Difference between revisions of "Passwords"

From SkullSecurity
Jump to navigation Jump to search
Line 2: Line 2:
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.


<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0;'>
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
  <tr>
  <tr>
   <td width='150'><strong>Name</strong></td>
   <td width='150'><strong>Name</strong></td>
Line 11: Line 11:


  <tr>
  <tr>
   <td>[http://www.oxid.it/cain.html Cain & Able]</td>
   <td>[http://www.openwall.com/john/ John the Ripper]</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-cain.txt.bz2 List-cain.txt.bz2] (1,069,968 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/john.txt.bz2 john.txt.bz2] (10,934 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-cain.txt List-cain.txt] (3,149,586 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/john.txt john.txt] (21,935 bytes)</td>
   <td>Fairly comprehensive</td>
   <td>Simple, extremely good, designed to be modified</td>
  </tr>
  </tr>
 
 
  <tr>
  <tr>
   <td>[http://www.openwall.com/john/ John the Ripper]</td>
   <td>[http://www.oxid.it/cain.html Cain & Able]</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-john.txt.bz2 List-john.txt.bz2] (10,934 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/cain.txt.bz2 cain.txt.bz2] (1,069,968 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-john.txt List-john.txt] (21,935 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/cain.txt cain.txt] (3,149,586 bytes)</td>
   <td>Simple, designed to be modified</td>
   <td>Fairly comprehensive, not ordered</td>
  </tr>
  </tr>
   
   
  <tr>
  <tr>
   <td>Conficker worm</td>
   <td>Conficker worm</td>
   <td>[http://downloads.skullsecurity.org/passwords/Connficker.txt.bz2 Conficker.txt.bz2] (1411 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/conficker.txt.bz2 conficker.txt.bz2] (1411 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/Connficker.txt Conficker.txt] (702 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/conficker.txt conficker.txt] (702 bytes)</td>
   <td>Used by conficker worm to spread</td>
   <td>Used by conficker worm to spread -- low quality</td>
  </tr>
  </tr>
   
   
Line 35: Line 35:
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt.bz2] (1868 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 500-worst-passwords.txt.bz2] (1868 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt 500-worst-passwords.txt] (3493 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt 500-worst-passwords.txt] (3493 bytes)</td>
</tr>
<tr>
  <td>[http://techcrunch.com/2009/12/27/twitter-banned-passwords/ 370 Banned Twitter passwords]</td>
  <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2 twitter-banned.txt.bz2] (1509 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/twitter-banned.txt twitter-banned.txt] (2780 bytes)</td>
  </tr>
  </tr>
</table>
</table>




==Leaked passwords==
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.


==Leaked passwords==
The best use of these is to generate or test password lists.  
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does. Naturally, I'm not the one who stole these.  
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0;'>
  <tr>
  <tr>
   <td width='150'><strong>Name</strong></td>
   <td width='150'><strong>Name</strong></td>
Line 51: Line 58:


  <tr>
  <tr>
   <td>MySpace</td>
   <td>Rockyou</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-myspace.txt.bz2 List-myspace.txt.bz2] (175,970 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 rockyou.txt.bz2] (60,498,886 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/List-myspace.txt List-myspace.txt] (356,352 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt rockyou.txt] (139,921,497 bytes)</td>
   <td rowspan='2'>Ordered by commonness<br>Captured via phishing; not representative</td>
   <td rowspan='2'>Best list available; huge, stolen unencrypted</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>MySpace - with count</td>
   <td>Rockyou with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/Myspace-counts.txt.bz2 Myspace-counts.txt.bz2] (179,929 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 rockyou-withcount.txt.bz2] (59,500,255 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/Myspace-counts.txt Myspace-counts.txt] (653,504 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt rockyou-withcount.txt] (254,676,625 bytes)</td>
  </tr>
  </tr>
 
  <tr>
  <tr>
   <td>phpbb</td>
   <td>phpbb</td>
Line 79: Line 86:
  </tr>
  </tr>


