Where can I find good dictionaries for dictionary attacks?

Question

I’m wondering where I can find good collections of dictionaries which can be used for dictionary attacks?

I've found some through Google, but I’m interested in hearing about where you get your dictionaries from.

score 66 · Accepted Answer · edited Aug 17 '22 at 07:28

66

Nice list collected by Ron Bowes you can find here:
https://wiki.skullsecurity.org/index.php/Passwords

Other list is from InsidePro:
https://web.archive.org/web/20120207113205/http://www.insidepro.com/eng/download.shtml.

edited Aug 17 '22 at 07:28

Greg Sadetsky

103
4

answered Dec 29 '10 at 15:46

score 45 · Answer 2 · answered Jun 03 '13 at 06:24

An important one that hasn't been added to the list is the crackstation wordlist

The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

Best thing is, its free, although you can (and should!) make a donation!

score 29 · Answer 3 · answered Dec 29 '10 at 19:17

Some additional ones to add to those already suggested

ftp://ftp.ox.ac.uk/pub/wordlists/ - Lists by language, may be an important point depending on the locations of the users...
http://www.openwall.com/passwords/wordlists/ - The openwall project lists.
While not strictly a dictionary site (although it does have some) http://sites.google.com/site/reusablesec/Home/presentations-and-papers has some good presentations on improving the performance of password crackers in general and john the ripper in particular

Either the Oxford one is now broken or not publicly available. — charles-allen, Oct 23 '17 at 17:21

score 16 · Answer 4 · edited May 11 '19 at 21:44

16

Try the CrackLib dictionaries: https://web.archive.org/web/20161225012801/http://linux.maruhn.com/sec/cracklib-dicts.html

edited May 11 '19 at 21:44

pacoverflow

262
1
10

answered Dec 29 '10 at 18:32

score 13 · Answer 5 · edited Oct 23 '17 at 21:20

13

I tested the likelihood of collisions of different hashing functions. To help test, I tried hashing

all 216,553 words in the English language. Start with those 17.7 bits.
then the list of all 2,165,530 English words with one digit after it. (21.0 bits)
then the list of all 21,655,300 English words with two digits after it. (24.4 bits)
then the list of all 524,058,260 English words with a possible capital as the first letter, and followed by zero, one, or two digits. (29.0 bits).

With one list of English words you'll cover nearly everyone's password.

Note: XKCD is always relevant

edited Oct 23 '17 at 21:20

charles-allen

103
4

answered May 14 '12 at 13:47

Ian Boyd

2,125
1
21
13

1

When cracking, these permutations (adding a digit, capitalizing) are usually done with "rules". For example, Hashcat takes a given dictionary and applies a user-defined set of rules (http://hashcat.net/wiki/doku.php?id=rule_based_attack). This allows a trade-off between disk space and processor resources. – mcgyver5 Mar 10 '14 at 12:19
2

Your second link (all words in the English language) gives a 404 now, but it has been [archived by the WayBack machine](https://web.archive.org/web/20120420175529/http://www.sitopreferito.it/html/all_english_words.html). – ComFreek Jun 07 '14 at 09:18
A list of all english words is an acceptable starting point, but not a particularly good one. For example, the very simple and very popular passwords of "123456", "asdasd" and "letmein" would not be found by an approach used in this post; you want to start with specific lists of common passwords instead of an english dictionary. – Peteris Jan 18 '17 at 11:07

score 9 · Answer 6 · edited May 11 '19 at 21:44

Another good source is here http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists/

snippet:

[Analysis] Dictionaries & Wordlists
In general, it's said that using a GOOD 'dictionary' or 'wordlist' (as far as I know, they're the same!) is 'key'. But what makes them GOOD? Most people will say 'the bigger, the better'; however, this isn't always the case... (for the record this isn't my opinion on the matter - more on this later).

score 7 · Answer 7 · answered Dec 30 '10 at 10:11

You'll find lots of words in lots of languages on the download page for the English Wiktionary. enwiktionary-latest-all-titles-in-ns0.gz contains just page titles, including phrases - it might have underscores instead of spaces though. (we have English definitions of words from many languages).

And of course there's also WordNet.

(sorry but as a newbie I can only include one link)

score 7 · Answer 8 · answered May 14 '12 at 19:38

All the posts so far have great information, but remember you can always generate word lists yourself with a utility like crunch.

If you have an idea of what the password parameters are (for example, has to be 8-10 chars with only letters and numbers, no symbols), you can pipe crunch to most bruteforce programs with the tailored parameters.

score 5 · Answer 9 · answered Jan 17 '17 at 15:08

5

This is one that I have found useful over the years:

https://github.com/danielmiessler/SecLists

It includes popular passwords, fuzzing based on attack type and popular user names.

answered Jan 17 '17 at 15:08

Abe Miessler

8,155
10
44
72

Where can I find good dictionaries for dictionary attacks?

9 Answers9

Linked