A collection of wordlists for security testing, penetration testing, and password analysis.
Note: For authorized testing only. Only use on systems you own or have permission to test.
# Clone the repository
git clone https://github.com/duyet/bruteforce-database.git
cd bruteforce-database
# Example: Test SSH login (authorized testing only!)
hydra -L usernames.txt -P 1000000-password-seclists.txt ssh://target.example.com
# Example: Web directory brute-forcing
gobuster dir -u https://example.com -w forced-browsing/all.txt
# Example: Subdomain enumeration
ffuf -u https://FUZZ.example.com -w subdomains-10000.txt- 11+ million total entries
- 135+ MB of data
- 4 main categories: Passwords, Usernames, Infrastructure, Identities
- Validated with automated CI/CD
| I need to... | Use this wordlist | Why? |
|---|---|---|
| Test common passwords | 1000000-password-seclists.txt |
Most common passwords from breach data |
| Test password policy | 8-more-passwords.txt |
Filtered for length, complexity requirements |
| Enumerate user accounts | usernames.txt |
400K+ common US usernames |
| Find hidden directories | forced-browsing/all.txt |
Comprehensive web path discovery |
| Discover subdomains | subdomains-10000.txt |
10K most common subdomain names |
| Test against massive dataset | 2151220-passwords.txt |
2.1M password compilation |
| Generate wordlist for JtR | uniqpass_v16_password.txt |
Optimized for John the Ripper |
| Test keyboard patterns | cain.txt |
Includes common patterns from Cain & Abel |
-
1000000-password-seclists.txt(1M entries, 8.5 MB)- Source: SecLists project
- Use: Initial password testing, most common passwords
-
2151220-passwords.txt(2.1M entries, 20 MB)- Source: Dazzlepod.com compilation
- Use: Comprehensive password testing
-
8-more-passwords.txt(62K entries, 629 KB)- Filters: 8+ chars, requires caps + numbers, no consecutive chars
- Use: Testing password policies with complexity requirements
-
7-more-passwords.txt(528K entries, 5 MB)- Filters: 7+ chars, numeric-only removed
- Use: Medium-complexity password policies
-
cain.txt(307K entries, 2.5 MB)- Source: Cain & Abel password cracker
- Use: Classic patterns, keyboard walks, common substitutions
-
bitcoin-brainwallet.lst(395K entries, 3.4 MB)- Source: Dictionary words used for Bitcoin brainwallets
- Use: Passphrase testing, dictionary attacks
-
38650-password-sktorrent.txt(39K entries, 309 KB)- Source: SKTorrent.eu leaked database
- Use: Real-world password patterns
uniqpass_v16_password.txt(2.1M entries, 20 MB)- Source: Optimized for John the Ripper
- Use: Hash cracking with JtR
-
usernames.txt(403K entries, 3.3 MB)- Source: US username compilation
- Use: Account enumeration, user testing
-
38650-username-sktorrent.txt(39K entries, 258 KB)- Source: SKTorrent.eu leaked database
- Use: Real-world username patterns
-
facebook-firstnames.txt(4.3M entries, 37 MB)- Source: Facebook public first names
- Use: Name-based password testing
-
us-cities.txt(21K entries, 199 KB)- Use: Location-based password testing
-
indo-cities.txt(102 entries, 1.2 KB)- Use: Regional password testing
subdomains-10000.txt(10K entries, 97 KB)
forced-browsing/ directory contains specialized wordlists for web application testing:
all.txt(43K entries) - Comprehensive file/directory listall-extensionless.txt(25K entries) - Paths without file extensionsall-dirs.txt- Directory names only
forced-browsing/cat/ - Organized by file category:
Conf/- Configuration files (.conf,.config,.htaccess,.properties)Database/- Database files (.sql,.mdb,.xml,.ini)Language/- Source code files (.php,.asp,.jsp,.java)Project/- Project files (.csproj,.pdb,.sln)
forced-browsing/context/ - Organized by context:
admin.txt- Admin panels and interfacestest.txt- Test environments and filesdebug.txt- Debug endpointserror.txt- Error pages and handlershelp.txt- Help and documentation paths- Plus many more specialized contexts
Usage Example:
# Scan for admin panels
gobuster dir -u https://target.com -w forced-browsing/context/admin.txt
# Look for config files
ffuf -u https://target.com/FUZZ -w forced-browsing/cat/Conf/conf.txt
# Comprehensive directory scan
dirsearch -u https://target.com -w forced-browsing/all.txt# John the Ripper
john --wordlist=2151220-passwords.txt hashes.txt
# Hashcat (MD5)
hashcat -m 0 -a 0 hashes.txt 1000000-password-seclists.txt
# Hydra (SSH brute force)
hydra -l admin -P 8-more-passwords.txt ssh://192.168.1.100# Directory discovery with gobuster
gobuster dir -u https://example.com -w forced-browsing/all.txt -t 50
# File discovery with specific extensions
gobuster dir -u https://example.com -w forced-browsing/all-extensionless.txt -x php,html,txt
# Fast fuzzing with ffuf
ffuf -u https://example.com/FUZZ -w forced-browsing/context/admin.txt -mc 200,301,302# Sublist3r
sublist3r -d example.com -w subdomains-10000.txt
# ffuf for subdomain fuzzing
ffuf -u https://FUZZ.example.com -w subdomains-10000.txt -mc 200
# gobuster DNS mode
gobuster dns -d example.com -w subdomains-10000.txt# Test for valid usernames (authorized only!)
