bruteforce-database
Bruteforce Database - Wordlists for Ethical Security Testing
A collection of wordlists for security testing, penetration testing, and password analysis.
Note: For authorized testing only. Only use on systems you own or have permission to test.
Quick Start
# Clone the repository
git clone https://github.com/duyet/bruteforce-database.git
cd bruteforce-database
# Example: Test SSH login (authorized testing only!)
hydra -L usernames.txt -P 1000000-password-seclists.txt ssh://target.example.com
# Example: Web directory brute-forcing
gobuster dir -u https://example.com -w forced-browsing/all.txt
# Example: Subdomain enumeration
ffuf -u https://FUZZ.example.com -w subdomains-10000.txt
What’s Inside
Stats
- 11+ million total entries
- 135+ MB of data
- 4 main categories: Passwords, Usernames, Infrastructure, Identities
- Validated with automated CI/CD
Use Cases
| I need to… | Use this wordlist | Why? |
|---|---|---|
| Test common passwords | 1000000-password-seclists.txt |
Most common passwords from breach data |
| Test password policy | 8-more-passwords.txt |
Filtered for length, complexity requirements |
| Enumerate user accounts | usernames.txt |
400K+ common US usernames |
| Find hidden directories | forced-browsing/all.txt |
Comprehensive web path discovery |
| Discover subdomains | subdomains-10000.txt |
10K most common subdomain names |
| Test against massive dataset | 2151220-passwords.txt |
2.1M password compilation |
| Generate wordlist for JtR | uniqpass_v16_password.txt |
Optimized for John the Ripper |
| Test keyboard patterns | cain.txt |
Includes common patterns from Cain & Abel |
Available Wordlists
Password Dictionaries
General Purpose
1000000-password-seclists.txt(1M entries, 8.5 MB)- Source: SecLists project
- Use: Initial password testing, most common passwords
2151220-passwords.txt(2.1M entries, 20 MB)- Source: Dazzlepod.com compilation
- Use: Comprehensive password testing
Filtered Sets
8-more-passwords.txt(62K entries, 629 KB)- Filters: 8+ chars, requires caps + numbers, no consecutive chars
- Use: Testing password policies with complexity requirements
7-more-passwords.txt(528K entries, 5 MB)- Filters: 7+ chars, numeric-only removed
- Use: Medium-complexity password policies
Specialized
cain.txt(307K entries, 2.5 MB)- Source: Cain & Abel password cracker
- Use: Classic patterns, keyboard walks, common substitutions
bitcoin-brainwallet.lst(395K entries, 3.4 MB)- Source: Dictionary words used for Bitcoin brainwallets
- Use: Passphrase testing, dictionary attacks
38650-password-sktorrent.txt(39K entries, 309 KB)- Source: SKTorrent.eu leaked database
- Use: Real-world password patterns
Tool-Specific
uniqpass_v16_password.txt(2.1M entries, 20 MB)- Source: Optimized for John the Ripper
- Use: Hash cracking with JtR
Usernames & Identities
usernames.txt(403K entries, 3.3 MB)- Source: US username compilation
- Use: Account enumeration, user testing
38650-username-sktorrent.txt(39K entries, 258 KB)- Source: SKTorrent.eu leaked database
- Use: Real-world username patterns
facebook-firstnames.txt(4.3M entries, 37 MB)- Source: Facebook public first names
- Use: Name-based password testing
Geographic Data
us-cities.txt(21K entries, 199 KB)- Use: Location-based password testing
indo-cities.txt(102 entries, 1.2 KB)- Use: Regional password testing
Infrastructure Testing
subdomains-10000.txt(10K entries, 97 KB)
Forced Browsing / Directory Discovery
forced-browsing/ directory contains specialized wordlists for web application testing:
all.txt(43K entries) - Comprehensive file/directory listall-extensionless.txt(25K entries) - Paths without file extensionsall-dirs.txt- Directory names only
Categorized by File Type
forced-browsing/cat/ - Organized by file category:
Conf/- Configuration files (.conf,.config,.htaccess,.properties)Database/- Database files (.sql,.mdb,.xml,.ini)Language/- Source code files (.php,.asp,.jsp,.java)Project/- Project files (.csproj,.pdb,.sln)
Context-Based Paths
forced-browsing/context/ - Organized by context:
admin.txt- Admin panels and interfacestest.txt- Test environments and filesdebug.txt- Debug endpointserror.txt- Error pages and handlershelp.txt- Help and documentation paths- Plus many more specialized contexts
Usage Example:
# Scan for admin panels
gobuster dir -u https://target.com -w forced-browsing/context/admin.txt
# Look for config files
ffuf -u https://target.com/FUZZ -w forced-browsing/cat/Conf/conf.txt
# Comprehensive directory scan
dirsearch -u https://target.com -w forced-browsing/all.txt
Usage Examples
Password Cracking
# John the Ripper
john --wordlist=2151220-passwords.txt hashes.txt
# Hashcat (MD5)
hashcat -m 0 -a 0 hashes.txt 1000000-password-seclists.txt
# Hydra (SSH brute force)
hydra -l admin -P 8-more-passwords.txt ssh://192.168.1.100
Web Application Testing
# Directory discovery with gobuster
gobuster dir -u https://example.com -w forced-browsing/all.txt -t 50
# File discovery with specific extensions
gobuster dir -u https://example.com -w forced-browsing/all-extensionless.txt -x php,html,txt
# Fast fuzzing with ffuf
ffuf -u https://example.com/FUZZ -w forced-browsing/context/admin.txt -mc 200,301,302
