Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Aug 2020 08:21:12 -0800
From: Royce Williams <>
Subject: Re: any experience with hasheshorg2019 wordlist?

Hello, Albert -

On Tue, Aug 18, 2020 at 7:17 AM Albert Veli <> wrote:

> Hello, I have not used that list. But the site had
> many leaks of live hashes and I suspect the wordlist you mention is a
> collection of cracked hashes from the live ones. As you can see on the
> site it had a failure (hard drive?) and is currently down.

>From my read of s3's blog posts, the previous server ended up having bad
RAM, which was slowly corrupting the Cassandra database. The database is
being reconstructed on new hardware, which takes quite a bit of time (and
has to be interleaved with other activities, as time allows).

A static version of the site, including all of the found lists, is
currently available at

> Typically if you want statistics it is better to use rockyou since it
> has a big collection of all real passwords, while the only
> has cracked ones and is missing maybe 10% of the hardest passwords.
> That way the statistics gets skewed and only reflect the weakest 90%
> of the passwords.

I'll have to disagree with you there. :) The founds contain 100%
of RockYou - as well as 100% of other similar plaintext leaks (such as the
more recent LiveJournal leak) - due to their presence in other lists (such
as the Have I Been Pwned corpus). Since these were cracked using those
original plaintexts, they are fully represented.

The leaks on are from a variety of sources, platforms, and time
periods - and therefore a variety of demographics / cultures / countries.

Also, the crack rate for fast hashes is much higher - on the order of 99%
and up for many leaks based on fast hashes. And the success rate is
constantly going up, as new leaks are made public elsewhere and are used as
raw material to attack old lists.

For these reasons, the superset of all "founds" is one of the
most efficient broad-spectrum attack wordlists (that is publicly and freely
available) for real human passwords.

(The "junk" founds are those founds that are less likely to be
human-generated passwords, but are also very useful as a later pass, for
cleaning up non-human-generated founds in target hashes.)


> On Tue, Aug 18, 2020 at 2:18 PM Johny Krekan <>
> wrote:
> >
> > Hello, after some time I went to and I have found
> > hashesorg2019, which seems quite new and big. Do you have any experience
> > with this wordlist (success in finding passwords). Do you think that it
> > could contain many new passwords or is it recompilation of old ones?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.