[asyncscrum]

The rockyou.com insight was new to me. I hadn't heard of this breach somehow. I was wondering how they had 32m users and read some more on Wikipedia and they had Facebook apps and some MySpace plugins.

From Wikipedia

> In December 2009, RockYou experienced a data breach resulting in the exposure of over 32 million user accounts. This resulted from storing user data in an unencrypted database (including user passwords in plain text instead of using a cryptographic hash) and not patching a ten-year-old SQL vulnerability. RockYou failed to provide a notification of the breach to users and miscommunicated the extent of the breach

[capableweb]

Fun fact: rockyou.txt by now is probably one of the most common/famous wordlists out there, used for doing various types of dictionary attacks and the entire list ships by default with lots of tools, including Kali Linux which is a common distribution for pentesting.

[lucb1e]

> one of the most common/famous wordlists out there, used for doing various types of dictionary attacks and the entire list ships by default with lots of tools

Famous, ships by default, agree, but actually used? It's really low quality, I've mostly seen it used for CTFs: because it is so common, the organizers / challenge makers think picking a password from this list is fair game for a challenge where the trick is to crack some user password hash without requiring proper cracking hardware. In the real world, it can be a starting point but it's not really used much anymore.

Things like the linkedin list and newer lists are more accurate, especially when combined with rule sets that add additional transformations (add an(other) exclamation mark to a password, change o to zero, combinations of these things, etc.)