This repository contains password lists that each conform to a specific complexity policy. These are useful for banning common passwords when users try to set them, and may also be useful as pre-filtered wordlists for password cracking.
The policies are defined as:
- Alphanumeric - Contains at least one lowercase or uppercase character, plus at least one digit.
- Mixed Alphanumeric - Contains at least one lowercase and uppercase character, plus at least one digit.
- No Symbols - Password consists only of a-z, A-Z, 0-9
- Class Count - Password contains at least N different types of character. The four classes of character are a-z, A-Z, 0-9, and any other character (e.g. symbols).
Class count policies are things like "must contain at least two types of character from the following list: lowercase, uppercase, number, symbols".
A class count policy with a minimum count of 1 is the same as having no complexity policy at all.
These password lists were extracted from the SecLists Top 1000000 Common Passwords list.
The passwords in these lists are ordered by descending commonality.
These were extracted from the well-known "rockyou.txt" password list.
Some preprocessing was performed to remove passwords that are unlikely to be re-used elsewhere, e.g. passwords that were just rockyou URLs.
The passwords in these lists are unordered.
These were extracted from the NCSC top 100k password list, published in 2019.
The passwords in these lists are ordered by descending commonality.