Difference between revisions of "Passwords"

From SkullSecurity
Jump to navigation Jump to search
 
(42 intermediate revisions by 6 users not shown)
Line 1: Line 1:
<div style='background: #fde073; text-align: center; line-height: 2.5; color: black'>HEY EVERYBODY! If you like this page, please consider [https://www.patreon.com/iagox86 supporting me on Patreon]!</div>
==Password dictionaries==
==Password dictionaries==
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
Line 13: Line 16:
   <td>[http://www.openwall.com/john/ John the Ripper]</td>
   <td>[http://www.openwall.com/john/ John the Ripper]</td>
   <td>[http://downloads.skullsecurity.org/passwords/john.txt.bz2 john.txt.bz2] (10,934 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/john.txt.bz2 john.txt.bz2] (10,934 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/john.txt john.txt] (21,935 bytes)</td>
   <td>n/a</td>
   <td>Simple, extremely good, designed to be modified</td>
   <td>Simple, extremely good, designed to be modified</td>
  </tr>
  </tr>


  <tr>
  <tr>
   <td>[http://www.oxid.it/cain.html Cain & Able]</td>
   <td>[http://www.oxid.it/cain.html Cain & Abel]</td>
   <td>[http://downloads.skullsecurity.org/passwords/cain.txt.bz2 cain.txt.bz2] (1,069,968 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/cain.txt.bz2 cain.txt.bz2] (1,069,968 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/cain.txt cain.txt] (3,149,586 bytes)</td>
   <td>n/a</td>
   <td>Fairly comprehensive, not ordered</td>
   <td>Fairly comprehensive, not ordered</td>
  </tr>
  </tr>
Line 27: Line 30:
   <td>Conficker worm</td>
   <td>Conficker worm</td>
   <td>[http://downloads.skullsecurity.org/passwords/conficker.txt.bz2 conficker.txt.bz2] (1411 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/conficker.txt.bz2 conficker.txt.bz2] (1411 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/conficker.txt conficker.txt] (702 bytes)</td>
   <td>n/a</td>
   <td>Used by conficker worm to spread -- low quality</td>
   <td>Used by conficker worm to spread -- low quality</td>
  </tr>
  </tr>
Line 34: Line 37:
   <td>[http://www.whatsmypass.com/?p=415 500 worst passwords]</td>
   <td>[http://www.whatsmypass.com/?p=415 500 worst passwords]</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt.bz2] (1868 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt.bz2] (1868 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt 500-worst-passwords.txt] (3493 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 40: Line 43:
   <td>[http://techcrunch.com/2009/12/27/twitter-banned-passwords/ 370 Banned Twitter passwords]</td>
   <td>[http://techcrunch.com/2009/12/27/twitter-banned-passwords/ 370 Banned Twitter passwords]</td>
   <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2 twitter-banned.txt.bz2] (1509 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2 twitter-banned.txt.bz2] (1509 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt twitter-banned.txt] (2780 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>
</table>
</table>


==Leaked passwords==
==Leaked passwords==
Line 49: Line 51:


