These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
|John the Ripper||john.txt.bz2 (10,934 bytes)||n/a||Simple, extremely good, designed to be modified|
|Cain & Abel||cain.txt.bz2 (1,069,968 bytes)||n/a||Fairly comprehensive, not ordered|
|Conficker worm||conficker.txt.bz2 (1411 bytes)||n/a||Used by conficker worm to spread -- low quality|
|500 worst passwords||500-worst-passwords.txt.bz2 (1868 bytes)||n/a|
|370 Banned Twitter passwords||twitter-banned.txt.bz2 (1509 bytes)||n/a|
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.
The best use of these is to generate or test password lists.
Note: The dates are approximate.
|Rockyou||rockyou.txt.bz2 (60,498,886 bytes)||n/a||2009-12||Best list available; huge, stolen unencrypted|
|Rockyou with count||rockyou-withcount.txt.bz2 (59,500,255 bytes)||n/a|
|phpbb||phpbb.txt.bz2 (868,606 bytes)||n/a||2009-01||Ordered by commonness
Cracked from md5 by Brandon Enright
|phpbb with count||phpbb-withcount.txt.bz2 (872,867 bytes)||n/a|
|phpbb with md5||phpbb-withmd5.txt.bz2 (4,117,887 bytes)||n/a|
|MySpace||myspace.txt.bz2 (175,970 bytes)||n/a||2006-10||Captured via phishing|
|MySpace - with count||myspace-withcount.txt.bz2 (179,929 bytes)||n/a|
|Hotmail||hotmail.txt.bz2 (47,195 bytes)||n/a||Unknown||Isn't clearly understood how these were stolen|
|Hotmail with count||hotmail-withcount.txt.bz2 (47,975 bytes)||n/a|
|Faithwriters||faithwriters.txt.bz2 (39,327 bytes)||n/a||2009-03||Religious passwords|
|Faithwriters - with count||faithwriters-withcount.txt.bz2 (40,233 bytes)||n/a|
|Elitehacker||elitehacker.txt.bz2 (3,690 bytes)||n/a||2009-07||Part of zf05.txt|
|Elitehacker - with count||elitehacker-withcount.txt.bz2 (3,846 bytes)||n/a|
|Hak5||hak5.txt.bz2 (16,490 bytes)||n/a||2009-07||Part of zf05.txt|
|Hak5 - with count||hak5-withcount.txt.bz2 (16,947 bytes)||n/a|
|Älypää||alypaa.txt.bz2 (5,178 bytes)||n/a||2010-03||Finnish passwords|
|alypaa - with count||alypaa-withcount.txt.bz2 (6,013 bytes)||n/a|
|Facebook (Pastebay)||facebook-pastebay.txt.bz2 (375 bytes)||n/a||2010-04||Found on Pastebay;
appear to be malware-stolen.
|Facebook (Pastebay) - w/ count||facebook-pastebay-withcount.txt.bz2 (407 bytes)||n/a|
|Unknown porn site||porn-unknown.txt.bz2 (30,600 bytes)||n/a||2010-08||Found on angelfire.com. No clue where they originated, but clearly porn site.|
|Unknown porn site - w/ count||porn-unknown-withcount.txt.bz2 (31,899 bytes)||n/a|
|Ultimate Strip Club List||tuscl.txt.bz2 (176,291 bytes)||n/a||2010-09||Thanks to Mark Baggett for finding!|
|Ultimate Strip Club List - w/ count||tuscl-withcount.txt.bz2 (182,441 bytes)||n/a|
|[Facebook Phished]||facebook-phished.txt.bz2 (14,457 bytes)||n/a||2010-09||Thanks to Andrew Orr for reporting|
|Facebook Phished - w/ count||facebook-phished-withcount.txt.bz2 (14,941 bytes)||n/a|
|Carders.cc||carders.cc.txt.bz2 (8,936 bytes)||n/a||2010-05|
|Carders.cc - w/ count||carders.cc-withcount.txt.bz2 (9,774 bytes)||n/a|
|Singles.org||singles.org.txt.bz2 (50,697 bytes)||n/a||2010-10|
|Singles.org - w/ count||singles.org-withcount.txt.bz2 (52,884 bytes)||n/a|
|Unnamed financial site||(reserved)||(reserved)||2010-12|
|Unnamed financial site - w/ count||(reserved)||(reserved)|
|Gawker - w/ count||(reserved)||(reserved)|
|Carders.cc (second time hacked)||(reserved)||(reserved)||2010-12|
|Carders.cc w/count (second time hacked)||(reserved)||(reserved)|
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
Miscellaneous non-hacking dictionaries
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
|English||english.txt.bz2 (1,368,101 bytes)||My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth|
|German||german.txt.bz2 (2,371,487 bytes)||Compiled by Brandon Enright|
|American cities||us_cities.txt.bz2 (77,081 bytes)||Generated by RSnake|
|"Porno"||porno.txt.bz2 (7,158,285 bytes)||World's largest porno password collection!|
Created by Matt Weir
|Honeynet||honeynet.txt.bz2 (889,525 bytes)||From a honeynet run by Joshua Gimer|
|Honeynet - w/ count||honeynet-withcount.txt.bz2 (901,868 bytes)|
|File locations||file-locations.txt.bz2 (1,724 bytes)||Potential logfile locations (for LFI, etc).
Thanks to Seth!
|Fuzzing strings (Python)||fuzzing-strings.txt.bz2 (276 bytes)||Thanks to Seth!|
|PHPMyAdmin locations||phpmyadmin-locations.txt.bz2 (304 bytes)||Potential PHPMyAdmin locations.
Thanks to Seth!
|Web extensions||web-extensions.txt.bz2 (117 bytes)||Common extensions for Web files.
Thanks to dirb!
|Web mutations||web-mutations.txt.bz2 (177 bytes)||Common 'mutations' for Web files.
Thanks to dirb!
DirBuster has some awesome lists, too -- usernames and filenames.
These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.
If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.
|Full names||facebook-names-unique.txt.bz2 (479,332,623 bytes)||2010-08|
|Full names - w/ count||facebook-names-withcount.txt.bz2 (477,274,173 bytes)|
|First names||facebook-firstnames.txt.bz2 (16,464,124 bytes)||2010-08|
|First names - w/ count||facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes)|
|Last names||facebook-lastnames.txt.bz2 (21,176,444 bytes)||2010-08|
|Last names - w/ count||facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes)|
|First initial last names||facebook-f.last.txt.bz2 (67,110,776 bytes)||2010-08|
|First initial last names - w/ count||facebook-f.last-withcount.txt.bz2 (66,348,431 bytes)|
|First name last initial||facebook-first.l.txt.bz2 (37,463,798 bytes)||2010-08|
|First name last initial||facebook-first.l-withcount.txt.bz2 (36,932,295 bytes)|