Valence

A CLI tool that generates targeted password candidate lists from personal profile data — built for authorized pentests and internal security audits.


Valence CLI tool

View on Official Site

So I've been doing some security work lately and kept running into the same problem: generic wordlists like rockyou.txt are massive but totally untargeted. If you're doing an authorized pentest or internal security awareness audit, you don't need millions of random passwords — you need a few thousand smart ones based on what you know about the target.

That's why I built Valence.


What is it?

Valence is a CLI tool that takes a personal profile (name, birthdate, pet's name, partner, city, etc.) and generates a deduplicated list of password candidates that mirror how real people actually create passwords.

The name comes from chemistry — the idea that atoms bond to form new structures. Here, personal data points are the atoms, and Valence bonds them together in every meaningful way.

valence -first John -last Smith -pet Max -birthdate 1990-05-15

That one command generates candidates like john123, MaxSmith!, j0hn_1990, nhoj@smith, 5m1th1990 — you get the idea.


The fun stuff it does

Leet-speak substitutions — not just simple a→@ swaps. It applies 1-, 2-, and 3-rule combinations, so you get j0hn, j@ne, $m1th, and everything in between.

Per-character toggle case — generates all 2ⁿ combinations for each token. jOhN, JoHn, jOHn... yeah, it covers them all.

Birthdate expansion — a single 1990-05-15 expands into 1990, 90, 0515, 1505, 15051990, 05151990, and more.

Phone number derivation — plug in 555-123-4567 and it automatically extracts last-4 (4567), last-6 (234567), area code (555), and the full digits.

Common-word mixing — pairs profile tokens with real-world breach-corpus words. Think johnlove, dragonsmith, ilovejohn. These show up constantly in real password dumps.

Reversed tokensnhoj, htims. Sounds weird but people actually do this.

Initials — derives JSmith and JohnS style tokens automatically.

Everything runs through a prefix → mutate → suffix → pair → word-mix → deduplicate pipeline that keeps output clean and sorted.


Two ways to use it

Interactive mode — just run valence with no flags and it walks you through everything:

Valence interactive profile builder
Leave any field blank to skip it.
 
  First name:           John
  Last name:            Smith
  Pet's name:           Max
  Date of birth:        1990-05-15
 
  Output file [john_smith.txt]:

Flag mode — great for scripting:

valence -first John -last Smith -nick Johnny \
        -partner Sarah -pet Max -child Emma \
        -phone "555-123-4567" -city Bangkok \
        -username j0hn -birthdate 1990-05-15 \
        -o john_smith.txt

Pipe it anywhere

stdout is reserved for candidates only; metadata goes to stderr. So you can pipe directly into hashcat without any cleanup:

valence -first John -pet Max | hashcat -a 0 -m 1000 hashes.txt

Or filter it:

valence -first John -birthdate 1990-05-15 | sort -u > candidates.txt

Zero dependencies

The whole core engine (pkg/profiler) runs on Go's standard library — no third-party packages. That means it's auditable, embeddable, and you can import it into your own tools.

The architecture splits the core from the CLI intentionally. pkg/profiler does the work; main.go handles I/O. Clean separation.


Installing it

Homebrew (macOS/Linux):

brew tap g4m3m4g/tap
brew install valence

curl one-liner (no Go required):

curl -fsSL https://raw.githubusercontent.com/g4m3m4g/Valence/main/scripts/install.sh | sh

Go install:

go install github.com/g4m3m4g/valence@latest

Disclaimer — This tool is strictly for authorized security work: pentests, internal audits, security awareness campaigns. Using it against accounts or individuals without explicit written authorization is illegal. The README has the full legal breakdown.

GitHub: g4m3m4g/Valence