What is a modern high quality password dictionary?

Is there any good password dictionary that I can access? Some of the lists I found dated back to the 90's! Some are simply too big that I doubt their quality. There appears to be some work by someone for a paid list though at http://dazzlepod.com/uniqpass/ but I am looking for something hopefully free!

Answered by Kalyani Malhotra

As the old adage says, "it's not the size of your word list that matters, it's how you use it." And which you use. I will provide you with some tips.

For password dictionary lists and non-password word lists relevant to my suggestions, see SkullSecurity, KoreLogic, and Openwall. The leaks mentioned are all from SkullSecurity. Or you can hunt down leaks and use them as a basis, over time developing good lists. See the twitter feeds of pastebin leaks and keep an eye on the news and hunt down leaks that are announced, especially when in plaintext. Even if some of the leaks are pure hashes and you need to crack them, it will still give you an idea of what is being used in the wild and help you assess the value of your password lists.

On to the advice.

Chose a word list relevant to your target's user base

Password leaks similar to your target (e.g. Faithwriters, Hak5, Ultimate Strip Club List)

Relevant topics (Sport teams and terminology, slang, city/town names)

Relevant languages (e.g. Älypää leak, foreign dictionaries, foreign Wikipedia)

Generate your own!

Crawl target's website

Strip and then use mangling rules on passwords already cracked

Look for trends in passwords already cracked and find a source (or generate one) that is categorically similar

Mangle generic lists

Look at JtR's default mangling rules and KoreLogic's published ones for inspiration

Name lists. first initial last name, first name last initial, first name, last name

Write mangling rules that fit patterns you see in passwords already cracked

Lists of random ordinary stuff (e.g. phone numbers)

Don't use lists at all

Markov chains (see JtR Jumbo)

JtR default incremental modes

Other probability stuff

Go through all digit combinations between 1 digit and as high as you can handle

Use Rainbow tables if unsalted passwords are in use

Be lazy and use generalized leaks like RockYou

Think about password policy


Learn what the password policy is through analysis on cracked passwords

Realize patterns may just be your imagination or created by your tactics

Think about what keyspaces and tactics you haven't tried

In summary:

Password lists aren't everything

Learn to write good mangling rules

Analyze what you've cracked

Use scripting to generate common patterns on-the-fly

Create your own word lists

Chose relevant lists

Your Answer


Parent Categories