<tr>
  <td>MySpace</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace.txt.bz2 myspace.txt.bz2] (175,970 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace.txt myspace.txt] (356,352 bytes)</td>
  <td rowspan='2'>Captured via phishing</td>
</tr>
<tr>
  <td>MySpace - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt.bz2 myspace-withcount.txt.bz2] (179,929 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/myspace-withcount.txt myspace-withcount.txt] (653,504 bytes)</td>
</tr>
<tr>
  <td>Hotmail</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt.bz2 hotmail.txt.bz2] (47,195 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail.txt hotmail.txt] (87,383 bytes)</td>
  <td rowspan='2'>Isn't clearly understood how these were stolen</td>
</tr>
<tr>
  <td>Hotmail with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt.bz2 hotmail-withcount.txt.bz2] (47,975 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/hotmail-withcount.txt hotmail-withcount.txt] (158,831 bytes)</td>
</tr>
   
   
  <tr>
  <tr>
   <td>Rockyou - original</td>
   <td>Faithwriters</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 rockyou.txt.bz2] (139,943,478 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt.bz2 faithwriters.txt.bz2] (39,327 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou.txt rockyou.txt] (289,836,298 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/faithwriters.txt faithwriters.txt] (72,695 bytes)</td>
   <td rowspan='3'>Stolen as-is<br>Thanks to Mark Baggett<br>for the tip!</td>
   <td rowspan='2'>Religious passwords</td>
</tr>
<tr>
  <td>Faithwriters - with count</td>
  <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt.bz2 faithwriters-withcount.txt.bz2] (40,233 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/faithwriters-withcount.txt faithwriters-withcount.txt] (139,480 bytes)</td>
</tr>
 
<tr>
  <td>Elitehacker</td>
  <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt.bz2 elitehacker.txt.bz2] (3,690 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/elitehacker.txt elitehacker.txt] (6,516 bytes)</td>
  <td rowspan='2'>Part of zf05.txt</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>Rockyou - by count</td>
   <td>Elitehacker - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-bycount.txt.bz2 rockyou-bycount.txt.bz2] (60,498,886 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt.bz2 elitehacker-withcount.txt.bz2] (3,846 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-bycount.txt rockyou-bycount.txt] (139,921,497 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/elitehacker-withcount.txt elitehacker-withcount.txt] (13,676 bytes)</td>
  </tr>
  </tr>
  <tr>
  <tr>
   <td>Rockyou - with count</td>
   <td>Hak5</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-bycount.txt.bz2 rockyou-withcount.txt.bz2] (59,500,255 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/hak5.txt.bz2 hak5.txt.bz2] (16,490 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/rockyou-bycount.txt rockyou-withcount.txt] (254,676,625 bytes)</td>
  <td>[http://downloads.skullsecurity.org/passwords/hak5.txt hak5.txt] (24,714 bytes)</td>
  <td rowspan='2'>Part of zf05.txt</td>
</tr>
<tr>
  <td>Hak5 - with count</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt.bz2 hak5-withcount.txt.bz2] (16,947 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/hak5-withcount.txt hak5-withcount.txt] (43,522 bytes)</td>
  </tr>
  </tr>
</table>
</table>


===Coverage===
===Coverage (Rockyou)===
I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:
I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:


<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0;'>
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
  <tr>
  <tr>
   <td width='150'><strong>Passwords</strong></td>
   <td width='150'><strong>Passwords</strong></td>
Line 123: Line 172:
<tr><td>59187</td><td>75.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-75.txt rockyou-75.txt] (478,948 bytes)</td></tr></table>
<tr><td>59187</td><td>75.00%</td><td>[http://downloads.skullsecurity.org/passwords/rockyou-75.txt rockyou-75.txt] (478,948 bytes)</td></tr></table>


==Dictionaries, etc.==
===Statistics===
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
* [http://www.skullsecurity.org/blogdata/cracked_500worst.png cracked_500worst.png]
* [http://www.skullsecurity.org/blogdata/cracked_elitehackers.png cracked_elitehackers.png]
* [http://www.skullsecurity.org/blogdata/cracked_faithwriters.png cracked_faithwriters.png]
* [http://www.skullsecurity.org/blogdata/cracked_hak5.png cracked_hak5.png]
* [http://www.skullsecurity.org/blogdata/cracked_hotmail.png cracked_hotmail.png]
* [http://www.skullsecurity.org/blogdata/cracked_myspace.png cracked_myspace.png]
* [http://www.skullsecurity.org/blogdata/cracked_phpbb.png cracked_phpbb.png]
* [http://www.skullsecurity.org/blogdata/cracked_rockyou.png cracked_rockyou.png]
 
 
==Miscellaneous non-hacking dictionaries==
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.  
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.  


