Poor passwords

I work in computer security. The following were recently shared in one of the threat intel channels I follow.

Rather lame, but it’s what Hyatt Hotel prohibits as passwords in their network: https://www.hyattconnect.com/files/passwordpolicy/dictionary.txt

This is claimed to be the largest collection of actual passwords ever assembled.

The download link on the web page given by the link above is very scary (if you can even find it). I downloaded the .gz file, decompressed it, and packaged it up as a .zip file here: http://www.joehuffman.org/misc/RockYou2021.zip


3 thoughts on “Poor passwords”

  1. My company has a credential stuffing protection product, and the thing that held up offering it was persuading the company lawyers that there was no way to take our stuff and actually use it to feed a credential stuffing attack.

    The hard part was explaining to lawyers what a “one-way cryptographic hash” was, and why you can’t run it backwards to get original plaintext usernames and passwords.

    Now, that password list from Hilton doesn’t have matching usernames, but it is nothing less than an absolute gift to bad actors that don’t want to pay bitcoin on the darkweb to get a password package. What a bunch of morons!

    Then again, if there weren’t a lot of morons programming their web applications with a database full of passwords in plaintext, just assuming they wouldn’t get hacked, I wouldn’t have my nicely paid job fixing their garbage.

  2. Password lists like this are incredibly useful to defenders. Using the PowerShell module DSInternals, plus the well-known rockyou list and https://haveibeenpwned, I perform password checks in our company regularly, to great effect.

    This new list will prove very useful indeed, so thanks for this.

    Kurt
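As an added illustration of the hash-based comparison such audits rest on (this is example code, not DSInternals and not anything from the post or the commenters): blocklist entries are kept only as SHA-1 digests, indexed by their first five hex characters the way the Have I Been Pwned Pwned Passwords range API does it, and a candidate is checked by fetching the suffixes under its prefix and matching locally. The blocklist and the account table are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample blocklist, standing in for a rockyou-style or vendor dictionary.
SAMPLE_BLOCKLIST = ["password", "123456", "qwerty", "letmein", "Summer2021", "hyatt1"]


def sha1_upper(password: str) -> str:
    """One-way hash: digests can be compared, but not run backwards to the plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords, prefix_len=5):
    """Index blocklist digests by their first prefix_len hex chars (HIBP range layout)."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_upper(pw)
        index[digest[:prefix_len]].add(digest[prefix_len:])
    return index


def range_lookup(index, prefix):
    """Server side: given only a prefix, return the suffixes stored under it, never a plaintext."""
    return sorted(index.get(prefix, ()))


def is_blocked(index, candidate, prefix_len=5):
    """Client side: send the prefix, match the suffix locally, so the full hash never leaves."""
    digest = sha1_upper(candidate)
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    return suffix in range_lookup(index, prefix)


def audit(index, accounts):
    """Return the usernames (sorted) whose password appears in the blocklist."""
    return sorted(user for user, pw in accounts.items() if is_blocked(index, pw))


if __name__ == "__main__":
    idx = build_index(SAMPLE_BLOCKLIST)
    # Constructed accounts; a real audit compares stored hashes rather than plaintexts.
    sample_accounts = {"alice": "Summer2021", "bob": "Tr0ub4dor&3xyz", "carol": "qwerty"}
    print(audit(idx, sample_accounts))  # prints ['alice', 'carol']
```

In a directory audit the comparison runs against the stored hashes exported from the directory, not plaintexts, which is why a one-way hash set is enough for the defender's side.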

  3. After several failed attempts to set up a Verizon account…must use at least one non-alphanumeric, not long enough (enough with the penis jokes, must be because I like guns), etc… I made one final attempt… Password: #FuckYouVerizon.0 DENIED. Reason given…“Password must not be too easy to guess.” Wish I had taken a screenshot.
