Time-based One-Time Password) ensures the code changes every 30 seconds, making a full wordlist attack mathematically impossible within the valid window.

Attackers trick mobile carriers into routing a victim's phone number to a new SIM card, allowing them to receive SMS-based OTPs directly.

Because it only consists of numbers, it is incredibly compact compared to alphanumeric wordlists. Technical Specifications: 1,000,000. Range: 000000 to 999999.

If an API lacks rate limiting, a basic multi-threaded script can send 1,000 requests per second. At this speed, the entire 6-digit wordlist can be exhausted in less than , guaranteeing unauthorized access.

If you arrived at this article seeking a downloadable wordlist for malicious purposes, consider this a final warning: Unauthorized brute-force attacks violate computer crime laws, breach service terms, and can lead to civil lawsuits or criminal prosecution. Instead, use this knowledge to secure your own systems or pursue ethical security research with proper authorization.

Increases the keyspace from 1 million to 100 million combinations (10^8).

A standard 6-digit wordlist contains every numeric combination from 000000 to 999999, totaling 1,000,000 unique possibilities. Single Guess Success Rate: 0.0001%.

In the digital age, the 6-digit One-Time Password (OTP) has become a silent sentinel guarding our most sensitive accounts—from online banking and email to social media and corporate VPNs. Every few seconds, millions of these codes are generated by apps like Google Authenticator, Authy, or sent via SMS.

An OTP must be single-use only. Once it is submitted—whether correctly or incorrectly—ensure it cannot be reused.

Attackers will keep refining their wordlists. Tomorrow’s lists might include:

Many systems (especially poorly configured web apps) have a flaw: they don’t rate-limit OTP attempts aggressively enough. An attacker who already has a victim’s username and password (stolen via phishing or a data breach) will trigger an OTP request to the victim’s phone. Then, armed with a 6-digit wordlist, the attacker launches an automated script that tries the top 500 codes (like 123456, 111111, etc.) within the 60-second window. If the victim chose a weak OTP seed or the system has a long validity window (e.g., 5 minutes), the attacker breaks in.

Yet, a dark and controversial corner of the cybersecurity world revolves around a simple but dangerous search phrase:

These patterns are so common in the real world that they are a standard part of any comprehensive wordlist.

At a rate of 1,000 guesses per second, an attacker has a 50% chance of guessing the correct code in roughly 18.5 minutes if no other protections exist.