Difference between revisions of "Passwords"
Line 206: | Line 206: | ||
<td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt.bz2 tuscl-withcount.txt.bz2] (182,441 bytes)</td> | <td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt.bz2 tuscl-withcount.txt.bz2] (182,441 bytes)</td> | ||
<td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt tuscl-withcount.txt] (635,303 bytes)</td> | <td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt tuscl-withcount.txt] (635,303 bytes)</td> | ||
</tr> | |||
<tr> | |||
<td>[Facebook Phished]</td> | |||
<td>[http://downloads.skullsecurity.org/passwords/facebook-phished.txt.bz2 facebook-phished.txt.bz2] (14,457 bytes)</td> | |||
<td>[http://downloads.skullsecurity.org/passwords/facebook-phished.txt facebook-phished.txt] (25,688 bytes)</td> | |||
<td rowspan='2'>2010-09</td> | |||
<td rowspan='2'>Thanks to Andrew Orr for reporting</td> | |||
</tr> | |||
<tr> | |||
<td>Facebook Phished - w/ count</td> | |||
<td>[http://downloads.skullsecurity.org/passwords/facebook-phished-withcount.txt.bz2 facebook-phished-withcount.txt.bz2] (14,941 bytes)</td> | |||
<td>[http://downloads.skullsecurity.org/passwords/facebook-phished-withcount.txt facebook-phished-withcount.txt] (45,224 bytes)</td> | |||
</tr> | </tr> | ||
</table> | </table> |
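Review bot: The Name cell in the first added row, `<td>[Facebook Phished]</td>`, uses single-bracket external-link syntax with no URL inside, so the wiki will render the brackets as literal text. Either put the source URL inside the brackets or drop them, so the label matches the plain `Facebook Phished - w/ count` cell in the row that follows.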
Revision as of 02:12, 16 September 2010
Password dictionaries
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
Name | Compressed | Uncompressed | Notes |
John the Ripper | john.txt.bz2 (10,934 bytes) | john.txt (21,935 bytes) | Simple, extremely good, designed to be modified |
Cain & Abel | cain.txt.bz2 (1,069,968 bytes) | cain.txt (3,149,586 bytes) | Fairly comprehensive, not ordered |
Conficker worm | conficker.txt.bz2 (1411 bytes) | conficker.txt (702 bytes) | Used by Conficker worm to spread -- low quality |
500 worst passwords | 500-worst-passwords.txt.bz2 (1868 bytes) | 500-worst-passwords.txt (3493 bytes) | |
370 Banned Twitter passwords | twitter-banned.txt.bz2 (1509 bytes) | twitter-banned.txt (2780 bytes) |
Leaked passwords
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them).
The best use of these is to generate or test password lists.
Note: The dates are approximate.
Name | Compressed | Uncompressed | Date | Notes |
Rockyou | rockyou.txt.bz2 (60,498,886 bytes) | rockyou.txt (139,921,497 bytes) | 2009-12 | Best list available; huge, stolen unencrypted |
Rockyou with count | rockyou-withcount.txt.bz2 (59,500,255 bytes) | rockyou-withcount.txt (254,676,625 bytes) | ||
phpbb | phpbb.txt.bz2 (868,606 bytes) | phpbb.txt (1,574,395 bytes) | 2009-01 | Ordered by commonness; cracked from md5 by Brandon Enright (97%+ coverage) |
phpbb with count | phpbb-withcount.txt.bz2 (872,867 bytes) | phpbb-withcount.txt (3,049,507 bytes) | ||
phpbb with md5 | phpbb-withmd5.txt.bz2 (4,117,887 bytes) | phpbb-withmd5.txt (7,659,241 bytes) | ||
MySpace | myspace.txt.bz2 (175,970 bytes) | myspace.txt (356,352 bytes) | 2006-10 | Captured via phishing |
MySpace - with count | myspace-withcount.txt.bz2 (179,929 bytes) | myspace-withcount.txt (653,504 bytes) | ||
Hotmail | hotmail.txt.bz2 (47,195 bytes) | hotmail.txt (87,383 bytes) | Unknown | It isn't clearly understood how these were stolen |
Hotmail with count | hotmail-withcount.txt.bz2 (47,975 bytes) | hotmail-withcount.txt (158,831 bytes) | ||
Faithwriters | faithwriters.txt.bz2 (39,327 bytes) | faithwriters.txt (72,695 bytes) | 2009-03 | Religious passwords |
Faithwriters - with count | faithwriters-withcount.txt.bz2 (40,233 bytes) | faithwriters-withcount.txt (139,480 bytes) | ||
Elitehacker | elitehacker.txt.bz2 (3,690 bytes) | elitehacker.txt (6,516 bytes) | 2009-07 | Part of zf05.txt |
Elitehacker - with count | elitehacker-withcount.txt.bz2 (3,846 bytes) | elitehacker-withcount.txt (13,676 bytes) | ||
Hak5 | hak5.txt.bz2 (16,490 bytes) | hak5.txt (24,714 bytes) | 2009-07 | Part of zf05.txt |
Hak5 - with count | hak5-withcount.txt.bz2 (16,947 bytes) | hak5-withcount.txt (43,522 bytes) | ||
Älypää | alypaa.txt.bz2 (5,178 bytes) | alypaa.txt (11,634 bytes) | 2010-03 | Finnish passwords |
alypaa - with count | alypaa-withcount.txt.bz2 (6,013 bytes) | alypaa-withcount.txt (22,706 bytes) | ||
Facebook (Pastebay) | facebook-pastebay.txt.bz2 (375 bytes) | facebook-pastebay.txt (500 bytes) | 2010-04 | Found on Pastebay; appear to be malware-stolen. |
Facebook (Pastebay) - w/ count | facebook-pastebay-withcount.txt.bz2 (407 bytes) | facebook-pastebay-withcount.txt (940 bytes) | ||
Unknown porn site | porn-unknown.txt.bz2 (30,600 bytes) | porn-unknown.txt (57,836 bytes) | 2010-08 | Found on angelfire.com. No clue where they originated, but clearly a porn site. |
Unknown porn site - w/ count | porn-unknown-withcount.txt.bz2 (31,899 bytes) | porn-unknown-withcount.txt (122,548 bytes) | ||
Ultimate Strip Club List | tuscl.txt.bz2 (176,291 bytes) | tuscl.txt (324,743 bytes) | 2010-09 | Thanks to Mark Baggett for finding! |
Ultimate Strip Club List - w/ count | tuscl-withcount.txt.bz2 (182,441 bytes) | tuscl-withcount.txt (635,303 bytes) | ||
[Facebook Phished] | facebook-phished.txt.bz2 (14,457 bytes) | facebook-phished.txt (25,688 bytes) | 2010-09 | Thanks to Andrew Orr for reporting |
Facebook Phished - w/ count | facebook-phished-withcount.txt.bz2 (14,941 bytes) | facebook-phished-withcount.txt (45,224 bytes) |
Coverage (Rockyou)
I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:
Passwords | Coverage | Download |
13 | 4.99% | rockyou-5.txt (104 bytes) |
92 | 10.00% | rockyou-10.txt (723 bytes) |
249 | 15.01% | rockyou-15.txt (1,943 bytes) |
512 | 20.00% | rockyou-20.txt (3,998 bytes) |
929 | 25.00% | rockyou-25.txt (7,229 bytes) |
1556 | 30.00% | rockyou-30.txt (12,160 bytes) |
2506 | 35.00% | rockyou-35.txt (19,648 bytes) |
3957 | 40.00% | rockyou-40.txt (31,220 bytes) |
6164 | 45.00% | rockyou-45.txt (49,133 bytes) |
9438 | 50.00% | rockyou-50.txt (75,912 bytes) |
14236 | 55.00% | rockyou-55.txt (115,186 bytes) |
21041 | 60.00% | rockyou-60.txt (170,244 bytes) |
30290 | 65.00% | rockyou-65.txt (244,535 bytes) |
42661 | 70.00% | rockyou-70.txt (344,231 bytes) |
59187 | 75.00% | rockyou-75.txt (478,948 bytes) |
Statistics
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
- cracked_500worst.png
- cracked_elitehackers.png
- cracked_faithwriters.png
- cracked_hak5.png
- cracked_hotmail.png
- cracked_myspace.png
- cracked_phpbb.png
- cracked_rockyou.png
Miscellaneous non-hacking dictionaries
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
Name | Compressed | Uncompressed | Notes |
English | english.txt.bz2 (1,368,101 bytes) | english.txt (4,032,153 bytes) | My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth |
German | german.txt.bz2 (2,371,487 bytes) | german.txt (8,827,974 bytes) | Compiled by Brandon Enright |
American cities | us_cities.txt.bz2 (77,081 bytes) | us_cities.txt (207,041 bytes) | Generated by RSnake |
"Porno" | porno.txt.bz2 (7,158,285 bytes) | porno.txt (46,955,376 bytes) | World's largest porno password collection! Created by Matt Weir |
Honeynet | honeynet.txt.bz2 (889,525 bytes) | honeynet.txt (2,906,298 bytes) | From a honeynet run by Joshua Gimer |
Honeynet - w/ count | honeynet-withcount.txt.bz2 (901,868 bytes) | honeynet-withcount.txt (4,040,938 bytes) | |
File locations | file-locations.txt.bz2 (1,724 bytes) | file-locations.txt (8,945 bytes) | Potential logfile locations (for LFI, etc). Thanks to Seth! |
Fuzzing strings (Python) | fuzzing-strings.txt.bz2 (276 bytes) | fuzzing-strings.txt (724 bytes) | Thanks to Seth! |
PHPMyAdmin locations | phpmyadmin-locations.txt.bz2 (304 bytes) | phpmyadmin-locations.txt (1,635 bytes) | Potential PHPMyAdmin locations. Thanks to Seth! |
Web extensions | web-extensions.txt.bz2 (117 bytes) | web-extensions.txt (139 bytes) | Common extensions for Web files. Thanks to dirb! |
Web mutations | web-mutations.txt.bz2 (177 bytes) | web-mutations.txt (244 bytes) | Common 'mutations' for Web files. Thanks to dirb! |
DirBuster has some awesome lists, too -- usernames and filenames.
Facebook lists
These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.
If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.
Name | Compressed | Uncompressed | Date | Notes |
Full names | facebook-names-unique.txt.bz2 (479,332,623 bytes) | facebook-names-unique.txt (1,609,962,544 bytes) | 2010-08 | |
Full names - w/ count | facebook-names-withcount.txt.bz2 (477,274,173 bytes) | facebook-names-withcount.txt (2,410,990,224 bytes) | ||
First names | facebook-firstnames.txt.bz2 (16,464,124 bytes) | facebook-firstnames.txt (38,352,885 bytes) | 2010-08 | |
First names - w/ count | facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) | facebook-firstnames-withcount.txt (16,375,441 bytes) | ||
Last names | facebook-lastnames.txt.bz2 (21,176,444 bytes) | facebook-lastnames.txt (48,721,637 bytes) | 2010-08 | |
Last names - w/ count | facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes) | facebook-lastnames-withcount.txt (91,677,133 bytes) | ||
First initial last names | facebook-f.last.txt.bz2 (67,110,776 bytes) | facebook-f.last.txt (162,453,486 bytes) | 2010-08 | |
First initial last names - w/ count | facebook-f.last-withcount.txt.bz2 (66,348,431 bytes) | facebook-f.last-withcount.txt (300,739,870 bytes) | ||
First name last initial | facebook-first.l.txt.bz2 (37,463,798 bytes) | facebook-first.l.txt (92,986,407 bytes) | 2010-08 | |
First name last initial - w/ count | facebook-first.l-withcount.txt.bz2 (36,932,295 bytes) | facebook-first.l-withcount.txt (175,729,831 bytes) |