Crafting the “Perfect” WordList

I want to start this post by pointing out that the word perfect is in quotes for a reason: there is never a truly perfect wordlist for hacking passwords. No word list can guarantee a match against a given password hash, but brute forcing and password cracking essentially rely on the quality of the word list being used.

The goal is to focus on what we already know: lists of the most commonly used passwords. These could be public lists from blogs, leaked (hacked) passwords from real websites, dictionaries, or words you have tested yourself that have proved useful. Think of these lists as a tool you keep on your virtual tool-belt, something you always bring with you to any job. A construction worker is never caught without a hammer at a job site, so a hacker should always have quality word-lists at their disposal too. In fact, I think I'll call this wordlist “H4mm3r”.

Recipe to forge the H4mm3r

  • Download lists from valid Data Sources
  • Combine sources into single entity
  • Sort words by occurrence

Step 1: Download lists from valid Data Sources

Just as I stated above, there are many places online that claim to have good wordlists, but most are poorly made and contain garbage words that just waste your time. Make sure to use existing wordlists hosted on sites with a community following, where the lists have been proven to be successful. Wordlists found online are usually compressed as .zip or .bz2 files, so you will have to uncompress them before use. Or, if you want to skip all that, I have taken the time to uncompress all the files myself and there is an option to download the list at the bottom of this post. Here are the sources that will be used in H4mm3r.

Step 2: Combine Sources into Single Entity

After you have downloaded all the files from the various websites, it is time to combine them into a master word list. This can be done either with automated scripts found online or by manually copying and pasting the contents yourself. This is by far the most time-consuming task, and it can become very hardware-intensive when dealing with files containing millions of lines.

Step 3: Clean and sort the master word list

Even after everything has been copied into a single file, there is still a lot of unnecessary garbage left inside. Word lists should be used only after small-scale brute forcing of all character combinations up to 6 characters in length, as well as brute forcing all combinations of numbers.

  • Eliminate all passwords that are 6 chars or less in length, and eliminate any passwords that are more than 23 chars in length. Brute forcing takes care of the small words, and we don’t care to waste our time on large passwords. Typical brute forcing (all possible combinations of a given set of characters) can take care of 6-char passwords in a maximum time of about 2 hours.
  • Eliminate all passwords that are only numbers. A brute force of only numbers can crack a 10-char password containing only numbers in about 30 seconds, which is not too safe. (Many wireless phone hotspot networks use a phone number as their password, so running through a list of all possible 10-char numbers, e.g. “555-123-9876”, will likely get you access.)
  • Delete all white space and empty lines. This saves the password cracker a lot of confusion if the list is cleaned up before it is used.
  • Sort it alphabetically A-Z. Many password crackers are more efficient when the list is organized in this manner.

Save your work often!
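The merge and clean-up of steps 2 and 3, as an added Python example (this is not the author's script and not part of the original post): the length window and the digits-only rule follow the bullets above, the two SAMPLE_ lists are constructed stand-ins for downloaded files, and by_occurrence is an assumed option that ranks by how many sources a word appears in, falling back to the A-Z order the post asks for.

```python
"""Merge, clean and rank password wordlists (steps 2 and 3 of the post)."""
from collections import Counter

MIN_LEN = 7   # 6 chars or fewer is left to brute force (step 3, bullet 1)
MAX_LEN = 23  # anything longer is not worth the cracker's time


def keep(word: str) -> bool:
    """Apply the post's filters: length window and no digits-only entries."""
    if not MIN_LEN <= len(word) <= MAX_LEN:
        return False
    if word.isdigit():  # purely numeric, cheap to brute force anyway
        return False
    return True


def clean_lines(lines):
    """Strip surrounding whitespace and drop empty lines (step 3, bullet 3)."""
    for raw in lines:
        word = raw.strip()
        if word:
            yield word


def build_wordlist(sources, by_occurrence=True):
    """Combine several source lists into one deduplicated, ranked list.

    sources: iterable of iterables of raw lines (one per downloaded file).
    Returns (word, occurrence_count) tuples. With by_occurrence the words
    seen in the most sources come first; ties, and the fallback order,
    are alphabetical A-Z as in step 3.
    """
    counts = Counter()
    for src in sources:
        counts.update(w for w in clean_lines(src) if keep(w))
    if by_occurrence:
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return sorted(counts.items())


# Constructed sample input standing in for two downloaded lists.
SAMPLE_A = ["password\n", "  letmein \n", "", "123456\n", "Summer2019\n",
            "abc\n", "1234567890\n", "qwerty123\n"]
SAMPLE_B = ["password\n", "qwerty123\n", "\n", "Summer2019\n",
            "x" * 24 + "\n", "trustno1\n"]

if __name__ == "__main__":
    for word, n in build_wordlist([SAMPLE_A, SAMPLE_B]):
        print(f"{n}\t{word}")  # one word per line, count first
```

Writing `word + "\n"` per entry to a file gives the one-word-per-line format crackers expect; on real multi-million-line files, open the sources with `errors="replace"` so a stray invalid byte does not abort the merge.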

Download the complete “H4mm3r” Word List (Contains additional sources)

If you do not feel like taking the time to follow the steps listed in this post or video, you can skip all that and download the complete word list directly. There are now two versions available for download: H4mm3r-V1 is a quick and efficient word list that finds many common passwords in a short amount of time, and H4mm3r-V2 is a powerhouse list compiled from almost every known source I have come across on the internet.

If you have any questions please feel free to comment below or reach out to me directly.

Thank you for all the support. Happy Hacking

-Bryan