10,000 Most Common Passwords

A hacker can use or generate files like this, which may readily be compiled from breaches of sites such as Ashley Madison. Usually passwords are not tried one-by-one against a system's secure server online; instead a hacker might manage to gain access to a shadowed password file protected by a one-way encryption algorithm, then test each entry in a file like this to see whether its encrypted form matches what the server has on record. The passwords may then be tried against any account online that can be linked to the first, to test for passwords reused on other sites.

This particular list originates from the OWASP SecLists Project ([1]) and is copied from its content on GitHub ([2]) to link it more conveniently from Wiki English. The OWASP project publishes its SecList software content as CC-by-SA 3.0; this page takes no position on whether the list data is subject to database copyright or public domain. It represents the top 10,000 passwords from a list of 10 million compiled by Mark Burnett; for other specific attribution see the readme file. The passwords were listed in a numerical order, but the blocks of entries and positions of some simpler entries (e.g. "experienced" at 9975 and "doom" at 9983) hint this may not be a sorted list.

To use this list you can do a search within your browser (control-F or command-F) to see whether your password comes up, without transmitting your information over the Internet. It may also be useful to browse the file to see how secure-looking a completely insecure password can appear.

Lists of the top 100,000 and 1,000,000 passwords are also available from the OWASP project. They are not duplicated here for space and because Wikipedia:Password strength requirements currently uses the number 10,000, but checking them would not be a terrible idea.

The 100 most common passwords are listed in a separate section; these may not be used as passwords.
Skip to the end

Top 100

101–10000