The best use of these is to generate or test password lists.  
The best use of these is to generate or test password lists.  
Note: The dates are approximate.
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
  <tr>
  <tr>
   <td width='150'><strong>Name</strong></td>
   <td width='180'><strong>Name</strong></td>
   <td width='280'><strong>Compressed</strong></td>
   <td width='280'><strong>Compressed</strong></td>
   <td width='280'><strong>Uncompressed</strong></td>
   <td width='280'><strong>Uncompressed</strong></td>
  <td width='50'><strong>Date</strong></td>
   <td><strong>Notes</strong></td>
   <td><strong>Notes</strong></td>
  </tr>
  </tr>
Line 60: Line 65:
   <td>Rockyou</td>
   <td>Rockyou</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 rockyou.txt.bz2] (60,498,886 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 rockyou.txt.bz2] (60,498,886 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt rockyou.txt] (139,921,497 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2009-12</td>
   <td rowspan='2'>Best list available; huge, stolen unencrypted</td>
   <td rowspan='2'>Best list available; huge, stolen unencrypted</td>
  </tr>
  </tr>
Line 66: Line 72:
   <td>Rockyou with count</td>
   <td>Rockyou with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 rockyou-withcount.txt.bz2] (59,500,255 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 rockyou-withcount.txt.bz2] (59,500,255 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt rockyou-withcount.txt] (254,676,625 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 72: Line 78:
   <td>phpbb</td>
   <td>phpbb</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb.txt.bz2 phpbb.txt.bz2] (868,606 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb.txt.bz2 phpbb.txt.bz2] (868,606 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb.txt phpbb.txt] (1,574,395 bytes)</td>
   <td>n/a</td>
   <td rowspan='3'>Ordered by commonness<br>Cracked from md5 by Brandon Enright (97%+ coverage)</td>
  <td rowspan='3'>2009-01</td>
   <td rowspan='3'>Ordered by commonness<br>Cracked from md5 by Brandon Enright<br>(97%+ coverage)</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>phpbb with count</td>
   <td>phpbb with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withcount.txt.bz2 phpbb-withcount.txt.bz2] (872,867 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withcount.txt.bz2 phpbb-withcount.txt.bz2] (872,867 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withcount.txt phpbb-withcount.txt] (3,049,507 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>phpbb with md5</td>
   <td>phpbb with md5</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withmd5.txt.bz2 phpbb-withmd5.txt.bz2] (4,117,887 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withmd5.txt.bz2 phpbb-withmd5.txt.bz2] (4,117,887 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/phpbb-withmd5.txt phpbb-withmd5.txt] (7,659,241 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 89: Line 96:
   <td>MySpace</td>
   <td>MySpace</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace.txt.bz2 myspace.txt.bz2] (175,970 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace.txt.bz2 myspace.txt.bz2] (175,970 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace.txt myspace.txt] (356,352 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2006-10</td>
   <td rowspan='2'>Captured via phishing</td>
   <td rowspan='2'>Captured via phishing</td>
  </tr>
  </tr>
Line 95: Line 103:
   <td>MySpace - with count</td>
   <td>MySpace - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt.bz2 myspace-withcount.txt.bz2] (179,929 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt.bz2 myspace-withcount.txt.bz2] (179,929 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt myspace-withcount.txt] (653,504 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 101: Line 109:
   <td>Hotmail</td>
   <td>Hotmail</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt.bz2 hotmail.txt.bz2] (47,195 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt.bz2 hotmail.txt.bz2] (47,195 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt hotmail.txt] (87,383 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>Unknown</td>
   <td rowspan='2'>Isn't clearly understood how these were stolen</td>
   <td rowspan='2'>Isn't clearly understood how these were stolen</td>
  </tr>
  </tr>
Line 107: Line 116:
   <td>Hotmail with count</td>
   <td>Hotmail with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt.bz2 hotmail-withcount.txt.bz2] (47,975 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt.bz2 hotmail-withcount.txt.bz2] (47,975 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt hotmail-withcount.txt] (158,831 bytes)</td>
   <td>n/a</td>
  </tr>  
  </tr>  
   
   
  <tr>
  <tr>
   <td>Faithwriters</td>
   <td>[http://forums.crosswalk.com/m_4252083/mpage_1/tm.htm Faithwriters]</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt.bz2 faithwriters.txt.bz2] (39,327 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt.bz2 faithwriters.txt.bz2] (39,327 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt faithwriters.txt] (72,695 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2009-03</td>
   <td rowspan='2'>Religious passwords</td>
   <td rowspan='2'>Religious passwords</td>
  </tr>
  </tr>
Line 119: Line 129:
   <td>Faithwriters - with count</td>
   <td>Faithwriters - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt.bz2 faithwriters-withcount.txt.bz2] (40,233 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt.bz2 faithwriters-withcount.txt.bz2] (40,233 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt faithwriters-withcount.txt] (139,480 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 125: Line 135:
   <td>Elitehacker</td>
   <td>Elitehacker</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt.bz2 elitehacker.txt.bz2] (3,690 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt.bz2 elitehacker.txt.bz2] (3,690 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt elitehacker.txt] (6,516 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2009-07</td>
   <td rowspan='2'>Part of zf05.txt</td>
   <td rowspan='2'>Part of zf05.txt</td>
  </tr>
  </tr>
Line 131: Line 142:
   <td>Elitehacker - with count</td>
   <td>Elitehacker - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt.bz2 elitehacker-withcount.txt.bz2] (3,846 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt.bz2 elitehacker-withcount.txt.bz2] (3,846 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt elitehacker-withcount.txt] (13,676 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


