Wordlist Collection
April 28, 2026 · View on GitHub
A curated collection of password wordlists, username lists, and default credentials for authorized security testing and penetration testing.
⚠️ Legal Disclaimer: These wordlists are provided strictly for security research, authorized penetration testing, and educational purposes. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing any system.
📁 Directory Structure
wordlist/
├── README.md
├── LICENSE
├── .gitignore
│
├── passwords/ # Password wordlists (one password per line)
│ ├── common.txt # General weak passwords (1.3M+ entries)
│ ├── common_small.txt # Top 1000+ most common weak passwords
│ ├── web.txt # Web application common passwords (450+)
│ ├── ssh.txt # SSH brute force passwords (79K+)
│ ├── rdp.txt # RDP common passwords (209K+)
│ ├── ftp.txt # FTP default/common passwords (410+)
│ ├── databases.txt # Database default passwords (430+)
│ ├── iot.txt # IoT/smart home/industrial default passwords (430+)
│ └── chinese_weak.txt # Chinese-context weak passwords (530+)
│
├── usernames/ # Username lists
│ ├── common.txt # General username list (82K+ entries)
│ └── admin.txt # Admin/common service account usernames (78)
│
├── defaults/ # Default credentials (structured JSON)
│ ├── ip_cameras.json # IP camera/NVR default credentials
│ ├── databases.json # Database default credentials with ports
│ ├── nas.json # NAS device default credentials
│ └── iot.json # IoT/router/networking default credentials
│
├── leaked/ # Passwords from public data breaches
│ ├── adobe_top100.txt # Top 100 from Adobe 2013 breach
│ └── README.md # Data source descriptions
│
└── tools/ # Utility scripts
├── clean.py # Wordlist cleaner (remove junk, dedupe, normalize)
├── mangler.py # Password variant generator (leet, case, suffixes)
├── generate_chinese.py # Chinese weak password generator
├── merge_dedupe.sh # Merge and deduplicate wordlists
└── wordlist_stats.py # Analyze and report wordlist statistics
🔧 Tools
clean.py - Wordlist Cleaner
Clean and validate password wordlists by removing junk data.
# Basic cleaning
python3 tools/clean.py -i dirty.txt -o clean.txt
# With length filter and control character removal
python3 tools/clean.py -i dirty.txt -o clean.txt --min-len 4 --max-len 64 --no-control
# Specify encoding
python3 tools/clean.py -i dirty.txt -o clean.txt --encoding latin-1
# Dry run (stats only)
python3 tools/clean.py -i dirty.txt -o /dev/null --dry-run
mangler.py - Password Variant Generator
Generate password variants from a base wordlist.
# Apply case + leet speak rules
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules case,leet
# Apply all rules with length limit
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules all --max-len 16
# Limit output size
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules all --limit 100000
Available rules: case, leet, numbers, special, years, reverse, prefix, all
generate_chinese.py - Chinese Password Generator
Generate Chinese-context weak passwords (pinyin, lucky numbers, names).
# Generate to default path
python3 tools/generate_chinese.py -o passwords/chinese_weak_generated.txt
# Limit output size
python3 tools/generate_chinese.py -o passwords/chinese_weak_generated.txt --limit 50000
merge_dedupe.sh - Merge & Deduplicate
Merge multiple wordlists into one sorted, deduplicated file.
# Merge multiple files
bash tools/merge_dedupe.sh -o merged.txt passwords/ssh.txt passwords/web.txt
# With length filter
bash tools/merge_dedupe.sh -o merged.txt --min-len 6 --max-len 32 passwords/*.txt
wordlist_stats.py - Wordlist Analyzer
Analyze wordlist files and show statistics.
