Difference between revisions of "Passwords"
Revision as of 21:56, 6 March 2010
Password dictionaries
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
Name | Compressed | Uncompressed | Notes |
John the Ripper | john.txt.bz2 (10,934 bytes) | john.txt (21,935 bytes) | Simple, extremely good, designed to be modified |
Cain & Abel | cain.txt.bz2 (1,069,968 bytes) | cain.txt (3,149,586 bytes) | Fairly comprehensive, not ordered |
Conficker worm | conficker.txt.bz2 (1411 bytes) | conficker.txt (702 bytes) | Used by the Conficker worm to spread -- low quality |
500 worst passwords | 500-worst-passwords.txt.bz2 (1868 bytes) | 500-worst-passwords.txt (3493 bytes) | |
370 Banned Twitter passwords | twitter-banned.txt.bz2 (1509 bytes) | twitter-banned.txt (2780 bytes) | |
Leaked passwords
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online and removed any names/email addresses/etc. (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.)
The best use of these is to generate or test password lists.
Name | Compressed | Uncompressed | Notes |
Rockyou | rockyou.txt.bz2 (60,498,886 bytes) | rockyou.txt (139,921,497 bytes) | Best list available; huge, stolen unencrypted |
Rockyou with count | rockyou-withcount.txt.bz2 (59,500,255 bytes) | rockyou-withcount.txt (254,676,625 bytes) | |
phpbb | phpbb.txt.bz2 (868,606 bytes) | phpbb.txt (1,574,395 bytes) | Ordered by commonness; cracked from MD5 by Brandon Enright (97%+ coverage) |
phpbb with count | phpbb-withcount.txt.bz2 (872,867 bytes) | phpbb-withcount.txt (3,049,507 bytes) | |
phpbb with md5 | phpbb-withmd5.txt.bz2 (4,117,887 bytes) | phpbb-withmd5.txt (7,659,241 bytes) | |
MySpace | myspace.txt.bz2 (175,970 bytes) | myspace.txt (356,352 bytes) | Captured via phishing |
MySpace - with count | myspace-withcount.txt.bz2 (179,929 bytes) | myspace-withcount.txt (653,504 bytes) | |
Hotmail | hotmail.txt.bz2 (47,195 bytes) | hotmail.txt (87,383 bytes) | It isn't clearly understood how these were stolen |
Hotmail with count | hotmail-withcount.txt.bz2 (47,975 bytes) | hotmail-withcount.txt (158,831 bytes) | |
Faithwriters | faithwriters.txt.bz2 (39,327 bytes) | faithwriters.txt (72,695 bytes) | Religious passwords |
Faithwriters - with count | faithwriters-withcount.txt.bz2 (40,233 bytes) | faithwriters-withcount.txt (139,480 bytes) | |
Elitehacker | elitehacker.txt.bz2 (3,690 bytes) | elitehacker.txt (6,516 bytes) | Part of zf05.txt |
Elitehacker - with count | elitehacker-withcount.txt.bz2 (3,846 bytes) | elitehacker-withcount.txt (13,676 bytes) | |
Hak5 | hak5.txt.bz2 (16,490 bytes) | hak5.txt (24,714 bytes) | Part of zf05.txt |
Hak5 - with count | hak5-withcount.txt.bz2 (16,947 bytes) | hak5-withcount.txt (43,522 bytes) | |
Coverage (Rockyou)
I did some calculations and determined how many passwords you'd need, on average, to crack which percentage of users' passwords, based on the leaked passwords from Rockyou.com. These lists will crack the advertised amount on an average cross-section of people if no password restrictions are in place:
Passwords | Coverage | Download |
13 | 4.99% | rockyou-5.txt (104 bytes) |
92 | 10.00% | rockyou-10.txt (723 bytes) |
249 | 15.01% | rockyou-15.txt (1,943 bytes) |
512 | 20.00% | rockyou-20.txt (3,998 bytes) |
929 | 25.00% | rockyou-25.txt (7,229 bytes) |
1556 | 30.00% | rockyou-30.txt (12,160 bytes) |
2506 | 35.00% | rockyou-35.txt (19,648 bytes) |
3957 | 40.00% | rockyou-40.txt (31,220 bytes) |
6164 | 45.00% | rockyou-45.txt (49,133 bytes) |
9438 | 50.00% | rockyou-50.txt (75,912 bytes) |
14236 | 55.00% | rockyou-55.txt (115,186 bytes) |
21041 | 60.00% | rockyou-60.txt (170,244 bytes) |
30290 | 65.00% | rockyou-65.txt (244,535 bytes) |
42661 | 70.00% | rockyou-70.txt (344,231 bytes) |
59187 | 75.00% | rockyou-75.txt (478,948 bytes) |
Statistics
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
- cracked_500worst.png
- cracked_elitehackers.png
- cracked_faithwriters.png
- cracked_hak5.png
- cracked_hotmail.png
- cracked_myspace.png
- cracked_phpbb.png
- cracked_rockyou.png
Miscellaneous non-hacking dictionaries
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
Name | Compressed | Uncompressed | Notes |
English | english.txt.bz2 (1,063,071 bytes) | english.txt (3,144,506 bytes) | My combination of a couple lists, one from Andrew Orr |
German | german.txt.bz2 (2,121,045 bytes) | german.txt (6,736,833 bytes) | See header for credit info |
American cities | us_cities.txt.bz2 (77,081 bytes) | us_cities.txt (207,041 bytes) | Generated by RSnake |
"Porno" | porno.txt.bz2 (7,158,285 bytes) | porno.txt (46,955,376 bytes) | World's largest porno password collection! |