1.6 Billion Passwords in a Single List

Yet another big dictionary

During security audits, I often need to crack some hashes. A dictionary attack is the fastest way to recover passwords but it is limited by the content of the dictionary.

I decided to build my own list of passwords that have already been used in the real world.

This work is based on:

  • dictionaries of various security tools,
  • passwords extracted from public data breaches,
  • passwords recovered from publicly available hashes.

You can download the complete dictionary here.

A small subset of that dictionary is also available. It is made 98% of the 10 million most used passwords of the Have I Been Pwned password database. Have I Been Pwned only provides hashes of passwords. The dictionary I built is able to recover more than 98 % of the hashes of the 10 million most used passwords. This smaller list is sorted by frequency.

Here are the SHA-384 checksums of the files.

34ca36ddc16e9bebf7a38fc262400657a2ede830cdfd5ff4d1eebe8fca630c708594db210333415a7c08c05f5c989aca  piotrcki-wordlist-top10m.txt.xz
a7330f67de1fb992ccc183ef924ab7f72bc643f76942037dd991e9c57cf0a25bd997ae983ac7bd7e44a118260d6de57d piotrcki-wordlist.txt.xz

Please, use this for legal purposes only.