Difference between revisions of "Passwords"

From SkullSecurity
 
(63 intermediate revisions by 6 users not shown)
Line 1: Line 1:
<div style='background: #fde073; text-align: center; line-height: 2.5; color: black'>HEY EVERYBODY! If you like this page, please consider [https://www.patreon.com/iagox86 supporting me on Patreon]!</div>
==Password dictionaries==
==Password dictionaries==
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.


<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<tr>
  <td width='150'><strong>Name</strong></td>
  <td width='250'><strong>Compressed</strong></td>
  <td width='250'><strong>Uncompressed</strong></td>
  <td><strong>Notes</strong></td>
</tr>
<tr>
  <td>[http://www.openwall.com/john/ John the Ripper]</td>
  <td>[http://downloads.skullsecurity.org/passwords/john.txt.bz2 john.txt.bz2] (10,934 bytes)</td>
  <td>n/a</td>
  <td>Simple, extremely good, designed to be modified</td>
</tr>
<tr>
  <td>[http://www.oxid.it/cain.html Cain & Abel]</td>
  <td>[http://downloads.skullsecurity.org/passwords/cain.txt.bz2 cain.txt.bz2] (1,069,968 bytes)</td>
  <td>n/a</td>
  <td>Fairly comprehensive, not ordered</td>
</tr>
<tr>
  <td>Conficker worm</td>
  <td>[http://downloads.skullsecurity.org/passwords/conficker.txt.bz2 conficker.txt.bz2] (1411 bytes)</td>
  <td>n/a</td>
  <td>Used by conficker worm to spread -- low quality</td>
</tr>
<tr>
  <td>[http://www.whatsmypass.com/?p=415 500 worst passwords]</td>
  <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt.bz2] (1868 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[http://techcrunch.com/2009/12/27/twitter-banned-passwords/ 370 Banned Twitter passwords]</td>
  <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2 twitter-banned.txt.bz2] (1509 bytes)</td>
  <td>n/a</td>
</tr>
</table>
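Review bot: The "500 worst passwords" and "370 Banned Twitter passwords" rows close after three cells, while the header row and the John the Ripper, Cain & Abel and Conficker rows each have four (Name, Compressed, Uncompressed, Notes). Add an empty Notes cell to both rows so the column count stays consistent across the table.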
==Leaked passwords==
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.
The best use of these is to generate or test password lists.
Note: The dates are approximate.
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<tr>
  <td width='180'><strong>Name</strong></td>
  <td width='280'><strong>Compressed</strong></td>
  <td width='280'><strong>Uncompressed</strong></td>
  <td width='50'><strong>Date</strong></td>
  <td><strong>Notes</strong></td>
</tr>
<tr>
  <td>Rockyou</td>
  <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 rockyou.txt.bz2] (60,498,886 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2009-12</td>
  <td rowspan='2'>Best list available; huge, stolen unencrypted</td>
</tr>
<tr>
  <td>Rockyou with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 rockyou-withcount.txt.bz2] (59,500,255 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>phpbb</td>
  <td>[http://downloads.skullsecurity.org/passwords/phpbb.txt.bz2 phpbb.txt.bz2] (868,606 bytes)</td>
  <td>n/a</td>
  <td rowspan='3'>2009-01</td>
  <td rowspan='3'>Ordered by commonness<br>Cracked from md5 by Brandon Enright<br>(97%+ coverage)</td>
</tr>
<tr>
  <td>phpbb with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/phpbb-withcount.txt.bz2 phpbb-withcount.txt.bz2] (872,867 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>phpbb with md5</td>
  <td>[http://downloads.skullsecurity.org/passwords/phpbb-withmd5.txt.bz2 phpbb-withmd5.txt.bz2] (4,117,887 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>MySpace</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace.txt.bz2 myspace.txt.bz2] (175,970 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2006-10</td>
  <td rowspan='2'>Captured via phishing</td>
</tr>
<tr>
  <td>MySpace - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt.bz2 myspace-withcount.txt.bz2] (179,929 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Hotmail</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt.bz2 hotmail.txt.bz2] (47,195 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>Unknown</td>
  <td rowspan='2'>Isn't clearly understood how these were stolen</td>
</tr>
<tr>
  <td>Hotmail with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt.bz2 hotmail-withcount.txt.bz2] (47,975 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[http://forums.crosswalk.com/m_4252083/mpage_1/tm.htm Faithwriters]</td>
  <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt.bz2 faithwriters.txt.bz2] (39,327 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2009-03</td>
  <td rowspan='2'>Religious passwords</td>
</tr>
<tr>
  <td>Faithwriters - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt.bz2 faithwriters-withcount.txt.bz2] (40,233 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Elitehacker</td>
  <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt.bz2 elitehacker.txt.bz2] (3,690 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2009-07</td>
  <td rowspan='2'>Part of zf05.txt</td>
</tr>
<tr>
  <td>Elitehacker - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt.bz2 elitehacker-withcount.txt.bz2] (3,846 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Hak5</td>
  <td>[http://downloads.skullsecurity.org/passwords/hak5.txt.bz2 hak5.txt.bz2] (16,490 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2009-07</td>
  <td rowspan='2'>Part of zf05.txt</td>
</tr>
<tr>
  <td>Hak5 - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt.bz2 hak5-withcount.txt.bz2] (16,947 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[http://www.f-secure.com/weblog/archives/00001915.html Älypää]</td>
  <td>[http://downloads.skullsecurity.org/passwords/alypaa.txt.bz2 alypaa.txt.bz2] (5,178 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-03</td>
  <td rowspan='2'>Finnish passwords</td>
</tr>
<tr>
  <td>[http://www.f-secure.com/weblog/archives/00001915.html alypaa] - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/alypaa-withcount.txt.bz2 alypaa-withcount.txt.bz2] (6,013 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook (Pastebay)]</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay.txt.bz2 facebook-pastebay.txt.bz2] (375 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-04</td>
  <td rowspan='2'>Found on Pastebay;<br>appear to be malware-stolen.</td>
</tr>
<tr>
  <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook (Pastebay)] - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay-withcount.txt.bz2 facebook-pastebay-withcount.txt.bz2] (407 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Unknown porn site</td>
  <td>[http://downloads.skullsecurity.org/passwords/porn-unknown.txt.bz2 porn-unknown.txt.bz2] (30,600 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>Found on angelfire.com. No clue where they originated, but clearly porn site.</td>
</tr>
<tr>
  <td>Unknown porn site - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/porn-unknown-withcount.txt.bz2 porn-unknown-withcount.txt.bz2] (31,899 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[http://sla.ckers.org/forum/read.php?3,35591 Ultimate Strip Club List]</td>
  <td>[http://downloads.skullsecurity.org/passwords/tuscl.txt.bz2 tuscl.txt.bz2] (176,291 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-09</td>
  <td rowspan='2'>Thanks to Mark Baggett for finding!</td>
</tr>
<tr>
  <td>Ultimate Strip Club List - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt.bz2 tuscl-withcount.txt.bz2] (182,441 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>[Facebook Phished]</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-phished.txt.bz2 facebook-phished.txt.bz2] (14,457 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-09</td>
  <td rowspan='2'>Thanks to Andrew Orr for reporting</td>
</tr>
<tr>
  <td>Facebook Phished - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-phished-withcount.txt.bz2 facebook-phished-withcount.txt.bz2] (14,941 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Carders.cc</td>
  <td>[http://downloads.skullsecurity.org/passwords/carders.cc.txt.bz2 carders.cc.txt.bz2] (8,936 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-05</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Carders.cc - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/carders.cc-withcount.txt.bz2 carders.cc-withcount.txt.bz2] (9,774 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Singles.org</td>
  <td>[http://downloads.skullsecurity.org/passwords/singles.org.txt.bz2 singles.org.txt.bz2] (50,697 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-10</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Singles.org - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/singles.org-withcount.txt.bz2 singles.org-withcount.txt.bz2] (52,884 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Unnamed financial site</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
<tr>
<tr>
<td>Name</td>
  <td>Unnamed financial site - w/ count</td>
<td>Compressed</td>
  <td>(reserved)</td>
<td>Uncompressed</td>
  <td>(reserved)</td>
<td>Notes</td>
</tr>
</tr>
<tr>
<tr>
<td>[http://www.oxid.it/cain.html Cain & Able]</td>
  <td>Gawker</td>
<td>[http://downloads.skullsecurity.org/passwords/List-cain.txt.bz2 List-cain.txt.bz2] 1,069,968 bytes</td>
  <td>(reserved)</td>
<td>[http://downloads.skullsecurity.org/passwords/List-cain.txt List-cain.txt] 3,149,586 bytes</td>
  <td>(reserved)</td>
<td>Fairly comprehensive</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Gawker - w/ count</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
</tr>
 
<tr>
  <td>Free-Hack.com</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
</tr>
<tr>
<tr>
<td>[http://www.openwall.com/john/ John the Ripper]</td>
  <td>Free-Hack.com w/count</td>
<td>[http://downloads.skullsecurity.org/passwords/List-john.txt.bz2 List-john.txt.bz2] 10,934 bytes</td>
  <td>(reserved)</td>
<td>[http://downloads.skullsecurity.org/passwords/List-john.txt List-john.txt] 21,935 bytes</td>
  <td>(reserved)</td>
<td>Simple, designed to be modified</td>
</tr>
</tr>


<tr>
<tr>
<td>Conficker worm</td>
  <td>Carders.cc (second time hacked)</td>
<td>[http://downloads.skullsecurity.org/passwords/Connficker.txt.bz2 Conficker.txt.bz2] 1411 bytes</td>
  <td>(reserved)</td>
<td>[http://downloads.skullsecurity.org/passwords/Connficker.txt Conficker.txt] 702 bytes</td>
  <td>(reserved)</td>
<td>Used by conficker worm to spread</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
</tr>
<tr>
  <td>Carders.cc w/count (second time hacked)</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
</tr>
</table>
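Review bot: In the Facebook Phished row the name cell is written as [Facebook Phished], single brackets with no URL, so it is not a link and the brackets show up literally; either add the source URL or drop the brackets. The introductory paragraph also opens a parenthesis at "(I don't see any reason to supply usernames" that is never closed.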
===Statistics===
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
* [http://www.skullsecurity.org/blogdata/cracked_500worst.png cracked_500worst.png]
* [http://www.skullsecurity.org/blogdata/cracked_elitehackers.png cracked_elitehackers.png]
* [http://www.skullsecurity.org/blogdata/cracked_faithwriters.png cracked_faithwriters.png]
* [http://www.skullsecurity.org/blogdata/cracked_hak5.png cracked_hak5.png]
* [http://www.skullsecurity.org/blogdata/cracked_hotmail.png cracked_hotmail.png]
* [http://www.skullsecurity.org/blogdata/cracked_myspace.png cracked_myspace.png]
* [http://www.skullsecurity.org/blogdata/cracked_phpbb.png cracked_phpbb.png]
* [http://www.skullsecurity.org/blogdata/cracked_rockyou.png cracked_rockyou.png]
==Miscellaneous non-hacking dictionaries==
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<tr>
  <td width='120'><strong>Name</strong></td>
  <td width='300'><strong>Compressed</strong></td>
  <td width='300'><strong>Uncompressed</strong></td>
  <td><strong>Notes</strong></td>
</tr>
<tr>
  <td>English</td>
  <td>[http://downloads.skullsecurity.org/passwords/english.txt.bz2 english.txt.bz2] (1,368,101 bytes)</td>
  <td>n/a</td>
  <td>My combination of a couple lists, from [https://twitter.com/xorrbit Andrew Orr], Brandon Enright, and [http://xd-blog.com.ar/ Seth]</td>
</tr>
<tr>
  <td>German</td>
  <td>[http://downloads.skullsecurity.org/passwords/german.txt.bz2 german.txt.bz2] (2,371,487 bytes)</td>
  <td>n/a</td>
  <td>Compiled by Brandon Enright</td>
</tr>
<tr>
  <td>[http://ha.ckers.org/blog/20090417/us-cities-dictionary/ American cities]</td>
  <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2 us_cities.txt.bz2] (77,081 bytes)</td>
  <td>n/a</td>
  <td>Generated by RSnake</td>
</tr>
<tr>
  <td>"Porno"</td>
  <td>[http://downloads.skullsecurity.org/passwords/porno.txt.bz2 porno.txt.bz2] (7,158,285 bytes)</td>
  <td>n/a</td>
  <td>World's largest porno password collection!<br>Created by [http://reusablesec.blogspot.com/ Matt Weir]
</tr>


==Leaked passwords==
<tr>
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does.
  <td>Honeynet</td>
  <td>[http://downloads.skullsecurity.org/passwords/honeynet.txt.bz2 honeynet.txt.bz2] (889,525 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>From a honeynet run by [http://twitter.com/jgimer Joshua Gimer]</td>
</tr>
<tr>
  <td>Honeynet - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/honeynet-withcount.txt.bz2 honeynet-withcount.txt.bz2] (901,868 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>File locations</td>
  <td>[http://downloads.skullsecurity.org/passwords/file-locations.txt.bz2 file-locations.txt.bz2] (1,724 bytes)</td>
  <td>n/a</td>
  <td>Potential logfile locations (for LFI, etc).<br>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
 
<tr>
  <td>Fuzzing strings (Python)</td>
  <td>[http://downloads.skullsecurity.org/passwords/fuzzing-strings.txt.bz2 fuzzing-strings.txt.bz2] (276 bytes)</td>
  <td>n/a</td>
  <td>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
 
<tr>
  <td>PHPMyAdmin locations</td>
  <td>[http://downloads.skullsecurity.org/passwords/phpmyadmin-locations.txt.bz2 phpmyadmin-locations.txt.bz2] (304 bytes)</td>
  <td>n/a</td>
  <td>Potential PHPMyAdmin locations.<br>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
 
<tr>
  <td>Web extensions</td>
  <td>[http://downloads.skullsecurity.org/passwords/web-extensions.txt.bz2 web-extensions.txt.bz2] (117 bytes)</td>
  <td>n/a</td>
  <td>Common extensions for Web files.<br>Thanks to [http://www.open-labs.org/ dirb]!</td>
</tr>
 
<tr>
  <td>Web mutations</td>
  <td>[http://downloads.skullsecurity.org/passwords/web-mutations.txt.bz2 web-mutations.txt.bz2] (177 bytes)</td>
  <td>n/a</td>
  <td>Common 'mutations' for Web files.<br>Thanks to [http://www.open-labs.org/ dirb]!</td>
</tr>
 
 
</table>
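Review bot: The Notes cell of the "Porno" row ends at "Created by [http://reusablesec.blogspot.com/ Matt Weir]" with no closing td tag before the row is closed. Every other cell in this table is closed explicitly, so close this one as well rather than relying on the parser to recover.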
[http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project#tab=Download DirBuster] has some awesome lists, too -- usernames and filenames.
 
===Facebook lists===
These are the lists I generated from [http://www.skullsecurity.org/blog/?p=887 this data]. Some are more useful than others as password lists. All lists are sorted by commonness.
 
If you want a bunch of these, I highly recommend using [http://www.skullsecurity.org/blogdata/fbdata.torrent the torrent]. It's faster, and you'll get them all at once.
 
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<tr>
  <td width='180'><strong>Name</strong></td>
  <td width='320'><strong>Compressed</strong></td>
  <td width='320'><strong>Uncompressed</strong></td>
  <td width='50'><strong>Date</strong></td>
  <td><strong>Notes</strong></td>
</tr>
 
<tr>
  <td>Full names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-names-unique.txt.bz2 facebook-names-unique.txt.bz2] (479,332,623 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>Full names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-names-withcount.txt.bz2 facebook-names-withcount.txt.bz2] (477,274,173 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>First names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-firstnames.txt.bz2 facebook-firstnames.txt.bz2] (16,464,124 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-firstnames-withcount.txt.bz2 facebook-firstnames-withcount.txt.bz2] (73,134,218 bytes)</td>
  <td>n/a</td>
</tr>


List of passwords stolen from MySpace (not by me!), covers most common modern passwords: [http://downloads.skullsecurity.org/passwords/List-myspace.txt.bz2 List-myspace.txt]
<tr>
List of passwords stolen from MySpace with associated counts (not useful for bruteforcing, but great for studying): [http://downloads.skullsecurity.org/passwords/Myspace-counts.txt.bz2 Myspace-counts.txt]
  <td>Last names</td>
List of passwords stolen from PHPBB (not by me!), covers most easy to crack modern passwords: [http://downloads.skullsecurity.org/passwords/List-phpbb.txt.bz2 List-phpbb.txt]
  <td>[http://downloads.skullsecurity.org/passwords/facebook-lastnames.txt.bz2 facebook-lastnames.txt.bz2] (21,176,444 bytes)</td>
List of passwords stolen from PHPBB with associated counts (not useful for bruteforcing, but great for studying): [http://downloads.skullsecurity.org/passwords/Phpbb-counts.txt.bz2 Phpbb-counts.txt]
  <td>n/a</td>
Rockyou leaked passwords (32 million passwords) -- LARGE download (150mb+) -- thanks to Mark Baggett for the list:
  <td rowspan='2'>2010-08</td>
* Ordered by commonness: [http://downloads.skullsecurity.org/passwords/rockyou-unique-bycount.txt.bz2 rockyou-unique-bycount.txt]
  <td rowspan='2'>&nbsp;</td>
* With associated counts: [http://downloads.skullsecurity.org/passwords/rockyou-unique-withcount.txt.bz2 rockyou-unique-withcount.txt]
</tr>
* Original list: [http://downloads.skullsecurity.org/passwords/rockyou-full.txt.bz2 rockyou-full.txt]
<tr>
  <td>Last names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-lastnames-withcount.txt.bz2 facebook-lastnames-withcount.txt.bz2] (21,166,232 bytes)</td>
  <td>n/a</td>
</tr>


All English words: [http://downloads.skullsecurity.org/passwords/English.txt.bz2 English.txt]
<tr>
Another English word file, helpfully provided by BlackFrog: [http://downloads.skullsecurity.org/passwords/English2.txt.bz2 English2.txt]
  <td>First initial last names</td>
A German password list, ordered by length and then alphabetically. It's released under GPL (is that even valid? whatever), so I left the header intact -- make sure you remove it if you don't want to try the lines as passwords: [http://downloads.skullsecurity.org/passwords/German_list.txt.bz2 German_list.txt]
  <td>[http://downloads.skullsecurity.org/passwords/facebook-f.last.txt.bz2 facebook-f.last.txt.bz2] (67,110,776 bytes)</td>
List of American cities, generated by [http://ha.ckers.org/blog/20090417/us-cities-dictionary/ RSnake]: [http://downloads.skullsecurity.org/passwords/US_Cities.txt.bz2 US_Cities.txt]
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First initial last names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-f.last-withcount.txt.bz2 facebook-f.last-withcount.txt.bz2] (66,348,431 bytes)</td>
  <td>n/a</td>
</tr>


List of "500 worst passwords of all time", from [http://www.whatsmypass.com/?p=415 this story]: [http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt]
<tr>
  <td>First name last initial</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-first.l.txt.bz2 facebook-first.l.txt.bz2] (37,463,798 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First name last initial</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-first.l-withcount.txt.bz2 facebook-first.l-withcount.txt.bz2] (36,932,295 bytes)</td>
  <td>n/a</td>
</tr>
</table>
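Review bot: The last row of the Facebook lists table is labelled "First name last initial", the same as the row above it, although it links to facebook-first.l-withcount.txt.bz2; label it "First name last initial - w/ count" to match the other pairs. The size given for facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) is also more than four times that of facebook-firstnames.txt.bz2 (16,464,124 bytes), whereas every other plain/with-count pair differs only slightly, so it is worth checking against the hosted file.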

Latest revision as of 23:53, 18 May 2015



Password dictionaries

These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.

Name Compressed Uncompressed Notes
John the Ripper john.txt.bz2 (10,934 bytes) n/a Simple, extremely good, designed to be modified
Cain & Abel cain.txt.bz2 (1,069,968 bytes) n/a Fairly comprehensive, not ordered
Conficker worm conficker.txt.bz2 (1411 bytes) n/a Used by conficker worm to spread -- low quality
500 worst passwords 500-worst-passwords.txt.bz2 (1868 bytes) n/a
370 Banned Twitter passwords twitter-banned.txt.bz2 (1509 bytes) n/a

Leaked passwords

Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them).

The best use of these is to generate or test password lists.

Note: The dates are approximate.

Name Compressed Uncompressed Date Notes
Rockyou rockyou.txt.bz2 (60,498,886 bytes) n/a 2009-12 Best list available; huge, stolen unencrypted
Rockyou with count rockyou-withcount.txt.bz2 (59,500,255 bytes) n/a
phpbb phpbb.txt.bz2 (868,606 bytes) n/a 2009-01 Ordered by commonness; cracked from md5 by Brandon Enright (97%+ coverage)
phpbb with count phpbb-withcount.txt.bz2 (872,867 bytes) n/a
phpbb with md5 phpbb-withmd5.txt.bz2 (4,117,887 bytes) n/a
MySpace myspace.txt.bz2 (175,970 bytes) n/a 2006-10 Captured via phishing
MySpace - with count myspace-withcount.txt.bz2 (179,929 bytes) n/a
Hotmail hotmail.txt.bz2 (47,195 bytes) n/a Unknown Isn't clearly understood how these were stolen
Hotmail with count hotmail-withcount.txt.bz2 (47,975 bytes) n/a
Faithwriters faithwriters.txt.bz2 (39,327 bytes) n/a 2009-03 Religious passwords
Faithwriters - with count faithwriters-withcount.txt.bz2 (40,233 bytes) n/a
Elitehacker elitehacker.txt.bz2 (3,690 bytes) n/a 2009-07 Part of zf05.txt
Elitehacker - with count elitehacker-withcount.txt.bz2 (3,846 bytes) n/a
Hak5 hak5.txt.bz2 (16,490 bytes) n/a 2009-07 Part of zf05.txt
Hak5 - with count hak5-withcount.txt.bz2 (16,947 bytes) n/a
Älypää alypaa.txt.bz2 (5,178 bytes) n/a 2010-03 Finnish passwords
alypaa - with count alypaa-withcount.txt.bz2 (6,013 bytes) n/a
Facebook (Pastebay) facebook-pastebay.txt.bz2 (375 bytes) n/a 2010-04 Found on Pastebay; appear to be malware-stolen.
Facebook (Pastebay) - w/ count facebook-pastebay-withcount.txt.bz2 (407 bytes) n/a
Unknown porn site porn-unknown.txt.bz2 (30,600 bytes) n/a 2010-08 Found on angelfire.com. No clue where they originated, but clearly a porn site.
Unknown porn site - w/ count porn-unknown-withcount.txt.bz2 (31,899 bytes) n/a
Ultimate Strip Club List tuscl.txt.bz2 (176,291 bytes) n/a 2010-09 Thanks to Mark Baggett for finding!
Ultimate Strip Club List - w/ count tuscl-withcount.txt.bz2 (182,441 bytes) n/a
[Facebook Phished] facebook-phished.txt.bz2 (14,457 bytes) n/a 2010-09 Thanks to Andrew Orr for reporting
Facebook Phished - w/ count facebook-phished-withcount.txt.bz2 (14,941 bytes) n/a
Carders.cc carders.cc.txt.bz2 (8,936 bytes) n/a 2010-05
Carders.cc - w/ count carders.cc-withcount.txt.bz2 (9,774 bytes) n/a
Singles.org singles.org.txt.bz2 (50,697 bytes) n/a 2010-10
Singles.org - w/ count singles.org-withcount.txt.bz2 (52,884 bytes) n/a
Unnamed financial site (reserved) (reserved) 2010-12
Unnamed financial site - w/ count (reserved) (reserved)
Gawker (reserved) (reserved) 2010-12
Gawker - w/ count (reserved) (reserved)
Free-Hack.com (reserved) (reserved) 2010-12
Free-Hack.com w/count (reserved) (reserved)
Carders.cc (second time hacked) (reserved) (reserved) 2010-12
Carders.cc w/count (second time hacked) (reserved) (reserved)

Statistics

I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:

Miscellaneous non-hacking dictionaries

These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.

Name Compressed Uncompressed Notes
English english.txt.bz2 (1,368,101 bytes) n/a My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth
German german.txt.bz2 (2,371,487 bytes) n/a Compiled by Brandon Enright
American cities us_cities.txt.bz2 (77,081 bytes) n/a Generated by RSnake
"Porno" porno.txt.bz2 (7,158,285 bytes) n/a World's largest porno password collection! Created by Matt Weir
Honeynet honeynet.txt.bz2 (889,525 bytes) n/a From a honeynet run by Joshua Gimer
Honeynet - w/ count honeynet-withcount.txt.bz2 (901,868 bytes) n/a
File locations file-locations.txt.bz2 (1,724 bytes) n/a Potential logfile locations (for LFI, etc). Thanks to Seth!
Fuzzing strings (Python) fuzzing-strings.txt.bz2 (276 bytes) n/a Thanks to Seth!
PHPMyAdmin locations phpmyadmin-locations.txt.bz2 (304 bytes) n/a Potential PHPMyAdmin locations. Thanks to Seth!
Web extensions web-extensions.txt.bz2 (117 bytes) n/a Common extensions for Web files. Thanks to dirb!
Web mutations web-mutations.txt.bz2 (177 bytes) n/a Common 'mutations' for Web files. Thanks to dirb!

DirBuster has some awesome lists, too -- usernames and filenames.

Facebook lists

These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.

If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.

Name Compressed Uncompressed Date Notes
Full names facebook-names-unique.txt.bz2 (479,332,623 bytes) n/a 2010-08  
Full names - w/ count facebook-names-withcount.txt.bz2 (477,274,173 bytes) n/a
First names facebook-firstnames.txt.bz2 (16,464,124 bytes) n/a 2010-08  
First names - w/ count facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) n/a
Last names facebook-lastnames.txt.bz2 (21,176,444 bytes) n/a 2010-08  
Last names - w/ count facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes) n/a
First initial last names facebook-f.last.txt.bz2 (67,110,776 bytes) n/a 2010-08  
First initial last names - w/ count facebook-f.last-withcount.txt.bz2 (66,348,431 bytes) n/a
First name last initial facebook-first.l.txt.bz2 (37,463,798 bytes) n/a 2010-08  
First name last initial facebook-first.l-withcount.txt.bz2 (36,932,295 bytes) n/a