More password dictionaries

Last month, I posted about some password dictionaries I've collected. Well, thanks to a hacker who compromised PHPBB's site, I added another. There's a big caveat to this one, though -- these passwords are apparently based on the ones the hacker managed to crack, so they only represent the weak end of the distribution: anything strong enough to survive the cracking run is missing from the list entirely.

That being said, weak passwords are what most pen-testers are targeting, so the list can still be useful.

Feel free to take a look at the list, with and without associated counts. I'm not going to post the list with the usernames intact, because that doesn't do any good for my purposes.

For fun, I did a grep of the password list for some common passwords. Have a look:

$ cat phpbb-counts.txt | grep -i password
    609 password
     11 password1
      9 PASSWORD
      7 Password
      6 mypassword
      6 1password
      4 nopassword
      2 thisismypassword
      2 random password
      2 passwords
      2 password2
      2 password123
      2 newpassword
      1 thepassword
      1 password\n
      1 password88
      1 password7
      1 password42
      1 password3
      1 password1234
      1 password11
      1 Password1
      1 password01
      1 PassWord
      1 password@
      1 password_
      1 forumpassword
      1 1Password!
      1 123password

Over 600 people used 'password' for their passwords, and 11 used 'password1'. So roughly 55x as many people don't even *try* to make themselves secure. 6 people used '1password', and nearly everybody who used a 'password' variation simply added something to the beginning or the end of the word. Additionally, everybody who played with case used either 1, 2, or all capitals, which supports my theory nicely.
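To make that kind of tally repeatable over a whole counts file instead of eyeballing one grep, here is an added example (my code, not part of the original post or the phpBB list): a short Python script that parses `sort | uniq -c` style output, finds every entry containing a base word, and classifies each hit by where the extra characters went (prefix, suffix, both, none) and how many letters of the base word were capitalised. The sample input is constructed from the counts shown above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in `uniq -c` format ("<count> <password>"), taken from
# the grep output shown in the post. Counts are numbers of users, so every
# total below is weighted by users rather than by distinct strings.
SAMPLE_COUNTS = """\
    609 password
     11 password1
      9 PASSWORD
      7 Password
      6 mypassword
      6 1password
      4 nopassword
      2 thisismypassword
      2 random password
      2 passwords
      2 password2
      2 password123
      2 newpassword
      1 thepassword
      1 password88
      1 Password1
      1 PassWord
      1 password@
      1 1Password!
      1 123password
"""


def parse_counts(text):
    """Parse `uniq -c` style lines into a Counter of password -> count.

    The password is everything after the single space that follows the
    count, so entries containing spaces ("random password") are preserved.
    Lines that do not start with a count are skipped.
    """
    counts = Counter()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s(.*)$", line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts


def classify_variant(candidate, base):
    """Describe how `candidate` varies `base` (matched case-insensitively).

    Returns (placement, capitals): placement is "none", "prefix", "suffix"
    or "both" depending on where extra characters were added around the
    base word; capitals is the number of upper-case letters inside the
    matched base word. Returns None when `base` does not occur at all.
    """
    idx = candidate.lower().find(base.lower())
    if idx < 0:
        return None
    before = candidate[:idx]
    after = candidate[idx + len(base):]
    core = candidate[idx:idx + len(base)]
    if before and after:
        placement = "both"
    elif before:
        placement = "prefix"
    elif after:
        placement = "suffix"
    else:
        placement = "none"
    return placement, sum(1 for c in core if c.isupper())


def variant_report(counts, base):
    """Aggregate, weighted by user count, how `base` was varied in the list.

    Returns (report, capitals): report maps "exact" / "case_only" /
    "prefix" / "suffix" / "both" to user counts; capitals maps the number
    of capital letters used to the number of users who used that many.
    """
    report = Counter()
    capitals = Counter()
    for pw, n in counts.items():
        cls = classify_variant(pw, base)
        if cls is None:
            continue
        placement, caps = cls
        if placement == "none":
            report["exact" if caps == 0 else "case_only"] += n
        else:
            report[placement] += n
        if caps:
            capitals[caps] += n
    return report, capitals


def weak_ratio(counts, base, variant):
    """How many users chose the bare base word per user who chose `variant`."""
    return counts[base] / counts[variant]


if __name__ == "__main__":
    counts = parse_counts(SAMPLE_COUNTS)
    report, capitals = variant_report(counts, "password")
    for key in ("exact", "case_only", "prefix", "suffix", "both"):
        print(f"{key:>10}: {report[key]}")
    print("capital letters used:", dict(capitals))
    print("password : password1 = %.1f : 1" % weak_ratio(counts, "password", "password1"))
```

Point it at a real `phpbb-counts.txt` by replacing `SAMPLE_COUNTS` with the file contents; the base word can be anything you want to hunt for ("letmein", the site name, and so on). Note that, like `grep -i password`, a substring match also picks up unrelated words that happen to contain the base, so check the "prefix" and "both" buckets by hand before drawing conclusions from them.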

2 thoughts on “More password dictionaries”

  1. Andrew

    Real world password lists are always fun to take a look at. I read an interesting analysis of the phpbb cracked passwords over at http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html

    Some interesting statistics there as long as you keep in mind, as you said, that these are only the passwords which were cracked. It's too bad the hashes weren't published to wikileaks or something similar so we could crack them all and analyze the whole set. Next time maybe.

    One of my friends had her WoW account hacked a couple weeks ago and we've been waiting for the blizzard RSA keys to get in stock so we can order some for ourselves. I've always wanted one and now I have something of an excuse to get one :) http://www.blizzard.com/store/details.xml?id=1100000222 there's an image there of the device. Doesn't that look a lot nicer than the standard issue ones?

  2. Ron (Post author)

    The full compromised file is available, if you know where to look *coughpiratebaycough*. Fyodor talked about cracking the full thing, but wants to wait a while to give people a chance to change their passwords.

    I don't suppose you want to download md5 rainbow tables? :)
