Password List Download Best Word List – Most Common Passwords

Password lists, good word lists and the most common passwords are super important when it comes to password cracking and recovery, as is the whole selection of actual leaked password databases you can get from breaches such as Ashley Madison, Sony and more.


Generate your own Password List or Best Word List

There are various powerful tools to help you generate password lists or wordlists for brute forcing, based on information gathered from sources such as documents and web pages:

Wyd – password profiling tool
Crunch – Password Cracking Wordlist Generator
CeWL v5.1 – Password Cracking Custom Word List Generator
RSMangler – Keyword Based Wordlist Generator For Bruteforcing
The Associative Word List Generator (AWLG) – Create Related Wordlists

These are useful resources that can add unique words you might not have in your generic lists. Using a combination of generated lists, most common passwords and leaked password databases, you can build a very powerful selection of passwords for brute force cracking.

Also add all the company-related words you can, and if possible use industry-specific word lists (chemical names for a lab, medical terms for a hospital etc).

And always brute force in the native language. There are some language-specific resources below.
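As an added example (not code from this post or from any of the tools listed above), here is a small Python mangler that shows what these generators do under the hood: it merges a scraped base list with company terms, applies case, leet, year and suffix rules, and de-duplicates while preserving order so the likeliest candidates come first. The base words, company names and years are constructed sample input; the company names are hypothetical.

```python
"""Build a targeted wordlist from base words plus a few mangling rules.

Added example; not part of the original post or any of the tools it lists.
The base words, company terms and years below are constructed sample input.
"""
import itertools

# Constructed sample input: what a profiler such as CeWL might have scraped,
# plus hand-added company terms (hypothetical names).
BASE_WORDS = ["password", "welcome", "acme", "summer"]
COMPANY_TERMS = ["acmecorp", "widget"]
YEARS = ["2007", "2008"]
SUFFIXES = ["!", "1", "123"]

# Full leet substitution table (lowercase only, so UPPER forms are unchanged).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def case_variants(word):
    """lower, Capitalised and UPPER forms of a word."""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word):
    """The word itself plus its fully leet-substituted form.

    Partial substitution (every subset of positions) would blow the list up;
    full substitution is what the sed one-liner in the comments does.
    """
    return [word, word.translate(LEET)]


def mangle(words, years=YEARS, suffixes=SUFFIXES):
    """Yield candidate passwords in a deterministic, rule-by-rule order."""
    for word in words:
        for base in case_variants(word):
            for cand in leet_variants(base):
                yield cand                       # bare word
                for tail in itertools.chain(years, suffixes):
                    yield cand + tail            # word + year / suffix
                for year in years:
                    yield year + cand            # year + word


def build_wordlist(*sources):
    """Merge several sources, mangle them and de-duplicate preserving order."""
    seen = set()
    out = []
    for cand in mangle(itertools.chain.from_iterable(sources)):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    wordlist = build_wordlist(BASE_WORDS, COMPANY_TERMS)
    print(len(wordlist), "candidates")
    print("\n".join(wordlist[:12]))
```

Feed the output of `build_wordlist` to John or aircrack-ng as a plain text list; the rule set is deliberately small, and adding a rule multiplies the list size, which is the same trade-off RSMangler and John's rule engine make.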

Password List Download Best Word Lists

Although old, one of the most complete word list sets is here (easily downloadable by FTP too):

Oxford Uni Wordlists

This includes a whole bunch of language specific resources too (Afrikaans, American, Aussie, Chinese, Croatian, Czech, Danish, French, German, Hindi, Japanese, Polish, Russian, Spanish and more).

Another famous password list, over 2GB uncompressed, is Argon v2:

The Argon Wordlists

Here we have 50,000 words, common login/passwords and African words (this used to be a great resource):

Totse Word Lists

One of the most famous lists is still from Openwall (the home of John the Ripper) and now costs money for the full version:

Openwall Wordlists Collection

Some good lists here organized by topic including surnames, family names, given names, jargon, hostnames, movie characters etc.

Outpost9 Word lists

Packetstorm has some good topic-based lists including sciences, religion, music, movies and common lists.

Packetstorm word lists

French, Spanish & Language Specific Word Lists

There’s a good French word list here, with and without accents; it also has some other languages, including names:


Spanish password list that has 172122 words:


Russian wordlist that has 296790 words:


Swedish password wordlist that contains 24292 words:


Tools for Password List Brute Forcing

You can also check out some default password lists and if you aren’t sure what tools to use I suggest checking out:

Enjoy! And as always if you have any good resources or tools to add – do mention them in the comments.


35 Responses to Password List Download Best Word List – Most Common Passwords

  1. eM3rC February 14, 2008 at 8:06 am #

    Wow awesome post!

    I could have really used this a couple of weeks ago. Thanks Darknet!

  2. madmax February 14, 2008 at 10:49 am #


  3. Chaosvein February 14, 2008 at 4:07 pm #

    Sad there was no mention of Brutus even though it is old school.

  4. agent0x0 February 14, 2008 at 6:47 pm #

    Nice article. The Openwall “full version” CD is primo…highly recommended!

  5. James C February 14, 2008 at 9:32 pm #

    I hate brute forcin’, it’s way too slow.

  6. hal February 15, 2008 at 2:05 am #

    Funny, I just spent a few hours putting together a dictionary for John the Ripper. Gave me a reason to dust off my crappy perl skills to merge, sort, and de-dupe the file.

  7. Pantagruel February 15, 2008 at 2:12 am #

    Thanks for the great compilation of wordlists. I guess most of the really interested folks have compiled their lists over the past few years. But it’s never bad to do a diff against these well established ones.

  8. eM3rC February 15, 2008 at 5:54 am #


    I’ll check that out. Thanks for the recommendation.
    Ophcrack is also a good linux distro for password cracking.

  9. zupakomputer February 15, 2008 at 7:19 pm #

    I’m always surprised anything really requiring a password would allow more than a reasonable amount of login attempts.

    Of course, that they’d likely set up automated password resets or reminders should the account be locked out in that way, is probably just making another route open to be exploited to gain entry. Guess where else they store password files! Plus it’ll use javascript when it’s not even needed. I’ve gotten fond recently of running javascript-intensive sites through the W3C verifier when they don’t display right on my browser, then sending them e-mails saying do they know their site / page contains 700+ errors in code – that’s a real figure btw, for a site with loads of network security articles…(not this site, in case anyone thinks that’s some sort of dig, it was techrepublic).

  10. Tom February 16, 2008 at 12:29 am #

    Great article.
    OPHCrack is a nice tool for NT passwords

  11. eM3rC February 16, 2008 at 3:40 am #

    It seems that a lot of the java heavy sites are quickly scripted and usually have a lot of ways in.

    Poor programming? Maybe. Improper knowledge of computer security when programmed? Most likely.

  12. zupakomputer February 17, 2008 at 6:54 pm #

    A lot of webdesign is taught via using apps like say Dreamweaver or Frontpage (or whatever ones have javascript insert selection buttons, I haven’t used any new editions for ages), the coding isn’t always taught.

    Even a simple text-and-some-images (no js) page done in a Frontpage I have here generates a huge amount of code when you look at the code view; so say if it were replaced via ftp there’s a ton of places to hide or just shove some extra lines in.
    Of course if that’s noticed then the page would likely be re-replaced again with the intended original, but the point is they probably wouldn’t know how it was altered even if the code was read over.

  13. eM3rC February 17, 2008 at 10:46 pm #

    When looking at web design or any other cookie cutter programming pieces of software there will always be gaps and glitches. Computers are not perfect and never will be.

    For people using something like Dreamweaver or Frontpage it seems like the best thing to do if you’re in a hurry (or just don’t want to hand write the entire website by hand) is to use the program, distribute the code, then go back and hand correct any errors or cut down on the code so it’s efficient and more secure, then update the site. Although it’s iffy as to when you should do this. It would seem to be ok for jobs that need the site fast but also want it to be safe.

  14. zer0x February 19, 2008 at 2:16 pm #

    If you need a basic dictionary quickly on a linux system don’t forget about the ispell dictionary files usually found under /usr/share/dict.

    There are currently 25 languages available from the ubuntu repositories :D

  15. zer0x February 19, 2008 at 2:54 pm #

    @hal – If you don’t have perl etc. available you can pretty much guarantee the following will work on most *nix systems for a quick merge-sort-remove duplicates:

    cat *.wordlist | sort | uniq > wordlist.all

    Whilst I’m here.. quick l337 speak filter anyone?

    cat plain.wordlist | sed -e 's/a/4/g' -e 's/e/3/g' -e 's/i/1/g' -e 's/o/0/g' -e 's/s/5/g' -e 's/t/7/g' > l337.wordlist


  16. whap April 30, 2008 at 3:41 am #

    zerox, I love the filter! that really was a good idea.

  17. Got_WEP? July 11, 2008 at 8:58 pm #

    Ok, I have a question. I have been looking everywhere and I can’t find a bruteforce list dictionary anywhere! I found a program that will write one (kind of): but it takes freakin’ forever, like 3 wps! It would take years to make a proper dict with say 16 chars, and it only writes how many chars you specify. I need one that will write all possibilities from 1 char to like 16, all possibilities based on a charset, and will write at like 100,000 a sec to make it worth the while. Does anyone know or have any idea where to get such a program? Or is there a list already created like this? I know it would have to be HUGE! It wouldn’t have to be up to 16 chars in length, I would settle for like 10. Thanks!

  18. haliborange July 12, 2008 at 1:04 pm #

    You won’t get anything worthwhile anyway from anyone that uses known words as their password. For that other thing, try writing a bash script that uses each character (for however x amount of characters the password is) in combination with all other characters; it’s just maths. That part isn’t the hard bit – the hard bit is getting that to run over a remote connection, as well as actually sending each combo as a login try. You’d have to wrap them up in disguised spoofed packets, from behind a fortress connection, or you get caught and then you die. You Die! You go cracker hell!

  19. razta July 13, 2008 at 5:18 pm #

    “You wont get anything worthwhile anyway from anyone that uses known words as their password.”

    There are old machines on lots of networks that have been forgotten about and have weak passwords, these machines can be very useful to a hacker.

    A weak paypal account password is worthwhile to almost any one with bad intentions.

    Just because someone uses a weak password doesn’t mean breaking it isn’t worthwhile.

  20. Baba ORLY July 14, 2008 at 2:59 am #

    I wouldn’t count stealing a paypal users password as worthwhile! Are you going to check first to see if they’re really rich and can afford to lose a few quid? I meant worthwhile in the sense of ‘should you do that or not’ cause bad karma is definitely NOT worthwhile.

    Fair enough though about going into other boxes, but it’s still about intent of why you would do that; ‘hacker’ and ‘cracker’ used to be distinct terms and hacker never meant being an online bagsnatcher. Besides for online password cracking you would need to be capturing their login$ beforehand somehow, and that would mean listening in on paypals authentication servers in the above case. You wouldn’t just be able to keep logging in over and over again with each generated password, it’d be noticed someplace secure like paypal.

    Hell! You go crackerhell!

  21. Got_WEP? July 14, 2008 at 12:41 pm #

    Well, let me get down to the reason I would like such a file. I am currently looking at WPA wireless hacking, and the only thing I need is a 4-way handshake, and I can work on cracking my way in offline. I have the handshake (very easy to attain), but I think that a much more permanent solution to trying random words would be to use EVERY combination. And I already have a method that will try up to 200,000 possibilities a second. So once you’re in the network, you can just sit back and watch traffic go by and get all that juicy info you want. But that’s not what I want, I’m not that evil. And also, about making a bash script, I don’t know the first thing about making one but if you would like to throw one out there that would get the job done that would be awesome. ;)

    And oh yeah, I need the possibilities of 6 chars. and up, because WPA passkeys have to be a minimum of 6 chars. I don’t even know how many possibilities that is, say for all lower case, uppercase, and 0-9. I used to know the formula to figure that out but it’s been a long time and I have forgotten. It might not even be a feasible option after getting so far up in character length, like 10 characters, I don’t know.

  22. boris not-the-webmaster July 14, 2008 at 6:23 pm #

    I too forgot how to calculate that, and if I remember correctly from the info I then got – add up all the characters in use, and multiply that number by itself (for a 2-character key; for a third character you use each of the previously generated combos alongside each character again, and so on). But I’m not confident that is correct (that the rule is to merely multiply it – it looks more like you do that first then for each additional character you add on the amount of characters in use), and being maths it’s impossible to look it up unless you’ve studied a lot of maths and know what the terms are for the operations and functions you want to do.
    (exactly like network security and computers in general then – you know what you want to look for, but what have they named it?)

    Anyways…..isn’t there a WPA cracker built in to one of the well-known wireless apps? I thought aircrack or wireshark did that; maybe not then. I haven’t gotten into that much because I ain’t got anything portable like a laptop.

    [ eg for a 20 character set – 1st column = 20 (different characters); 2nd column 1st row = 20; 2nd column 2nd row = 20; 2nd column 3rd row = 20 ……… down to 2nd column 20th row = 20; then the third column is the same as the second column and so on – the amount of columns representing the length of the password – if it’s outputted that way then you have a wordlist of all combos,
    so it’s 20 and add 20 twenty times if the password was only 2 characters from a character set of 20.
    I’m rubbish at getting rules for these kinds of things, I never really did any maths, I can just see how it would be coded to run – as far as running it being feasible, that just depends on your hardware. But nooo, I don’t have a pre-written script. I don’t think it’d be that difficult to write though. ]

  23. Got_WEP? July 14, 2008 at 6:42 pm #

    Aircrack is exactly what I am using, but it requires you to provide your own dictionary in a .txt or .pwl, that’s why I am going this route. I think that the formula has to do with the factorial if I remember correctly, as how many combinations of 6 characters there are would be 6! (6 factorial) or 6x5x4x3x2x1. But that is if each column has only one character. ie how many combinations of 123456 are there like 234516 and so on. Now how to incorporate that where each place has multiple possibilities, that is the formula I forgot. I think I have some old algebra 2 books around somewhere, I will just have to dig them up and figure all this out so I know if I’m wasting my time or not.

  24. razta July 14, 2008 at 6:59 pm #

    @Baba ORLY/haliborange/anyotheraliasyouwishtobeknownas

    You have completely missed my point. As for bad karma, if there was such a thing I would definitely be burning in hell fire right now.

    “Besides for online password cracking you would need to be capturing their login$ beforehand somehow, and that would mean listening in on paypals authentication servers in the above case. You wouldn

  25. what goes around comes around July 15, 2008 at 12:07 pm #

    Right sure – there’s no soul audit after you die. You keep banking on that one since you know all about why this reality even exists. Maybe if we crack your hdd encryption it’ll have the Unified Field Theory: Proof on it in its final form. Cause every human culture on the planet, except for one that began very recently, are all wrong about what existence actually is, and it’s your proofless model that sometimes claims to be ‘rationalist’ that is correct, because as we all know so many people have returned from the dead to explain that there’s no need at all to behave properly or to be in any way responsible.
    Besides you probably are in hell anyway and you haven’t noticed that yet. You are aware of the kind of timescales and factors you are using there to arrive at the conclusion that there’s no such thing as cause-and-effect in the physical reality of thoughts, emotions, and actions?
    What do you think you can do to avoid cause-and-effect: build a time-machine and keep skipping about in time to try to avoid the ripples in this finite pond from converging upon you? Forever?

    You’re the one that clearly hasn’t got a clue what you’re gibbering on about, if you think you can keep on logging in to a place like paypal in realtime, over and over again trying different passwords until you get the right one. Do you realise how many back-and-forths they do per each submitted password? And how obvious it is in terms of timings if you are submitting many logins in an automated way?

    How exactly do you intend to get the password a user types in unless you are capturing the data they are sending to be logged in as? Other methods of getting passwords are OTHER METHODS and don’t require being bruted online at any point.

    Got_WEP: Such a script would work in perl also, if you know that.

    I reckon it already exists someplace, it’s kind of like a skeleton key that is hardware dependent – for any given character-set and password length it can generate all possibilities.

    So you can either have prepared files of character sets or enter the used characters in manually, and the process would build up tables that are then used as the wordlists (which you input into the cracker apps / exes / etc).
    So if it’s A-Z a-z 0-9 (length=2) then you need to tell it to do a column for each of those, and then alongside each you tell it to put all the other characters. eg 61 instances of A paired with every other used character, 61 instances of B paired with every other used character, and so on.
    Then you’ve generated all combos when the length=2, so to add in for length=3 it’s the same process: you just add to the end of each 2-length column the third character (and again you need to insert all possible characters in that third column – per each of the 2-length column combos).
    So that would build up a list of every possible combo, for the given character set.

    The other part, is separate, the part where you want to be able to use the wordlist in. Where you can ignore certain strings and have it only run through combos that have a particular character in a particular place, and all that.

    I wonder how long the likes of the Roadrunner would take to generate all combos of an a-zA-Z0-9 up to say 256 length password…….I suppose it depends on what it’s coded in and how the hw is doing those calculations. Must be fast though, even on mismatched hw-languages.

  26. Darknet July 15, 2008 at 4:25 pm #

    You guys need to learn yourself something about Rainbow Tables and Rainbow Cracking..

  27. dat b true July 17, 2008 at 10:33 am #

    “You guys need to learn yourself”

    Oh no! It’s my Scottish English teacher!

  28. dat b true July 17, 2008 at 10:42 am #

    So that’s what you were talking about here with all that rainbow tables stuff, I thought those were about IP configs (ie – having tables of ranges to be scanned and IPs you use for various testing scenarios). As usual, something I’ve thought right through has a weird inappropriate name and is known as something else entirely.

    What dee hell is a ‘salted hash’? I’m guessing it doesn’t come with NaCl sprinkled on it.

  29. razta July 17, 2008 at 10:35 pm #

    @dat b true
    To my understanding a salted hash is an encrypted hashed password which has been encrypted with a salt.

    Salt = Encryption key
    Hash = Encrypted text

    The salt can be changed every time the hash is queried and is irreversible.

    That’s my understanding, I may be way off line.

  30. ovni July 18, 2008 at 12:37 pm #

    Double encryption then? it sounds like.


    I know a lot of encryption systems say they are irreversible, I’m not so sure that’s true (ie: actually possible, although they are ‘practically’ irreversible). Is it really feasible to do anything to a number that cannot be done in reverse……maybe what they mean is that when an encrypt is being done based upon previously obtained values, and then also has some kind of randomisation of data thrown in, it’s harder to break because even if you know what the encryption standard in use is – you’re having to backwards calculate a value to fit whatever round of the encryption standard deals with that phase, hence there could be many possibilities and you then have to backwards calculate each of those also.

    (there’s a certain cartoony funny quality to all this though, given that if you have an all-possibilities wordlist and an appropriate bruter (and the hw) then the ‘game’ is up, and everyone has to rely on constantly changing morphing encrypts. At least, that’s how it looks to me anyway when I’m reading through the great lengths and amount of phases that go into generating what turns out to be the usual – a keyword that unlocks the encrypted data or communication.)

    “And by the way, ah hates the rabbit!”

  31. Got_WEP? July 24, 2008 at 8:30 pm #

    Ok, time to update my earlier postings regarding finding or creating a brute force word list, and let you all know what I figured out on the subject.

    So it turns out that I came across my answer while studying to take CompTIA’s security plus exam. According to the security + book, the answer is based on exponential factors. I will quote the passage:

    “Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern. If you use only the lower case letters of the alphabet, you have 26 characters with which to work. If you add the numeric values 0 through 9, you’ll get another 10 characters. If you go one step further and add the uppercase letters, you’ll then have an additional 26 characters, giving you a total of 62 characters with which to construct a password.

    If you use a four-character password, this would be 62x62x62x62, or approximately 14 million password possibilities. If you use five characters in your password, this would give you 62 to the fifth power, or approximately 92 million password possibilities. If you used a 10-character password, this would give you 64 to the tenth power, or 8.3 x 10^6 (a very big number) possibilities. As you can see, these numbers increase exponentially with each position added to the password. The four-digit password could probably be broken in a day, while the 10-digit password would take a millennium to break given current processing power.
    If your password used only the 26 lowercase letters from the alphabet, the four-digit password would have 26 to the fourth power, or 456,000 password combinations. A five-character password would have 26 to the fifth power, or 11 million, and a 10-character password would have 26 to the tenth power, or 1.4 x 10^15. This is still a big number, but it would take only half a millennium to break it.”

    So in my situation if I were to create a brute force word list that only covered the MINIMUM number of characters required in a WPA key, the possibilities would be 62^6, or 56,800,235,584 words in my word list. And that does not include nonalphabetic characters such as #,$, and %.
    Oh well, I guess I will just stick with really large random password lists.
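Added example, not part of the post or of any comment in this thread: a Python snippet that generates the exhaustive candidate set asked about above as a stream rather than a file (the approach tools like Crunch take), and puts numbers on the keyspace arithmetic in the comment just above, using the 62-character alphanumeric set and the 200,000 guesses per second rate mentioned earlier in the thread. The target string in the demo is constructed.

```python
"""Exhaustive (brute-force) candidate generation and keyspace arithmetic.

Added example, not from the original post or the comment thread; it puts
figures on the 62-character set and the 200,000 guesses/s rate discussed
in the comments.
"""
import itertools
import string

# a-z, A-Z, 0-9: the 62-symbol set used in the thread's calculations.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits


def keyspace(charset_size, min_len, max_len):
    """Number of candidates of length min_len..max_len over charset_size symbols.

    Each position is independent, so a length-n candidate set has
    charset_size ** n members; sum that over the length range.
    """
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, min_len, max_len, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, min_len, max_len) / rate


def candidates(charset, min_len, max_len):
    """Stream every combination, shortest first, without writing a list to disk.

    itertools.product is the Cartesian product: this IS the wordlist the
    comment asked for, produced on demand instead of stored.
    """
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(target, charset, min_len, max_len):
    """Brute-force a known plaintext; returns (candidate, guesses) or (None, guesses).

    A real cracker would compare hashes of each candidate instead of the
    string itself; the search order and cost are the same.
    """
    for guesses, cand in enumerate(candidates(charset, min_len, max_len), 1):
        if cand == target:
            return cand, guesses
    return None, keyspace(len(charset), min_len, max_len)


if __name__ == "__main__":
    rate = 200_000  # guesses per second, as quoted in the thread
    six = keyspace(62, 6, 6)
    print(f"62^6 = {six:,} candidates")
    print(f"  worst case {seconds_to_exhaust(62, 6, 6, rate) / 86400:.1f} days at {rate:,}/s")
    ten = keyspace(62, 10, 10)
    print(f"62^10 = {ten:,} candidates")
    print(f"  worst case {seconds_to_exhaust(62, 10, 10, rate) / (86400 * 365):,.0f} years")
    print(crack("zz9", ALNUM, 1, 3))  # constructed target, found quickly
```

The six-character alphanumeric space takes a bit over three days at that rate; the ten-character space is on the order of 10^11 years, which is why the thread drifts to rainbow tables and implementation flaws rather than pure enumeration.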

  32. razta July 24, 2008 at 11:40 pm #

    You could do it without a list. Just have the software try every possible combination, starting with the most common/easy first. This is the way JTR works.

  33. Darknet July 25, 2008 at 5:58 am #

    Breaking WEP is done by leveraging a weakness in the crypto implementation, this is how most cracking works.

    Using pure simple brute force isn’t practical.

    Like Rainbow crack for ‘reversing’ hashes, it only works if they are unsalted.

    And Windows hashes can be cracked so quickly due to a flaw in the way they are stored.
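Added example (not code from the post or from any commenter) illustrating the salted-hash question raised a few comments up and the point just above that table-based “reversal” only works on unsalted hashes. SHA-256 via hashlib stands in for whatever hash a real system uses, the precomputed dictionary stands in for a rainbow table (which is a compressed form of the same idea), and the wordlist and passwords are constructed.

```python
"""Why a precomputed table breaks unsalted hashes but not salted ones.

Added example, not part of the post or the comment thread. hashlib SHA-256
is a stand-in for the real system's hash; wordlist and passwords are
constructed sample data.
"""
import hashlib
import os

# Constructed sample wordlist the attacker precomputes from.
WORDLIST = ["password", "letmein", "summer2008", "acme123"]


def unsalted(pw):
    """Hash of the password alone: the same input always gives the same digest."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt):
    """Hash of random per-user salt bytes plus the password.

    The salt is not secret; it is stored next to the digest. It is not an
    encryption key either: nothing here is reversible.
    """
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_table(wordlist):
    """Precompute digest -> plaintext once; reuse against every stolen hash."""
    return {unsalted(w): w for w in wordlist}


def lookup(table, digest):
    """O(1) recovery if the digest was precomputed."""
    return table.get(digest)


def crack_salted(wordlist, salt, digest):
    """With a salt the table is useless: the whole dictionary must be re-hashed
    with this user's salt, once per user, which is the cost salting imposes."""
    for w in wordlist:
        if salted(w, salt) == digest:
            return w
    return None


def two_users_same_password(pw):
    """Unsalted: identical digests reveal shared passwords. Salted: they differ."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return unsalted(pw) == unsalted(pw), salted(pw, s1) == salted(pw, s2)


def demo():
    """Returns (table hit on unsalted, table hit on salted, per-salt dictionary run)."""
    table = build_table(WORDLIST)
    stored_unsalted = unsalted("letmein")
    salt = os.urandom(16)
    stored_salted = salted("letmein", salt)
    return (
        lookup(table, stored_unsalted),            # 'letmein': instant
        lookup(table, stored_salted),              # None: table never saw this salt
        crack_salted(WORDLIST, salt, stored_salted),  # 'letmein': but only after re-hashing
    )


if __name__ == "__main__":
    print(demo())
    print(two_users_same_password("password"))
```

The table attack is exactly what the Windows LM/NT hashes of that era allowed, since they carry no salt; a salt forces the attacker back to one dictionary run per hash, which is where wordlist quality matters again.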

  34. zupakomputer July 25, 2008 at 3:15 pm #

    D’you mean that because the encryption method is known, and the character set in use is known, that the password hashes having been acquired (because where those are stored – is also known) coupled with some background info on who the passwords belong to (eg – their username), makes it easier to ‘guess’ a range of potentials?
    That sounds like a lot of on-site recce though. Either that or you’d have to have gotten into the system anyway, to be able to get the password hashes! So while you’re in there, you could have easily made an admin account (and then some) – so then you don’t need anyone’s passwords…

    (I get that there are those easily-guessable words that are likely to be used, and during any security testing you’d obviously have to emulate what any attacker would bruteforce with; then it’s a case of ‘well we found 20 people using these insecure passwords, so you’ll have to have those changed and inform them not to use such things’)

    I still think that the actual generation of all possible combos is possible realistically with some more recent hardware (eg – a couple of overclocked CPUs and say 3 GPUs in SLi), but again those combos still have to be entered-in – offline that’s fairly easy, as automatic login scripts exist even if you don’t know what to write them in yourself, but online in realtime it’s obviously much more difficult to pull off. But given an anonymous high-bandwidth link to the machine the access is wanted to, it’s still in the realms of possibility, and getting more possible day by day. Even a botnet could be busy processing away for that purpose.

  35. zupakomputer July 25, 2008 at 3:23 pm #

    re: the first paragraph I wrote just there – fair enough, maybe some people want a password for an account so they can use that account as un-noticed as possible, and they wouldn’t want to make an admin or root account to do things with. But I still don’t see how that process would be any less noticable than an extra account – unless they aren’t going to do anything using the cracked account. Cause as soon as they do anything shady – it’s likely to show up, then they are locked out again anyway when the admins realise someone’s legit account is compromised.

    Anything stealthy where you wouldn’t want what you’re doing to show up, hence the preference to have access to existing accounts; again – you don’t need to go to all that bother to install a rootkit or similar (the bother of having to get the hashes to begin with, etc, which means that you must have been in the system already).