A curated collection of password wordlists, username lists, and default credentials for authorized security testing and penetration testing.
⚠️ Legal Disclaimer: These wordlists are provided strictly for security research, authorized penetration testing, and educational purposes. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing any system.
wordlist/
├── README.md
├── LICENSE
├── .gitignore
│
├── passwords/ # Password wordlists (one password per line)
│ ├── common.txt # General weak passwords (1.3M+ entries)
│ ├── common_small.txt # Top 1000+ most common weak passwords
│ ├── web.txt # Web application common passwords (450+)
│ ├── ssh.txt # SSH brute force passwords (79K+)
│ ├── rdp.txt # RDP common passwords (209K+)
│ ├── ftp.txt # FTP default/common passwords (410+)
│ ├── databases.txt # Database default passwords (430+)
│ ├── iot.txt # IoT/smart home/industrial default passwords (430+)
│ └── chinese_weak.txt # Chinese-context weak passwords (530+)
│
├── usernames/ # Username lists
│ ├── common.txt # General username list (82K+ entries)
│ └── admin.txt # Admin/common service account usernames (78)
│
├── defaults/ # Default credentials (structured JSON)
│ ├── ip_cameras.json # IP camera/NVR default credentials
│ ├── databases.json # Database default credentials with ports
│ ├── nas.json # NAS device default credentials
│ └── iot.json # IoT/router/networking default credentials
│
├── leaked/ # Passwords from public data breaches
│ ├── adobe_top100.txt # Top 100 from Adobe 2013 breach
│ └── README.md # Data source descriptions
│
└── tools/ # Utility scripts
├── clean.py # Wordlist cleaner (remove junk, dedupe, normalize)
├── mangler.py # Password variant generator (leet, case, suffixes)
├── generate_chinese.py # Chinese weak password generator
├── merge_dedupe.sh # Merge and deduplicate wordlists
└── wordlist_stats.py # Analyze and report wordlist statistics
Clean and validate password wordlists by removing junk data.
# Basic cleaning
python3 tools/clean.py -i dirty.txt -o clean.txt
# With length filter and control character removal
python3 tools/clean.py -i dirty.txt -o clean.txt --min-len 4 --max-len 64 --no-control
# Specify encoding
python3 tools/clean.py -i dirty.txt -o clean.txt --encoding latin-1
# Dry run (stats only)
python3 tools/clean.py -i dirty.txt -o /dev/null --dry-run
Generate password variants from a base wordlist.
# Apply case + leet speak rules
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules case,leet
# Apply all rules with length limit
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules all --max-len 16
# Limit output size
python3 tools/mangler.py -i passwords/common_small.txt -o mangled.txt --rules all --limit 100000
Available rules: case, leet, numbers, special, years, reverse, prefix, all
Generate Chinese-context weak passwords (pinyin, lucky numbers, names).
# Generate to default path
python3 tools/generate_chinese.py -o passwords/chinese_weak_generated.txt
# Limit output size
python3 tools/generate_chinese.py -o passwords/chinese_weak_generated.txt --limit 50000
Merge multiple wordlists into one sorted, deduplicated file.
# Merge multiple files
bash tools/merge_dedupe.sh -o merged.txt passwords/ssh.txt passwords/web.txt
# With length filter
bash tools/merge_dedupe.sh -o merged.txt --min-len 6 --max-len 32 passwords/*.txt
Analyze wordlist files and show statistics.
# Analyze specific files
python3 tools/wordlist_stats.py passwords/ssh.txt passwords/web.txt
# Analyze all wordlists
python3 tools/wordlist_stats.py --all
# JSON output
python3 tools/wordlist_stats.py passwords/*.txt --json
| File | Entries | Description |
|---|---|---|
| passwords/common.txt | 1,310,522 | General weak passwords (comprehensive) |
| passwords/common_small.txt | 1,316 | Top 1000+ most common |
| passwords/ssh.txt | 79215 | SSH brute force passwords |
| passwords/rdp.txt | 209,335 | RDP common passwords |
| passwords/web.txt | 453 | Web application passwords |
| passwords/ftp.txt | 413 | FTP default/common passwords |
| passwords/databases.txt | 429 | Database default passwords |
| passwords/iot.txt | 426 | IoT/smart device passwords |
| passwords/chinese_weak.txt | 530 | Chinese-context weak passwords |
| usernames/common.txt | 82,484 | General usernames |
| usernames/admin.txt | 78 | Admin account names |
| leaked/adobe_top100.txt | 100 | Adobe 2013 breach top 100 |
# 1. Use a pre-built wordlist directly
hydra -l admin -P passwords/web.txt target http-post-form "/login:user=^USER^&pass=^PASS^"
# 2. Generate custom variants
python3 tools/mangler.py -i passwords/common_small.txt -o my_custom.txt --rules case,leet,numbers
# 3. Merge multiple sources
bash tools/merge_dedupe.sh -o custom.txt --min-len 4 passwords/web.txt passwords/ftp.txt passwords/databases.txt
# 4. Check stats
python3 tools/wordlist_stats.py custom.txt
.txt files in the appropriate directory (passwords/, usernames/)python3 tools/clean.py -i new_file.txt -o new_file.txt to normalizeContributions are welcome! Please:
python3 tools/clean.py to normalize your additionspython3 tools/wordlist_stats.py --all to verify qualityMIT License - see LICENSE for details.
This toolkit is designed for: - ✅ Authorized penetration testing - ✅ Security research and education - ✅ Password policy auditing - ✅ CTF competitions and training - ❌ Unauthorized system access - ❌ Any illegal activity
$ claude mcp add wordlist \
-- python -m otcore.mcp_server <graph>