Line 137: Line 148:
   <td>Hak5</td>
   <td>Hak5</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5.txt.bz2 hak5.txt.bz2] (16,490 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5.txt.bz2 hak5.txt.bz2] (16,490 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5.txt hak5.txt] (24,714 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2009-07</td>
   <td rowspan='2'>Part of zf05.txt</td>
   <td rowspan='2'>Part of zf05.txt</td>
  </tr>
  </tr>
Line 143: Line 155:
   <td>Hak5 - with count</td>
   <td>Hak5 - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt.bz2 hak5-withcount.txt.bz2] (16,947 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt.bz2 hak5-withcount.txt.bz2] (16,947 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt hak5-withcount.txt] (43,522 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


  <tr>
  <tr>
   <td>[http://www.f-secure.com/weblog/archives/00001915.html Alysaa]</td>
   <td>[http://www.f-secure.com/weblog/archives/00001915.html Älypää]</td>
   <td>[http://downloads.skullsecurity.org/passwords/alysaa.txt.bz2 alysaa.txt.bz2] (5,178 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/alypaa.txt.bz2 alypaa.txt.bz2] (5,178 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/alysaa.txt alysaa.txt] (11,634 bytes)</td>
   <td>n/a</td>
  <td rowspan='2'>2010-03</td>
   <td rowspan='2'>Finnish passwords</td>
   <td rowspan='2'>Finnish passwords</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>[http://www.f-secure.com/weblog/archives/00001915.html Alysaa] - with count</td>
   <td>[http://www.f-secure.com/weblog/archives/00001915.html alypaa] - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/alysaa-withcount.txt.bz2 alysaa-withcount.txt.bz2] (6,013 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/alypaa-withcount.txt.bz2 alypaa-withcount.txt.bz2] (6,013 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/alysaa-withcount.txt alysaa-withcount.txt] (22,706 bytes)</td>
   <td>n/a</td>
  </tr>
  </tr>


  <tr>
  <tr>
   <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook from Pastebay]</td>
   <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook (Pastebay)]</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay.txt.bz2 facebook-pastebay.txt.bz2] (375 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay.txt.bz2 facebook-pastebay.txt.bz2] (375 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay.txt facebook-pastebay.txt] (500 bytes)</td>
   <td>n/a</td>
   <td rowspan='2'>Found on Pastebay; appear to be malware-stolen.</td>
  <td rowspan='2'>2010-04</td>
   <td rowspan='2'>Found on Pastebay;<br>appear to be malware-stolen.</td>
</tr>
</tr>
<tr>
<tr>
   <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook from Pastebay] - with count</td>
   <td>[http://twitter.com/FSLabsAdvisor/status/12585285761 Facebook (Pastebay)] - w/ count</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay-withcount.txt.bz2 facebook-pastebay-withcount.txt.bz2] (407 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay-withcount.txt.bz2 facebook-pastebay-withcount.txt.bz2] (407 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-pastebay-withcount.txt facebook-pastebay-withcount.txt] (940 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>Unknown porn site</td>
  <td>[http://downloads.skullsecurity.org/passwords/porn-unknown.txt.bz2 porn-unknown.txt.bz2] (30,600 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>Found on angelfire.com. No clue where they originated, but clearly porn site.</td>
</tr>
<tr>
  <td>Unknown porn site - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/porn-unknown-withcount.txt.bz2 porn-unknown-withcount.txt.bz2] (31,899 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>[http://sla.ckers.org/forum/read.php?3,35591 Ultimate Strip Club List]</td>
  <td>[http://downloads.skullsecurity.org/passwords/tuscl.txt.bz2 tuscl.txt.bz2] (176,291 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-09</td>
  <td rowspan='2'>Thanks to Mark Baggett for finding!</td>
</tr>
<tr>
  <td>Ultimate Strip Club List - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/tuscl-withcount.txt.bz2 tuscl-withcount.txt.bz2] (182,441 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>[Facebook Phished]</td>
   <td>[http://downloads.skullsecurity.org/passwords/facebook-phished.txt.bz2 facebook-phished.txt.bz2] (14,457 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-09</td>
  <td rowspan='2'>Thanks to Andrew Orr for reporting</td>
</tr>
<tr>
  <td>Facebook Phished - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-phished-withcount.txt.bz2 facebook-phished-withcount.txt.bz2] (14,941 bytes)</td>
  <td>n/a</td>
</tr>
 
