Last month, I posted about some password dictionaries I've collected. Well, thanks to a hacker who compromised PHPBB's site, I added another. There's a big caveat to this one, though -- these passwords are apparently based on ones that were cracked by the hacker, so they're only an accurate representation of weak passwords.
That being said, weak passwords are what most pen-testers are targeting, so it can be useful.
For fun, I did a grep of the password list for some common passwords. Have a look:
$ cat phpbb-counts.txt | grep -i password 609 password 11 password1 9 PASSWORD 7 Password 6 mypassword 6 1password 4 nopassword 2 thisismypassword 2 random password 2 passwords 2 password2 2 password123 2 newpassword 1 thepassword 1 password\n 1 password88 1 password7 1 password42 1 password3 1 password1234 1 password11 1 Password1 1 password01 1 PassWord 1 password@ 1 password_ 1 forumpassword 1 1Password! 1 123password
Over 600 people used 'password' for their passwords, and 11 used 'password1'. So 60x as many people don't even *try* to make themselves secure. 6 people used '1password', and nearly everybody who used a 'password' variation either added or removed something from the beginning or the end. Additionally, everybody who played with case used either 1, 2, or all capitals, which supports my theory nicely.