./enum4linux -U target.com -w usernames.txt
# Check username availability
curl https://api.example.com/check-username -d "username=FUZZ" -w usernames.txtQuick test (< 1 minute):
- Use
8-more-passwords.txt(62K entries) - Fast, focuses on complex passwords
Standard test (5-10 minutes):
- Use
1000000-password-seclists.txt(1M entries) - Industry standard, best coverage-to-time ratio
Comprehensive test (30+ minutes):
- Use
2151220-passwords.txt(2.1M entries) - Maximum coverage
Policy-specific testing:
- Strong policy (8+ chars, complexity):
8-more-passwords.txt - Medium policy (7+ chars):
7-more-passwords.txt - Weak/no policy:
1000000-password-seclists.txt
Quick scan:
forced-browsing/context/<specific>.txt(targeted)
Standard scan:
forced-browsing/all-dirs.txt(directories only)
Comprehensive scan:
forced-browsing/all.txt(everything)
File-specific:
forced-browsing/cat/<type>/(by file extension)
- John the Ripper - Password cracking
- Hashcat - Advanced password recovery
- Hydra - Network login cracker
- Gobuster - Directory/file & DNS busting
- ffuf - Fast web fuzzer
- Dirsearch - Web path scanner
- Burp Suite - Web application testing
This repository includes automation tools:
# Validate all wordlists
python3 scripts/validate.py
# Validate specific file
python3 scripts/validate.py --file passwords.txt
# Deduplicate wordlists
python3 scripts/deduplicate.py passwords.txt
# Deduplicate all
python3 scripts/deduplicate.py --allEvery commit and pull request is automatically:
- Validated for encoding and format
- Checked for file corruption
- Scanned for sensitive data
- Analyzed for statistics
- Verified for integrity
See .github/workflows/validate.yml
The manifest.json file contains metadata for every wordlist:
- Entry counts and unique entries
- File sizes and checksums
- Encoding information
- Validation status
Generated automatically on every commit.
We welcome contributions! See CONTRIBUTING.md for detailed guidelines.
- Wordlist is unique (not a duplicate)
- Source is documented
- File is UTF-8 encoded
- Deduplicated and validated
- README updated with entry
- Commit message is descriptive
# Before submitting PR
python3 scripts/validate.py
python3 scripts/deduplicate.py --allIMPORTANT: These wordlists are for authorized security testing only.
- Penetration testing with written authorization
- Security research on your own systems
- Educational purposes in controlled environments
- Password policy analysis and improvement
- Academic research with ethical approval
- Unauthorized access to any system
- Testing systems without explicit permission
- Malicious hacking or cybercrime
- Harassment or targeting individuals
- Any illegal activity under applicable laws
By using these wordlists, you agree to use them responsibly and legally.
See CLAUDE.md for our full philosophy on ethical use.
Read CLAUDE.md for our principles:
- Quality over quantity
- Ethical use only
- Full transparency
- Community first
- Evolution, not stagnation
Thank you to everyone who has contributed to this project:
- Van-Duyet Le - @duyet - Creator & Maintainer
- Taufiq Sumadi - @taufiqsumadi
- San Sayidul Akdam Augusta - @sanAkdam
- Dani Vijay - @danivijay - Forced-browsing wordlists
Want to contribute? See CONTRIBUTING.md!
This project is licensed under the MIT License.
You are free to:
- Use for any purpose (commercial or non-commercial)
- Modify and create derivatives
- Distribute and share
Requirements:
- Include the license and copyright notice
- Use responsibly and legally
If you find this project useful:
- Star this repository on GitHub
- Report issues to help us improve
- Contribute new wordlists or improvements
- Share with the security community
- Sponsor via GitHub Sponsors
- SecLists - Collection of security lists
- PayloadsAllTheThings - Penetration testing payloads
- FuzzDB - Attack patterns database
- OWASP Testing Guide - Web security testing methodology
See CHANGELOG.md for version history and updates.
"Quality is not an act, it's a habit." - Aristotle
Made with ❤️ by the security community, for the security community.