<tr>
  <td>Carders.cc</td>
  <td>[http://downloads.skullsecurity.org/passwords/carders.cc.txt.bz2 carders.cc.txt.bz2] (8,936 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-05</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Carders.cc - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/carders.cc-withcount.txt.bz2 carders.cc-withcount.txt.bz2] (9,774 bytes)</td>
  <td>n/a</td>
</tr>
</tr>
</table>


===Coverage (Rockyou)===
<tr>
I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:
  <td>Singles.org</td>
  <td>[http://downloads.skullsecurity.org/passwords/singles.org.txt.bz2 singles.org.txt.bz2] (50,697 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-10</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Singles.org - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/singles.org-withcount.txt.bz2 singles.org-withcount.txt.bz2] (52,884 bytes)</td>
  <td>n/a</td>
</tr>


<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
  <tr>
  <tr>
   <td width='150'><strong>Passwords</strong></td>
   <td>Unnamed financial site</td>
   <td width='150'><strong>Coverage</strong></td>
  <td>(reserved)</td>
   <td width='250'><strong>Download</strong></td>
  <td>(reserved)</td>
</tr>
   <td rowspan='2'>2010-12</td>
<tr><td>13</td><td>4.99%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-5.txt rockyou-5.txt] (104 bytes)</td></tr>
   <td rowspan='2'></td>
<tr><td>92</td><td>10.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-10.txt rockyou-10.txt] (723 bytes)</td></tr>
</tr>
<tr><td>249</td><td>15.01%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-15.txt rockyou-15.txt] (1,943 bytes)</td></tr>
<tr>
<tr><td>512</td><td>20.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-20.txt rockyou-20.txt] (3,998 bytes)</td></tr>
  <td>Unnamed financial site - w/ count</td>
<tr><td>929</td><td>25.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-25.txt rockyou-25.txt] (7,229 bytes)</td></tr>
  <td>(reserved)</td>
<tr><td>1556</td><td>30.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-30.txt rockyou-30.txt] (12,160 bytes)</td></tr>
  <td>(reserved)</td>
<tr><td>2506</td><td>35.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-35.txt rockyou-35.txt] (19,648 bytes)</td></tr>
</tr>
<tr><td>3957</td><td>40.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-40.txt rockyou-40.txt] (31,220 bytes)</td></tr>
 
<tr><td>6164</td><td>45.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-45.txt rockyou-45.txt] (49,133 bytes)</td></tr>
<tr>
<tr><td>9438</td><td>50.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-50.txt rockyou-50.txt] (75,912 bytes)</td></tr>
  <td>Gawker</td>
<tr><td>14236</td><td>55.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-55.txt rockyou-55.txt] (115,186 bytes)</td></tr>
  <td>(reserved)</td>
<tr><td>21041</td><td>60.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-60.txt rockyou-60.txt] (170,244 bytes)</td></tr>
  <td>(reserved)</td>
<tr><td>30290</td><td>65.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-65.txt rockyou-65.txt] (244,535 bytes)</td></tr>
  <td rowspan='2'>2010-12</td>
<tr><td>42661</td><td>70.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-70.txt rockyou-70.txt] (344,231 bytes)</td></tr>
  <td rowspan='2'></td>
<tr><td>59187</td><td>75.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-75.txt rockyou-75.txt] (478,948 bytes)</td></tr></table>
</tr>
<tr>
  <td>Gawker - w/ count</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
</tr>
 
<tr>
  <td>Free-Hack.com</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Free-Hack.com w/count</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
</tr>
 
<tr>
  <td>Carders.cc (second time hacked)</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
  <td rowspan='2'>2010-12</td>
  <td rowspan='2'></td>
</tr>
<tr>
  <td>Carders.cc w/count (second time hacked)</td>
  <td>(reserved)</td>
  <td>(reserved)</td>
</tr>
 
</table>


===Statistics===
===Statistics===
Line 220: Line 327:
  <tr>
  <tr>
   <td>English</td>
   <td>English</td>
   <td>[http://downloads.skullsecurity.org/passwords/english.txt.bz2 english.txt.bz2] (1,063,071 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/english.txt.bz2 english.txt.bz2] (1,368,101 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/english.txt english.txt] (3,144,506 bytes)</td>
   <td>n/a</td>
   <td>My combination of a couple lists, one from Andrew Orr</td>
   <td>My combination of a couple lists, from [https://twitter.com/xorrbit Andrew Orr], Brandon Enright, and [http://xd-blog.com.ar/ Seth]</td>
  </tr>
  </tr>


