Generally, the best lists are based on pwned passwords (real-world passwords previously exposed in data breaches), such as the infamous rockyou.txt. Others are built from larger dumps of millions of passwords and boiled down to the most commonly recurring items.
Here is a (non-exhaustive) collection of the more important wordlists for discovery, enumeration, fuzzing, and exploitation.
Note: Kali Linux provides some password dictionary files as part of its standard installation. One of these files is located at /usr/share/wordlists/rockyou.txt.gz.
- RockYou (14,344,392 lines)
- Nmap (4,999 lines)
- Dark web 2017 (9,999 lines)
- Facebook phished (2,441 lines)
- Ashley Madison data breach (375,853 lines)
- Default passwords for services (1,243 lines)
- John the Ripper (3,106 lines)
- Cain and Abel (306,706 lines)
- Conficker worm (181 lines)
- Dates 1900-2030 (48,664 lines)
- Days (6,240 lines)
- Months (13,431 lines)
- Seasons (5,390 lines)
- WPA - over 200k (203,806 lines)
- WPA - top 4,8k (4,800 lines)
- WPA - top 447 (447 lines)
- Backup files w/ path (1,286 lines)
- Backup files only (1,015 lines)
- Common (4,613 lines)
- Directory (only one) (1,993 lines)
- Domain names to scan (17,576 lines)
- Sensitive files - unix (16 lines)
- Sensitive files - windows (7 lines)
- Subdomains (114,532 lines)
- Italian wordlist (single) (344,074 lines)
- Italian wordlist (mixed) (419 lines)
This project is licensed under the MIT License - see the LICENSE file for details.
This repository is meant to provide open source resources for educational purposes only. I don't promote malicious practices and I will not be responsible for any illegal activities.