The rules define various modifications of password candidates. Such alterations include replacing and swapping of characters and substrings, password truncation, etc. Hashcat and Fitcrack currently supports over 70 different password-mangling rules. The complete list of possible rules can be found on hashcat website.

While the combinator and hybrid attacks allow the use of only one rule definition for each part, the dictionary attack can use a ruleset file.

A ruleset file is a text file which can contain one or more password-mangling rules on each line. The rules are applied to all candidate passwords in the following way: the first candidate password is modified by rules on the first line of the ruleset; the result is used. Then, the rules on the second line of the ruleset are applied to the original password; the result is used. Eventually, the entire ruleset is processed. The same password-mangling principle is applied to the second candidate password, third candidate password, until Fitcrack eventually reaches the end of the password dictionary.