  <tr>
  <tr>
   <td>German</td>
   <td>German</td>
   <td>[http://downloads.skullsecurity.org/passwords/german.txt.bz2 german.txt.bz2] (2,121,045 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/german.txt.bz2 german.txt.bz2] (2,371,487 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/german.txt german.txt] (6,736,833 bytes)</td>
   <td>n/a</td>
   <td>See header for credit info</td>
   <td>Compiled by Brandon Enright</td>
  </tr>
  </tr>
   
   
Line 235: Line 342:
   <td>[http://ha.ckers.org/blog/20090417/us-cities-dictionary/ American cities]</td>
   <td>[http://ha.ckers.org/blog/20090417/us-cities-dictionary/ American cities]</td>
   <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2 us_cities.txt.bz2] (77,081 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2 us_cities.txt.bz2] (77,081 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt us_cities.txt] (207,041 bytes)</td>
   <td>n/a</td>
   <td>Generated by RSnake</td>
   <td>Generated by RSnake</td>
  </tr>
  </tr>
Line 242: Line 349:
   <td>"Porno"</td>
   <td>"Porno"</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno.txt.bz2 porno.txt.bz2] (7,158,285 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno.txt.bz2 porno.txt.bz2] (7,158,285 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno.txt porno.txt] (46,955,376 bytes)</td>
   <td>n/a</td>
   <td>World's largest porno password collection!</td>
   <td>World's largest porno password collection!<br>Created by [http://reusablesec.blogspot.com/ Matt Weir]
  </tr>  
  </tr>  
<tr>
  <td>Honeynet</td>
  <td>[http://downloads.skullsecurity.org/passwords/honeynet.txt.bz2 honeynet.txt.bz2] (889,525 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>From a honeynet run by [http://twitter.com/jgimer Joshua Gimer]</td>
</tr>
<tr>
  <td>Honeynet - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/honeynet-withcount.txt.bz2 honeynet-withcount.txt.bz2] (901,868 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>File locations</td>
  <td>[http://downloads.skullsecurity.org/passwords/file-locations.txt.bz2 file-locations.txt.bz2] (1,724 bytes)</td>
  <td>n/a</td>
  <td>Potential logfile locations (for LFI, etc).<br>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
<tr>
  <td>Fuzzing strings (Python)</td>
  <td>[http://downloads.skullsecurity.org/passwords/fuzzing-strings.txt.bz2 fuzzing-strings.txt.bz2] (276 bytes)</td>
  <td>n/a</td>
  <td>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
<tr>
  <td>PHPMyAdmin locations</td>
  <td>[http://downloads.skullsecurity.org/passwords/phpmyadmin-locations.txt.bz2 phpmyadmin-locations.txt.bz2] (304 bytes)</td>
  <td>n/a</td>
  <td>Potential PHPMyAdmin locations.<br>Thanks to [http://xd-blog.com.ar/ Seth]!</td>
</tr>
<tr>
  <td>Web extensions</td>
  <td>[http://downloads.skullsecurity.org/passwords/web-extensions.txt.bz2 web-extensions.txt.bz2] (117 bytes)</td>
  <td>n/a</td>
  <td>Common extensions for Web files.<br>Thanks to [http://www.open-labs.org/ dirb]!</td>
</tr>
<tr>
  <td>Web mutations</td>
  <td>[http://downloads.skullsecurity.org/passwords/web-mutations.txt.bz2 web-mutations.txt.bz2] (177 bytes)</td>
  <td>n/a</td>
  <td>Common 'mutations' for Web files.<br>Thanks to [http://www.open-labs.org/ dirb]!</td>
</tr>
</table>
[http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project#tab=Download DirBuster] has some awesome lists, too -- usernames and filenames.
===Facebook lists===
These are the lists I generated from [http://www.skullsecurity.org/blog/?p=887 this data]. Some are more useful than others as password lists. All lists are sorted by commonness.
If you want a bunch of these, I highly recommend using [http://www.skullsecurity.org/blogdata/fbdata.torrent the torrent]. It's faster, and you'll get them all at once.
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<tr>
  <td width='180'><strong>Name</strong></td>
  <td width='320'><strong>Compressed</strong></td>
  <td width='320'><strong>Uncompressed</strong></td>
  <td width='50'><strong>Date</strong></td>
  <td><strong>Notes</strong></td>
</tr>
<tr>
  <td>Full names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-names-unique.txt.bz2 facebook-names-unique.txt.bz2] (479,332,623 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>Full names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-names-withcount.txt.bz2 facebook-names-withcount.txt.bz2] (477,274,173 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>First names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-firstnames.txt.bz2 facebook-firstnames.txt.bz2] (16,464,124 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-firstnames-withcount.txt.bz2 facebook-firstnames-withcount.txt.bz2] (73,134,218 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>Last names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-lastnames.txt.bz2 facebook-lastnames.txt.bz2] (21,176,444 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>Last names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-lastnames-withcount.txt.bz2 facebook-lastnames-withcount.txt.bz2] (21,166,232 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>First initial last names</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-f.last.txt.bz2 facebook-f.last.txt.bz2] (67,110,776 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First initial last names - w/ count</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-f.last-withcount.txt.bz2 facebook-f.last-withcount.txt.bz2] (66,348,431 bytes)</td>
  <td>n/a</td>
</tr>
<tr>
  <td>First name last initial</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-first.l.txt.bz2 facebook-first.l.txt.bz2] (37,463,798 bytes)</td>
  <td>n/a</td>
  <td rowspan='2'>2010-08</td>
  <td rowspan='2'>&nbsp;</td>
</tr>
<tr>
  <td>First name last initial</td>
  <td>[http://downloads.skullsecurity.org/passwords/facebook-first.l-withcount.txt.bz2 facebook-first.l-withcount.txt.bz2] (36,932,295 bytes)</td>
  <td>n/a</td>
</tr>
</table>
</table>