Subdomain Enumeration
# Sublist3r
sublist3r -d example.com -w subdomains-10000.txt
# ffuf for subdomain fuzzing
ffuf -u https://FUZZ.example.com -w subdomains-10000.txt -mc 200
# gobuster DNS mode
gobuster dns -d example.com -w subdomains-10000.txt
Account Enumeration
# Test for valid usernames (authorized only!)
./enum4linux -U target.com -w usernames.txt
# Check username availability
curl https://api.example.com/check-username -d "username=FUZZ" -w usernames.txt
Decision Guide: Which Wordlist?
For Password Testing
Quick test (< 1 minute):
- Use
8-more-passwords.txt(62K entries) - Fast, focuses on complex passwords
Standard test (5-10 minutes):
- Use
1000000-password-seclists.txt(1M entries) - Industry standard, best coverage-to-time ratio
Comprehensive test (30+ minutes):
- Use
2151220-passwords.txt(2.1M entries) - Maximum coverage
Policy-specific testing:
- Strong policy (8+ chars, complexity):
8-more-passwords.txt - Medium policy (7+ chars):
7-more-passwords.txt - Weak/no policy:
1000000-password-seclists.txt
For Web Testing
Quick scan:
forced-browsing/context/<specific>.txt(targeted)
Standard scan:
forced-browsing/all-dirs.txt(directories only)
Comprehensive scan:
forced-browsing/all.txt(everything)
File-specific:
forced-browsing/cat/<type>/(by file extension)
Tools That Work With These Wordlists
Password Cracking
- John the Ripper - Password cracking
- Hashcat - Advanced password recovery
- Hydra - Network login cracker
Web Testing
- Gobuster - Directory/file & DNS busting
- ffuf - Fast web fuzzer
- Dirsearch - Web path scanner
- Burp Suite - Web application testing
Subdomain Discovery
Automation & Quality
This repository includes automation tools:
Validation Tools
# Validate all wordlists
python3 scripts/validate.py
# Validate specific file
python3 scripts/validate.py --file passwords.txt
# Deduplicate wordlists
python3 scripts/deduplicate.py passwords.txt
# Deduplicate all
python3 scripts/deduplicate.py --all
CI/CD Pipeline
Every commit and pull request is automatically:
- Validated for encoding and format
- Checked for file corruption
- Scanned for sensitive data
- Analyzed for statistics
- Verified for integrity
See .github/workflows/validate.yml
Manifest
The manifest.json file contains metadata for every wordlist:
- Entry counts and unique entries
- File sizes and checksums
- Encoding information
- Validation status
Generated automatically on every commit.
Contributing
We welcome contributions! See CONTRIBUTING.md for detailed guidelines.
Quick Contribution Checklist
- Wordlist is unique (not a duplicate)
- Source is documented
- File is UTF-8 encoded
- Deduplicated and validated
- README updated with entry
- Commit message is descriptive
Running Validation Locally
# Before submitting PR
python3 scripts/validate.py
python3 scripts/deduplicate.py --all
Ethics & Responsible Use
IMPORTANT: These wordlists are for authorized security testing only.
Acceptable Use
- Penetration testing with written authorization
- Security research on your own systems
- Educational purposes in controlled environments
- Password policy analysis and improvement
- Academic research with ethical approval
Unacceptable Use
- Unauthorized access to any system
- Testing systems without explicit permission
- Malicious hacking or cybercrime
- Harassment or targeting individuals
- Any illegal activity under applicable laws
By using these wordlists, you agree to use them responsibly and legally.
See CLAUDE.md for our full philosophy on ethical use.
Project Philosophy
Read CLAUDE.md for our principles:
- Quality over quantity
- Ethical use only
- Full transparency
- Community first
- Evolution, not stagnation
Contributors
Thank you to everyone who has contributed to this project:
- Van-Duyet Le - @duyet - Creator & Maintainer
- Taufiq Sumadi - @taufiqsumadi
- San Sayidul Akdam Augusta - @sanAkdam
- Dani Vijay - @danivijay - Forced-browsing wordlists
Want to contribute? See CONTRIBUTING.md!
License
This project is licensed under the MIT License.
You are free to:
- Use for any purpose (commercial or non-commercial)
- Modify and create derivatives
- Distribute and share
Requirements:
- Include the license and copyright notice
- Use responsibly and legally
Support This Project
If you find this project useful:
- Star this repository on GitHub
- Report issues to help us improve
- Contribute new wordlists or improvements
- Share with the security community
- Sponsor via GitHub Sponsors
Related Resources
- SecLists - Collection of security lists
- PayloadsAllTheThings - Penetration testing payloads
- FuzzDB - Attack patterns database
- OWASP Testing Guide - Web security testing methodology
Changelog
See CHANGELOG.md for version history and updates.
“Quality is not an act, it’s a habit.” - Aristotle
Made with ❤️ by the security community, for the security community.