passwords.txt contains 1,497 password entries structured to cover the full spectrum of weak credential patterns found in real-world breaches and CTF lab targets. The first ~660 entries are human-readable passwords; the remainder are systematic patterns generated from a small vocabulary of common base words combined with numbers and symbols.
These passwords represent genuinely weak credentials. Understanding why they fail is the goal. Never reuse them on any live system.

Pattern breakdown

Plain English words that appear in every major breach dataset. Examples from passwords.txt:
Password    Notes
dragon      Top-10 most breached password of all time
monkey      Consistently common across breach dumps
football    Sports-themed, extremely common
password    Still appears in millions of breaches
letmein     Human-readable, trivially guessable
sunshine    Positive-word passwords remain popular
batman      Pop-culture passwords are widely used
master      Common privileged-sounding word
welcome     Default greeting, widely used in corporate accounts
secret      Ironic: one of the most common “hidden” passwords
Passwords where users substitute letters with numbers or symbols to satisfy complexity rules — a well-known and ineffective strategy.
Password        Substitution pattern
Admin123        Capitalised word + trailing digits
P@ssw0rd        a→@, o→0 — textbook leet-speak
D0ck3r123       Product name with o→0, e→3
MyP@ssw0rd      Possessive prefix + leet substitutions
Str0ngP@ss      “Strong” ironically written with substitutions
Pa55w0rd!       Double substitution + trailing symbol
r00tP@ss!       Root-flavoured leet password
Adm1n1str4t0r   Full word leet-ified
Sup3rUs3r       Role + leet digits
Sup3rS3cur3!    “Secure” spelled insecurely
Passwords that combine a product or technology name with a simple number or symbol suffix. These are common defaults or first-time passwords set by administrators.
Password      Service reference
wordpress1    WordPress default-style
wpadmin       WordPress admin shorthand
docker123     Docker-specific
D0ck3r123     Docker leet variant
K8sClust3r    Kubernetes cluster
J3nk1ns!      Jenkins CI
G1tHub2024    GitHub with year
N4g10s123     Nagios monitoring
Z4bb1x!       Zabbix monitoring
Spl#nk123     Splunk SIEM
Gr4f4n4!      Grafana dashboards
D4t4d0g!      Datadog APM
T3rr4f0rm!    Terraform IaC
D4t4b4s3!     Generic database
Passwords specifically tailored to the CTF and security-lab context, including unusual capitalisations and non-standard special character placement.
Password                    Notes
4nsib13!                    Leet encoding of “ansible” + !
Ub#ntu2204                  Ubuntu 22.04 release reference
C0nt41n3r!                  Container-oriented lab password
CorrectHorseBatteryStaple   XKCD-style passphrase
Tr0ub4dor&3                 XKCD reference passphrase
BackupAdm1n                 Backup admin role
PowerUs3r!                  Power-user role
F1r3w4ll!                   Firewall leet
S3cur1ty!                   Security leet
L3tM31n!                    “Let me in” leet
Passwords built by appending a year to a common word — a pattern users adopt when forced to change passwords periodically.
Password        Pattern
password2024    word + current year
summer2024      season + year
spring2024      season + year
winter2024      season + year
fall2024        season + year
may2024         month + year
D3vOps2024      role + year
G1tHub2024      service + year
password2023    word + previous year
winter2023      season + previous year
The second half of passwords.txt (entries ~665–1,497) consists of programmatically generated passwords that combine a base word (pass, secure, access, login, change, temp, user, data, system, network, secret, test) with a symbol (!, @, #, $) or year suffix and a random 2–4 digit number. These model real-world passwords created by scripts or password managers without sufficient entropy.
Password        Structure
pass!796        base + ! + number
secure$729      base + $ + number
access@886      base + @ + number
login#565       base + # + number
change2024960   base + year + number
network123370   base + 123 + number
temp2024382     base + year + number
data$594        base + $ + number
secret#891      base + # + number
system!692      base + ! + number

Sample entries

The table below shows a cross-section of entries from different pattern families.
Password                    Pattern family
dragon                      Dictionary word
football                    Dictionary word
letmein                     Dictionary word
Admin123                    Leet-speak / complexity variant
P@ssw0rd                    Leet-speak / complexity variant
D0ck3r123                   Leet-speak / complexity variant
Sup3rUs3r                   Leet-speak / complexity variant
wordpress1                  Service-specific
wpadmin                     Service-specific
J3nk1ns!                    Service-specific leet
K8sClust3r                  Service-specific leet
4nsib13!                    CTF / lab pattern
Ub#ntu2204                  CTF / lab pattern
C0nt41n3r!                  CTF / lab pattern
password2024                Year-suffixed
summer2024                  Year-suffixed
D3vOps2024                  Year-suffixed leet
pass!796                    Systematic symbol pattern
secure$729                  Systematic symbol pattern
network123370               Systematic base+number

Security notes

Every entry in passwords.txt demonstrates at least one known weakness:
  • Predictability — dictionary words, names, and pop-culture references are the first candidates every credential-guessing tool tries.
  • Superficial complexity — substituting a→@ or o→0 adds no meaningful entropy; cracking tools such as hashcat ship these substitution rules by default.
  • Short length — passwords under 12 characters are vulnerable to offline GPU cracking even when hashed with bcrypt.
  • Incremental patterns — appending a year (password2024) or a 3-digit number (pass!796) is widely modelled in wordlists and rule files.
  • Product names — service-flavoured passwords (wordpress1, jenkins123) are the first entries tried against the matching service.
A credential resists brute-force attacks when it combines:
  1. Length — 16 characters or more.
  2. Unpredictability — generated randomly, not based on words or patterns.
  3. Uniqueness — a different password for every service.
  4. MFA — a second factor makes a stolen password alone insufficient.
Use a password manager to generate and store credentials that meet these criteria.
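As an added example (not code from the wordlist project), the checker below turns the pattern families described above and the weaknesses listed in the security notes into a policy check that rejects such credentials. VOCAB is a constructed subset of the base words quoted on this page, and the leet map reverses the substitutions shown in the complexity-variant table.

```python
import re

# Constructed vocabulary for this example: base words quoted on this page, not all of passwords.txt.
VOCAB = {
    "dragon", "monkey", "football", "password", "letmein", "sunshine", "batman",
    "master", "welcome", "secret", "admin", "root", "pass", "secure", "access",
    "login", "change", "temp", "user", "data", "system", "network", "test",
    "summer", "spring", "winter", "fall", "may", "my", "strong", "super",
    "docker", "github", "jenkins", "ubuntu", "ansible", "devops", "container",
    "correcthorsebatterystaple", "troubador",
}
# Undo the substitutions the leet-speak table shows; "1" is tried as both i and l.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "$": "s", "#": "u"})
UNLEET_L = {**UNLEET, ord("1"): "l"}
TAIL_RE = re.compile(r"^[!@#$%^&*]*\d*[!@#$%^&*]*$")  # symbols, digits, symbols (each part may be empty)
YEAR_RE = re.compile(r"(19[5-9]|20[0-4])\d")            # a four-digit year inside the suffix

def is_vocab_phrase(word):
    """True if word is one vocabulary word or a concatenation of them (super + user)."""
    return any(word[:i] in VOCAB and (i == len(word) or is_vocab_phrase(word[i:]))
               for i in range(1, len(word) + 1))

def classify(password):
    """Return the pattern family the password belongs to, or None if nothing matched."""
    low = password.lower()
    for i in range(len(low), 0, -1):  # longest candidate stem first
        stem, tail = low[:i], low[i:]
        if not TAIL_RE.match(tail):
            continue
        if is_vocab_phrase(stem):
            leet = ""
        elif any(is_vocab_phrase(stem.translate(t)) for t in (UNLEET, UNLEET_L)):
            leet = "leet "
        else:
            continue
        if not tail:
            return leet + "dictionary word"
        if YEAR_RE.search(tail):
            return leet + "word + year"
        return leet + "word + symbol/number suffix"
    return None

def weaknesses(password):
    """List the weaknesses from the security notes that apply; empty means none detected."""
    found = [f for f in (classify(password),) if f]
    if len(password) < 12:
        found.append("shorter than 12 characters")
    return found
```

A 25-character entry such as CorrectHorseBatteryStaple still comes back as a dictionary word, which is the point of the security notes: length alone does not help when the string itself is in every wordlist.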

Using this wordlist

WPScan

wpscan --url http://TARGET/lab/ \
  --usernames users.txt \
  --passwords passwords.txt \
  --password-attack xmlrpc \
  --max-threads 50
See the WPScan guide for full options and rate-limiting recommendations.

Hydra

hydra -L users.txt -P passwords.txt TARGET http-post-form \
  "/lab/xmlrpc.php:<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>^USER^</string></value></param><param><value><string>^PASS^</string></value></param></params></methodCall>:Incorrect username or password" \
  -t 50
See the Hydra guide for form parameter tuning and throttle settings.
For a faster first pass, use the first 664 entries (the human-readable section) before running the full list. Use head -664 passwords.txt to extract them.
