1.6 Billion Passwords in a Single List

Yet another big dictionary

Piotr
Piotr
Jan 26, 2019 · 1 min read

During security audits, I often need to crack some hashes. A dictionary attack is the fastest way to recover passwords but it is limited by the content of the dictionary.

I decided to build my own list of passwords that have already been used in the real world.

This work is based on:

  • dictionaries of various security tools,
  • passwords extracted from public data breaches,
  • passwords recovered from publicly available hashes.

You can download the complete dictionary here.

A small subset of that dictionary is also available. It is made 98% of the 10 million most used passwords of the Have I Been Pwned password database. Have I Been Pwned only provides hashes of passwords. The dictionary I built is able to recover more than 98 % of the hashes of the 10 million most used passwords. This smaller list is sorted by frequency.

Here are the SHA-384 checksums of the files.

34ca36ddc16e9bebf7a38fc262400657a2ede830cdfd5ff4d1eebe8fca630c708594db210333415a7c08c05f5c989aca  piotrcki-wordlist-top10m.txt.xz
a7330f67de1fb992ccc183ef924ab7f72bc643f76942037dd991e9c57cf0a25bd997ae983ac7bd7e44a118260d6de57d piotrcki-wordlist.txt.xz

Please, use this for legal purposes only.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store