What is a modern high quality password dictionary?
Is there any good password dictionary that I can access? Some of the lists I found dated back to the 90's! Some are simply too big that I doubt their quality. There appears to be some work by someone for a paid list though at http://dazzlepod.com/uniqpass/ but I am looking for something hopefully free!
As the old adage says, "it's not the size of your word list that matters, it's how you use it." And which you use. I will provide you with some tips.
For password dictionary lists and non-password word lists relevant to my suggestions, see SkullSecurity, KoreLogic, and Openwall. The leaks mentioned are all from SkullSecurity. Or you can hunt down leaks and use them as a basis, over time developing good lists. See the twitter feeds of pastebin leaks and keep an eye on the news and hunt down leaks that are announced, especially when in plaintext. Even if some of the leaks are pure hashes and you need to crack them, it will still give you an idea of what is being used in the wild and help you assess the value of your password lists.
On to the advice.
Chose a word list relevant to your target's user base
Password leaks similar to your target (e.g. Faithwriters, Hak5, Ultimate Strip Club List)
Relevant topics (Sport teams and terminology, slang, city/town names)
Relevant languages (e.g. Älypää leak, foreign dictionaries, foreign Wikipedia)
Generate your own!
Crawl target's website
Strip and then use mangling rules on passwords already cracked
Look for trends in passwords already cracked and find a source (or generate one) that is categorically similar
Mangle generic lists
Look at JtR's default mangling rules and KoreLogic's published ones for inspiration
Name lists. first initial last name, first name last initial, first name, last name
Write mangling rules that fit patterns you see in passwords already cracked
Lists of random ordinary stuff (e.g. phone numbers)
Don't use lists at all
Markov chains (see JtR Jumbo)
JtR default incremental modes
Other probability stuff
Go through all digit combinations between 1 digit and as high as you can handle
Use Rainbow tables if unsalted passwords are in use
Be lazy and use generalized leaks like RockYou
Think about password policy
EXCLUDE GUESSES OUTSIDE PASSWORD POLICY
Learn what the password policy is through analysis on cracked passwords
Realize patterns may just be your imagination or created by your tactics
Think about what keyspaces and tactics you haven't tried
In summary:
Password lists aren't everything
Learn to write good mangling rules
Analyze what you've cracked
Use scripting to generate common patterns on-the-fly
Create your own word lists
Chose relevant lists