<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0;'>
<table style='border-width: 1px; border-spacing: 2px; border-color: gray; border-style: outset; border-collapse: separate; color: #c0c0c0; font-size: 8pt;'>
  <tr>
  <tr>
   <td width='120'><strong>Name</strong></td>
   <td width='120'><strong>Name</strong></td>
Line 136: Line 197:
  <tr>
  <tr>
   <td>English</td>
   <td>English</td>
   <td>[http://downloads.skullsecurity.org/passwords/English.txt.bz2 English.txt.bz2] (349,604 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/english.txt.bz2 english.txt.bz2] (1,063,071 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/English.txt English.txt] (1,055,781)</td>
   <td>[http://downloads.skullsecurity.org/passwords/english.txt english.txt] (3,144,506 bytes)</td>
  <td>I forget where this came from</td>
   <td>My combination of a couple lists, one from Andrew Orr</td>
</tr>
<tr>
  <td>English (2)</td>
  <td>[http://downloads.skullsecurity.org/passwords/English2.txt.bz2 English2.txt.bz2] (975,280 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/English2.txt English2.txt] (2,828,046)</td>
  <td>Found by Andrew Orr</td>
  </tr>
  </tr>


  <tr>
  <tr>
   <td>German</td>
   <td>German</td>
   <td>[http://downloads.skullsecurity.org/passwords/German_list.txt.bz2 German_list.txt.bz2] (2,121,045 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/german.txt.bz2 german.txt.bz2] (2,121,045 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/German_list.txt German_list.txt] (6,736,833 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/german.txt german.txt] (6,736,833 bytes)</td>
   <td>See header for credit info</td>
   <td>See header for credit info</td>
  </tr>
  </tr>
Line 156: Line 211:
  <tr>
  <tr>
   <td>[http://ha.ckers.org/blog/20090417/us-cities-dictionary/ American cities]</td>
   <td>[http://ha.ckers.org/blog/20090417/us-cities-dictionary/ American cities]</td>
   <td>[http://downloads.skullsecurity.org/passwords/US_Cities.txt.bz2 US_Cities.txt.bz2] (77,081 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2 us_cities.txt.bz2] (77,081 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/US_Cities.txt US_Cities.txt] (207,041 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/us_cities.txt us_cities.txt] (207,041 bytes)</td>
   <td>Generated by RSnake</td>
   <td>Generated by RSnake</td>
  </tr>
  </tr>
Line 163: Line 218:
  <tr>
  <tr>
   <td>"Porno"</td>
   <td>"Porno"</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno-passwords.txt.bz2 porno-passwords.txt.bz2] (7,158,285 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno.txt.bz2 porno.txt.bz2] (7,158,285 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno-passwords.txt porno-passwords.txt] (46,955,376 bytes)</td>
   <td>[http://downloads.skullsecurity.org/passwords/porno.txt porno.txt] (46,955,376 bytes)</td>
   <td>World's largest porno password collection!</td>
   <td>World's largest porno password collection!</td>
  </tr>  
  </tr>  
</table>
</table>

Revision as of 21:56, 6 March 2010

Password dictionaries

These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.

Name Compressed Uncompressed Notes
John the Ripper john.txt.bz2 (10,934 bytes) john.txt (21,935 bytes) Simple, extremely good, designed to be modified
Cain & Able cain.txt.bz2 (1,069,968 bytes) cain.txt (3,149,586 bytes) Fairly comprehensive, not ordered
Conficker worm conficker.txt.bz2 (1411 bytes) conficker.txt (702 bytes) Used by conficker worm to spread -- low quality
500 worst passwords 500-worst-passwords.txt.bz2 (1868 bytes) 500-worst-passwords.txt (3493 bytes)
370 Banned Twitter passwords twitter-banned.txt.bz2 (1509 bytes) twitter-banned.txt (2780 bytes)


Leaked passwords

Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.

