A list of the top 10,000 most-used passwords from hacked password lists.

dev-master 2017-09-16 19:16 UTC

This package is auto-updated.

Last update: 2024-04-06 15:26:20 UTC


A list of the top 10,000 most-used passwords from hacked password lists.

Mutated list was generated by installing John the Ripper and running:

john --wordlist=raw.txt --rules --stdout > raw-mutated.txt

This produces a list which starts with the top 10,000 and makes commonplace alterations to that list. This increases the size of the list from 10,000 → over 422,000.

See Also…

NOTE: This is a list of known-bad clear text passwords. For a list of known-bad password SHA-1 hashes, see



The following software is required for Bad Passwords to run:


Bundle with Composer (recommended!)

To add Bad Passwords as a Composer dependency in your composer.json file:

    "require": {
        "skyzyx/bad-passwords": ">=1.0"

And include it in your scripts:

require_once 'vendor/autoload.php';


To view the list of existing contributors, run the following command from the Terminal:

git shortlog -sne --no-merges


Here's the process for contributing:

  1. Fork Bad Passwords to your GitHub account.
  2. Clone your GitHub copy of the repository into your local workspace.
  3. Write code, fix bugs, and add tests with 100% code coverage.
  4. Commit your changes to your local workspace and push them up to your GitHub copy.
  5. You submit a GitHub pull request with a description of what the change is.
  6. The contribution is reviewed. Maybe there will be some banter back-and-forth in the comments.
  7. If all goes well, your pull request will be accepted and your changes are merged in.

Authors, Copyright & Licensing

My intention is to release all rights to this documentation and make it available under the Public Domain. Unfortunately, in the U.S. it's not quite that cut-and-dry. So, I am dual-licensing this work under CC0 and the Unlicense. You can choose whichever license you would prefer to adhere to.

To the extent possible under law, Ryan Parman has waived all copyright and related or neighboring rights to "Bad Passwords". This work is published from: United States.