Latest revision as of 23:53, 18 May 2015

HEY EVERYBODY! If you like this page, please consider supporting me on Patreon!


Password dictionaries

These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.

Name Compressed Uncompressed Notes
John the Ripper john.txt.bz2 (10,934 bytes) n/a Simple, extremely good, designed to be modified
Cain & Abel cain.txt.bz2 (1,069,968 bytes) n/a Fairly comprehensive, not ordered
Conficker worm conficker.txt.bz2 (1411 bytes) n/a Used by conficker worm to spread -- low quality
500 worst passwords 500-worst-passwords.txt.bz2 (1868 bytes) n/a
370 Banned Twitter passwords twitter-banned.txt.bz2 (1509 bytes) n/a

Leaked passwords

Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.

The best use of these is to generate or test password lists.

Note: The dates are approximate.

Name Compressed Uncompressed Date Notes
Rockyou rockyou.txt.bz2 (60,498,886 bytes) n/a 2009-12 Best list available; huge, stolen unencrypted
Rockyou with count rockyou-withcount.txt.bz2 (59,500,255 bytes) n/a
phpbb phpbb.txt.bz2 (868,606 bytes) n/a 2009-01 Ordered by commonness
Cracked from md5 by Brandon Enright
(97%+ coverage)
phpbb with count phpbb-withcount.txt.bz2 (872,867 bytes) n/a
phpbb with md5 phpbb-withmd5.txt.bz2 (4,117,887 bytes) n/a
MySpace myspace.txt.bz2 (175,970 bytes) n/a 2006-10 Captured via phishing
MySpace - with count myspace-withcount.txt.bz2 (179,929 bytes) n/a
Hotmail hotmail.txt.bz2 (47,195 bytes) n/a Unknown Isn't clearly understood how these were stolen
Hotmail with count hotmail-withcount.txt.bz2 (47,975 bytes) n/a
Faithwriters faithwriters.txt.bz2 (39,327 bytes) n/a 2009-03 Religious passwords
Faithwriters - with count faithwriters-withcount.txt.bz2 (40,233 bytes) n/a
Elitehacker elitehacker.txt.bz2 (3,690 bytes) n/a 2009-07 Part of zf05.txt
Elitehacker - with count elitehacker-withcount.txt.bz2 (3,846 bytes) n/a
Hak5 hak5.txt.bz2 (16,490 bytes) n/a 2009-07 Part of zf05.txt
Hak5 - with count hak5-withcount.txt.bz2 (16,947 bytes) n/a
Älypää alypaa.txt.bz2 (5,178 bytes) n/a 2010-03 Finnish passwords
alypaa - with count alypaa-withcount.txt.bz2 (6,013 bytes) n/a
Facebook (Pastebay) facebook-pastebay.txt.bz2 (375 bytes) n/a 2010-04 Found on Pastebay;
appear to be malware-stolen.
Facebook (Pastebay) - w/ count facebook-pastebay-withcount.txt.bz2 (407 bytes) n/a
Unknown porn site porn-unknown.txt.bz2 (30,600 bytes) n/a 2010-08 Found on angelfire.com. No clue where they originated, but clearly porn site.
Unknown porn site - w/ count porn-unknown-withcount.txt.bz2 (31,899 bytes) n/a
Ultimate Strip Club List tuscl.txt.bz2 (176,291 bytes) n/a 2010-09 Thanks to Mark Baggett for finding!
Ultimate Strip Club List - w/ count tuscl-withcount.txt.bz2 (182,441 bytes) n/a
[Facebook Phished] facebook-phished.txt.bz2 (14,457 bytes) n/a 2010-09 Thanks to Andrew Orr for reporting
Facebook Phished - w/ count facebook-phished-withcount.txt.bz2 (14,941 bytes) n/a