The best use of these is to generate or test password lists.

Name Compressed Uncompressed Notes
Rockyou rockyou.txt.bz2 (60,498,886 bytes) rockyou.txt (139,921,497 bytes) Best list available; huge, stolen unencrypted
Rockyou with count rockyou-withcount.txt.bz2 (59,500,255 bytes) rockyou-withcount.txt (254,676,625 bytes)
phpbb phpbb.txt.bz2 (868,606 bytes) phpbb.txt (1,574,395 bytes) Ordered by commonness
Cracked from md5 by Brandon Enright (97%+ coverage)
phpbb with count phpbb-withcount.txt.bz2 (872,867 bytes) phpbb-withcount.txt (3,049,507 bytes)
phpbb with md5 phpbb-withmd5.txt.bz2 (4,117,887 bytes) phpbb-withmd5.txt (7,659,241 bytes)
MySpace myspace.txt.bz2 (175,970 bytes) myspace.txt (356,352 bytes) Captured via phishing
MySpace - with count myspace-withcount.txt.bz2 (179,929 bytes) myspace-withcount.txt (653,504 bytes)
Hotmail hotmail.txt.bz2 (47,195 bytes) hotmail.txt (87,383 bytes) Isn't clearly understood how these were stolen
Hotmail with count hotmail-withcount.txt.bz2 (47,975 bytes) hotmail-withcount.txt (158,831 bytes)
Faithwriters faithwriters.txt.bz2 (39,327 bytes) faithwriters.txt (72,695 bytes) Religious passwords
Faithwriters - with count faithwriters-withcount.txt.bz2 (40,233 bytes) faithwriters-withcount.txt (139,480 bytes)
Elitehacker elitehacker.txt.bz2 (3,690 bytes) elitehacker.txt (6,516 bytes) Part of zf05.txt
Elitehacker - with count elitehacker-withcount.txt.bz2 (3,846 bytes) elitehacker-withcount.txt (13,676 bytes)
Hak5 hak5.txt.bz2 (16,490 bytes) hak5.txt (24,714 bytes) Part of zf05.txt
Hak5 - with count hak5-withcount.txt.bz2 (16,947 bytes) hak5-withcount.txt (43,522 bytes)

Coverage (Rockyou)

I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:

Passwords Coverage Download
134.99%rockyou-5.txt (104 bytes)
9210.00%rockyou-10.txt (723 bytes)
24915.01%rockyou-15.txt (1,943 bytes)
51220.00%rockyou-20.txt (3,998 bytes)
92925.00%rockyou-25.txt (7,229 bytes)
155630.00%rockyou-30.txt (12,160 bytes)
250635.00%rockyou-35.txt (19,648 bytes)
395740.00%rockyou-40.txt (31,220 bytes)
616445.00%rockyou-45.txt (49,133 bytes)
943850.00%rockyou-50.txt (75,912 bytes)
1423655.00%rockyou-55.txt (115,186 bytes)
2104160.00%rockyou-60.txt (170,244 bytes)
3029065.00%rockyou-65.txt (244,535 bytes)
4266170.00%rockyou-70.txt (344,231 bytes)
5918775.00%rockyou-75.txt (478,948 bytes)

Statistics

I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:


Miscellaneous non-hacking dictionaries

These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.

Name Compressed Uncompressed Notes
English english.txt.bz2 (1,063,071 bytes) english.txt (3,144,506 bytes) My combination of a couple lists, one from Andrew Orr
German german.txt.bz2 (2,121,045 bytes) german.txt (6,736,833 bytes) See header for credit info
American cities us_cities.txt.bz2 (77,081 bytes) us_cities.txt (207,041 bytes) Generated by RSnake
"Porno" porno.txt.bz2 (7,158,285 bytes) porno.txt (46,955,376 bytes) World's largest porno password collection!
Retrieved from "https://wiki.skullsecurity.org/index.php?title=Passwords&oldid=2946"