The ultimate faceoff between password lists

Yes, I'm still working on making the ultimate password list. And I don't mean the 16gb one I made by taking pretty much every word or word-looking string on the Internet when I was a kid; that was called ultimater dictionary. No; I mean one that is streamlined, sorted, and will make Nmap the bruteforce tool of the future!

First, a sidenote: JHaddix from Security Aegis posted a story mentioning my password lists and noted "I'd grab these lists if you don't already have them, who knows how long they will stay up." He makes a great point -- if I'm asked to remove these lists, I'll have no choice (for what it's worth, I don't see why I would; I cleared it with my ISP before hosting them). But, just in case, I wrapped everything up in a single tarball: skullsecurity-lists.tar.bz2. Weighing in at 132mb, it contains my whole collection of password lists. Feel free to grab it! If you want to pick and choose, as always, check out my password page.

So anyway, on the subject of generating awesome password lists, Brandon Enright from the Nmap team is trying to come up with an algorithm to rank the different words in the different lists. Meanwhile, I spent some time graphing potential password dictionaries' success against leaked password lists to see which one was best.

These are the dictionaries I used:

And I put them up against some of the best leaked password lists I've collected:

(Obviously, where there's overlap, I didn't count the password cracking its own list; it wouldn't really be fair to crack passwords using the list -- I did that in an earlier blog to measure coverage, though, if you want to check that out).

Because we want smaller lists, I used the top 1, 10, 50, 100, 200, 500, 1000, 2000, and 5000 passwords from each list, and measured how many of the original passwords it would crack. The best possible result, obviously, is to have points at {100,100}, {1000,1000}, etc. (dependent on the size of the target list). Naturally, that didn't happen anywhere, but it was close on a couple (the phpbb password list, for example, almost perfectly cracked -- more because is big than because phpbb is complete, but you get the picture).
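The measurement described above, sketched as an added example (not the code used for the post's graphs): every ranked dictionary is cut to its top N entries and scored against every target list except the one it was built from. The names `top_n`, `coverage` and `faceoff` and the sample data are assumptions made for illustration, and the per-account total goes beyond the post, which counts matched passwords only; that total is what shows how much a banned-password list of the same size would block.

```python
from collections import Counter

SIZES = (1, 10, 50, 100, 200, 500, 1000, 2000, 5000)  # cut-offs used in the post

def top_n(words, n):
    """First n distinct entries of a ranked dictionary, order preserved."""
    seen, out = set(), []
    for w in words:
        if w not in seen:
            seen.add(w)
            out.append(w)
            if len(out) == n:
                break
    return out  # shorter than n if the dictionary runs out

def coverage(dictionary, target_counts, n):
    """Return (distinct target passwords matched, accounts using them)."""
    guesses = top_n(dictionary, n)
    hits = [g for g in guesses if g in target_counts]
    return len(hits), sum(target_counts[g] for g in hits)

def faceoff(dictionaries, targets, sizes=SIZES):
    """Score every dictionary against every target except its own source."""
    results = {}
    for tname, tcounts in targets.items():
        for dname, words in dictionaries.items():
            if dname == tname:  # a list matching itself is not a fair test
                continue
            results[(dname, tname)] = [
                (n, *coverage(words, tcounts, n)) for n in sizes
            ]
    return results

# Constructed sample data, not taken from any real list.
# Dictionaries are ranked most-common-first; targets map password -> accounts.
DICTS = {
    "list_a": ["123456", "password", "qwerty", "dragon", "letmein"],
    "list_b": ["password", "123456", "monkey", "password", "abc123"],
}
TARGETS = {
    "list_a": Counter({"123456": 9, "password": 7, "qwerty": 3,
                       "dragon": 2, "letmein": 1}),
    "site_x": Counter({"password": 5, "monkey": 4, "123456": 2, "hunter2": 1}),
}

if __name__ == "__main__":
    for (d, t), rows in faceoff(DICTS, TARGETS, sizes=(1, 3, 5)).items():
        for n, distinct, accounts in rows:
            print(f"{d} vs {t}: top {n} -> {distinct} passwords, {accounts} accounts")
```

Plotting N against the first number for each dictionary gives one line per dictionary on a per-target graph, which is the layout the post describes.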

Enough talk, here are the results (note: each graph represents a target, and the lines represent the dictionaries):


I think the conclusions here are:

  • and phpbb are the best lists (props to Brandon for cracking the phpbb passwords!)
  • Conficker is a clear loser -- I wonder if Conficker would have done better if the authors spent more time generating its dictionary?
  • No dictionary is perfect -- no dictionary won in every match. That's why we need to rank words and make the perfect one!
  • 3 makes sexy graphs!

On the next episode of why you need robots.txt if you're hosting dictionaries, especially German ones.

17 thoughts on “The ultimate faceoff between password lists”

  1. Reply


    Great job there !
    Why don't you just make a torrent and distribute it more efficiently ?


    1. Reply

      Ron Post author

      @begood Thanks! I'm not really a huge fan of torrents, I'd rather distribute it myself. I *should* have plenty of upspeed, but my provider ( is currently screwing me on bandwidth and won't return my messages.

  2. Reply


    my password is blueberries! Is that on your list?

  3. Reply


    do you already have compiled THE ultimate pw-list?
    just took a mix of your rockyou/phpbb/john-list with a list of localized words (europea here), fired up hydra and had a very nice time.

    thanx for your inspirations

  4. Reply


    Hash cracker is a web-service that allows you to encrypt your passwords
    or crack your hashed passwords with MD5, SHA1 or NTLM algorithms.
    You can also encode or decode texts with Base64 system.

    Video tutorial:

    1. Reply

      Ron Bowes Post author

      So you're suggesting that people enter their passwords into your site? Sounds like a bad idea to me. :)

  5. Reply

    Damian Mal

    Thanks for this, however the download looks to be 404 now.

    1. Reply

      Ron Bowes Post author

      Sorry, it was starting to get too big for my server to handle. I might put together a .torrent for it, though. Stay tuned!

  6. Reply


    Excellent lists! Great resource - keep em coming.

  7. Reply


    Marisa, "blueberries" is in elitehacker.txt, english.txt, honeynet.txt, myspace.txt, and rockyou.txt.

    And Ron, thank you. If I ever meet you, I will buy you a drink.

  8. Reply

    Van Heerden

    While sorted randomly, this is coming up pretty good!

    If you are in it, pay 5 bucks and get the motherload

  9. Reply


    Hi. I was trying to access the links on your page related to password lists ( but the links aren't working. Is there somewhere else I can find this info?

    1. Reply

      Ron Bowes Post author

      Sandra - try

  10. Reply


    How to crack joomla & wordpress password ??

  11. Reply

    Andi Love Password Powered by

    I need a password sooo bad for this site...

    Andi Love Password Powered by phpBB -,1,105,0

    if you have any please email me at xxxadult56 [at]

  12. Reply

    New sorted & uniq dictionary list for hashcat && jtr available on Check it out and Enjoy!

  13. Reply

    Alex Davidson

    Anyone who needs to find passwords should just check out

    you can search for any passwords for free
