Modern high quality password dictionary
Has anyone come across any good password dictionary lately? Some of the lists I found dated back to 90's! Some of them are so big in size that I am not sure of their quality.. There appears to be some work by someone for a paid list though at http://dazzlepod.com/uniqpass/ but I am looking for something hopefully free! Does anyone know of any high quality password dictionary? Thanks in Advance!
As the old adage says, "it's not the size of your word list that matters, it's how you use it." And which you use. I will provide you with some tips. For password lists and non-password word lists relevant to my suggestions, see the password dictionary SkullSecurity, KoreLogic, and Openwall. The leaks mentioned are all from SkullSecurity. Or you can hunt down leaks and use them as a basis, over time developing good lists. See the twitter feeds of pastebinleaks and keep an eye on the news and hunt down leaks that are announced, especially when in plaintext. Even if some of the leaks are pure hashes and you need to crack them, it will still give you an idea of what is being used in the wild and help you assess the value of your password lists. On to the advice.
- Chose a word list relevant to your target's user base
- Password leaks similar to your target (e.g. Faithwriters, Hak5, Ultimate Strip Club List)
- Relevant topics (Sport teams and terminology, slang, city/town names)
- Relevant languages (e.g. Älypää leak, foreign dictionaries, foreign Wikipedia)
- Generate your own!
- Crawl target's website
- Strip and then use mangling rules on passwords already cracked
- Look for trends in passwords already cracked and find a source (or generate one) that is categorically similar
- Mangle generic lists
- Look at JtR's default mangling rules and KoreLogic's published ones for inspiration
- Name lists. first initial last name, first name last initial, first name, last name
- Write mangling rules that fit patterns you see in passwords already cracked
- Lists of random ordinary stuff (e.g. phone numbers)
- Don't use lists at all
- Markov chains (see JtR Jumbo)
- JtR default incremental modes
- Other probability stuff
- Go through all digit combinations between 1 digit and as high as you can handle
- Use Rainbow tables if unsalted passwords are in use
- Be lazy and use generalized leaks like RockYou
- Think about password policy
- EXCLUDE GUESSES OUTSIDE PASSWORD POLICY
- Learn what the password policy is through analysis on cracked passwords
- Realize patterns may just be your imagination or created by your tactics
- Think about what keyspaces and tactics you haven't tried
- In summary:
- Password lists aren't everything
- Learn to write good mangling rules
- Analyze what you've cracked
- Use scripting to generate common patterns on-the-fly
- Create your own word lists
- Chose relevant lists
What’s a password Dictionary?
A password dictionary is a file that contains a list of potential passwords. These lists are often referred to as dictionaries because they contain thousands or even millions of individual words. People often use plain English words or some small variation like a 1 for an i or a 5 for an s when they create passwords. Password lists attempt to collect as many of these words as possible. There are plenty of small word lists that can be downloaded from the Internet and serve as a good starting point for building your own personal password dictionary.