# Analyze specific files
python3 tools/wordlist_stats.py passwords/ssh.txt passwords/web.txt
# Analyze all wordlists
python3 tools/wordlist_stats.py --all
# JSON output
python3 tools/wordlist_stats.py passwords/*.txt --json
📊 Wordlist Statistics
| File | Entries | Description |
|---|---|---|
| passwords/common.txt | 1,310,522 | General weak passwords (comprehensive) |
| passwords/common_small.txt | 1,316 | Top 1000+ most common |
| passwords/ssh.txt | 79215 | SSH brute force passwords |
| passwords/rdp.txt | 209,335 | RDP common passwords |
| passwords/web.txt | 453 | Web application passwords |
| passwords/ftp.txt | 413 | FTP default/common passwords |
| passwords/databases.txt | 429 | Database default passwords |
| passwords/iot.txt | 426 | IoT/smart device passwords |
| passwords/chinese_weak.txt | 530 | Chinese-context weak passwords |
| usernames/common.txt | 82,484 | General usernames |
| usernames/admin.txt | 78 | Admin account names |
| leaked/adobe_top100.txt | 100 | Adobe 2013 breach top 100 |
🔄 Workflow
Quick Start
# 1. Use a pre-built wordlist directly
hydra -l admin -P passwords/web.txt target http-post-form "/login:user=^USER^&pass=^PASS^"
# 2. Generate custom variants
python3 tools/mangler.py -i passwords/common_small.txt -o my_custom.txt --rules case,leet,numbers
# 3. Merge multiple sources
bash tools/merge_dedupe.sh -o custom.txt --min-len 4 passwords/web.txt passwords/ftp.txt passwords/databases.txt
# 4. Check stats
python3 tools/wordlist_stats.py custom.txt
Adding New Wordlists
- Place new
.txtfiles in the appropriate directory (passwords/,usernames/) - Run
python3 tools/clean.py -i new_file.txt -o new_file.txtto normalize - Update this README with the new entry
📝 Data Sources
Password Dictionaries
- common.txt: Curated from multiple public sources (rockyou derivatives), 1.3M+ entries
- common_small.txt: SecLists Pwdb_top-1000 + 2025-2026 breach data (NordPass, Cybernews, Specops)
- web.txt: SecLists Pwdb_top-1000 + Cybernews 2025/2026 common passwords + Paul Reynolds 2026 top 150 + lucidar.me top 299 + NordPass 2025 top 200
- ssh.txt: SecLists Pwdb_top-1000 + SecLists xato-net-10-million-usernames (common passwords) + default service credentials
- rdp.txt: RDP-specific weak passwords from original repository
- ftp.txt: SecLists Pwdb_top-1000 + FTP-specific default credentials
- databases.txt: SecLists Pwdb_top-1000 + official default credentials (MySQL, PostgreSQL, Redis, MongoDB, MSSQL, Oracle, Elasticsearch)
- iot.txt: SecLists Pwdb_top-1000 + SecLists default-passwords.csv + public device databases
- chinese_weak.txt: SecLists Pwdb_top-1000 + generated Chinese weak passwords (pinyin patterns, lucky numbers, common surnames, brand passwords, gaming passwords)
Username Lists
- common.txt: Original names list + SecLists Usernames/Names/names.txt + SecLists xato-net-10-million-usernames (top 2700+ common usernames)
- admin.txt: Common admin/service account variants
Default Credentials
- routers.json: SecLists Discovery/Web-Content/default-passwords.csv
- ip_cameras.json: SecLists + public IP camera databases
- databases.json: Official vendor documentation
- nas.json: SecLists + manufacturer defaults
- iot.json: SecLists + public IoT databases
Leaked Passwords
- adobe_top100.txt: Top 100 from the Adobe 2013 data breach (130M accounts)
🤝 Contributing
Contributions are welcome! Please:
- Fork the repository
- Add new wordlists in the appropriate directory
- Run
python3 tools/clean.pyto normalize your additions - Run
python3 tools/wordlist_stats.py --allto verify quality - Update this README
- Submit a pull request
📜 License
MIT License - see LICENSE for details.
⚖️ Responsible Use
This toolkit is designed for:
- ✅ Authorized penetration testing
- ✅ Security research and education
- ✅ Password policy auditing
- ✅ CTF competitions and training
- ❌ Unauthorized system access
- ❌ Any illegal activity