xato-net-10-million-passwords.txt

At its core, this file is a collection of candidate passwords used for dictionary attacks. Unlike randomly generated brute-force attempts (e.g., aaaaa, aaaab), dictionary attacks leverage actual human-chosen passwords.

Many passwords incorporate birth years (1980–2000), sports teams (yankees, liverpool), or pop culture references (pokemon, starwars). This predictability allows attackers to tailor wordlists to a target demographic.

| Rank | Password | Prevalence Notes |
|------|----------|------------------|
| 1 | 123456 | Appears hundreds of thousands of times |
| 2 | password | Nearly as common |
| 3 | 12345678 | |
| 4 | qwerty | Keyboard sequences |
| 5 | abc123 | Simple alphanumeric |
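The same predictability can be turned into a defensive check at password-set time. The following is an added example, not part of the original page or of SecLists: it rejects a proposed password if it is in the list, or if it is a listed word with a birth year from the range above (and optional trailing symbols) attached. The function names, the symbol set and the inline sample list (built from the entries cited on this page) are assumptions for illustration.

```python
import re

# Constructed sample: only the entries this page cites. In practice, pass the
# lines of the full xato-net-10-million-passwords.txt to load_blocklist().
SAMPLE_WORDLIST = """123456
password
12345678
qwerty
abc123
yankees
liverpool
pokemon
starwars
"""

# Birth-year range named on the page (1980-2000), as a four-digit affix.
YEAR = r"(?:19[89]\d|2000)"
# Optional leading year, lazy core, optional trailing year, trailing symbols
# (the symbol set is an assumption).
AFFIX_RE = re.compile(rf"^(?:{YEAR})?(.*?)(?:{YEAR})?[!.@#$]*$", re.DOTALL)


def load_blocklist(lines):
    """Build a lowercase set from an iterable of wordlist lines."""
    return {ln.strip().lower() for ln in lines if ln.strip()}


def check_password(candidate, blocklist):
    """Return (accepted, reason) for a password a user proposes."""
    pw = candidate.strip().lower()
    if pw in blocklist:
        return False, "exact match in common-password list"
    # Strip a birth-year affix and trailing symbols, then look up the core.
    core = AFFIX_RE.match(pw).group(1)
    if core and core != pw and core in blocklist:
        return False, f"common password '{core}' plus year/symbol affix"
    return True, "not found in list"


BLOCKLIST = load_blocklist(SAMPLE_WORDLIST.splitlines())

if __name__ == "__main__":
    for pw in ["qwerty", "Yankees1987", "1999pokemon!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, BLOCKLIST))
```
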

After deduplicating and cleaning the data, Burnett released a list of the passwords observed across these breaches. The filename became iconic: xato-net-10-million-passwords.txt, often hosted on GitHub, security research portals, and pentesting frameworks like SecLists.

Let’s look at the raw statistics of the file: