Legal disclaimer >>> The information on this site is intended to be used for legal and ethical purposes like research, education, journalism and educating the public. Our intention is to comply with any and all applicable laws. If you can provide legal advice, please let us know.

Contribute >>> Have new or missing information? See something wrong? Use the comment section at the bottom of all pages, email or Twitter.

Stay up to date >>> Follow us on Twitter.

Yay, the site is up and running. You know what they say: “Release early, then iterate!” You can look at the front page to get a feel for where I want to go with this project.

What's next? The first thing I want to do is to collect a lot of dictionaries and lists of actual user passwords used in the wild.

Good dictionaries is very important when trying to crack passwords. Not only do they serve as lists of password candidates when cracking a hash, but they are often also used as a basis for generating new password candidates (rule and hybrid attacks). That's why I'm interested in figuring out which dictionaries are good, and which are not. I'll do that by employing different dictionaries in different ways and measuring each dictionary's performance against known password lists.

The password lists will allow me to analyze how users choose their passwords. I'll then be able to deduce and measure what attacks would have been effective against those passwords. Obviously, I'll also be able to use the password lists as dictionaries in future attacks.

So if you know of a list of leaked passwords or a good dictionary that is not listed here, let me know at!