Carders.cc carders.cc.txt.bz2 (8,936 bytes) n/a 2010-05
Carders.cc - w/ count carders.cc-withcount.txt.bz2 (9,774 bytes) n/a
Singles.org singles.org.txt.bz2 (50,697 bytes) n/a 2010-10
Singles.org - w/ count singles.org-withcount.txt.bz2 (52,884 bytes) n/a
Unnamed financial site (reserved) (reserved) 2010-12
Unnamed financial site - w/ count (reserved) (reserved)
Gawker (reserved) (reserved) 2010-12
Gawker - w/ count (reserved) (reserved)
Free-Hack.com (reserved) (reserved) 2010-12
Free-Hack.com w/count (reserved) (reserved)
Carders.cc (second time hacked) (reserved) (reserved) 2010-12
Carders.cc w/count (second time hacked) (reserved) (reserved)

Statistics

I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:

Miscellaneous non-hacking dictionaries

These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.

Name Compressed Uncompressed Notes
English english.txt.bz2 (1,368,101 bytes) n/a My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth
German german.txt.bz2 (2,371,487 bytes) n/a Compiled by Brandon Enright
American cities us_cities.txt.bz2 (77,081 bytes) n/a Generated by RSnake
"Porno" porno.txt.bz2 (7,158,285 bytes) n/a World's largest porno password collection!
Created by Matt Weir
Honeynet honeynet.txt.bz2 (889,525 bytes) n/a From a honeynet run by Joshua Gimer
Honeynet - w/ count honeynet-withcount.txt.bz2 (901,868 bytes) n/a
File locations file-locations.txt.bz2 (1,724 bytes) n/a Potential logfile locations (for LFI, etc).
Thanks to Seth!
Fuzzing strings (Python) fuzzing-strings.txt.bz2 (276 bytes) n/a Thanks to Seth!
PHPMyAdmin locations phpmyadmin-locations.txt.bz2 (304 bytes) n/a Potential PHPMyAdmin locations.
Thanks to Seth!
Web extensions web-extensions.txt.bz2 (117 bytes) n/a Common extensions for Web files.
Thanks to dirb!
Web mutations web-mutations.txt.bz2 (177 bytes) n/a Common 'mutations' for Web files.
Thanks to dirb!

DirBuster has some awesome lists, too -- usernames and filenames.

Facebook lists

These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.

If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.

Name Compressed Uncompressed Date Notes
Full names facebook-names-unique.txt.bz2 (479,332,623 bytes) n/a 2010-08  
Full names - w/ count facebook-names-withcount.txt.bz2 (477,274,173 bytes) n/a
First names facebook-firstnames.txt.bz2 (16,464,124 bytes) n/a 2010-08  
First names - w/ count facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) n/a
Last names facebook-lastnames.txt.bz2 (21,176,444 bytes) n/a 2010-08  
Last names - w/ count facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes) n/a
First initial last names facebook-f.last.txt.bz2 (67,110,776 bytes) n/a 2010-08  
First initial last names - w/ count facebook-f.last-withcount.txt.bz2 (66,348,431 bytes) n/a
First name last initial facebook-first.l.txt.bz2 (37,463,798 bytes) n/a 2010-08  
First name last initial facebook-first.l-withcount.txt.bz2 (36,932,295 bytes) n/a