RockYou Is Dead

Every penetration tester’s first move after dumping hashes is the same: run them against RockYou. It’s been the default wordlist since 2009 — 14.3 million passwords extracted from a single breach of a social gaming site. Kali ships it. Every hashcat tutorial references it. It’s the starting point for offline cracking, password spraying, and WiFi handshake attacks. How good is RockYou though? As far as I can tell, nobody has ever empirically measured RockYou’s coverage against modern breach data. I decided to fix that. ...

April 28, 2026 · 5 min · 909 words · John