Seclists Github Wordlists Verified Instant

| Wordlist Path | Size | Verification Score | Best For |
|---------------|------|--------------------|-----------|
| Passwords/Common-Credentials/10-million-password-list-top-1000000.txt | 15MB | ★★★★★ | Modern password cracking |
| Passwords/Leaked-Databases/rockyou.txt | 134MB | ★★★★☆ | Legacy systems (over 50% of entries are obsolete) |
| Passwords/Common-Credentials/best110.txt | 2KB | ★★★☆☆ | Lockout-avoiding spray |

Verification note: rockyou.txt is widely known but contains many passwords from 2009 MySpace and RockYou gaming forums. Use the top 100,000 from HaveIBeenPwned (not in SecLists) for better coverage of 2024 leaks.

Save as verify_seclists.sh:

#!/bin/bash
# Print basic facts about a wordlist before using it.
WORDLIST="$1"

echo "[*] Checking: $WORDLIST"
echo "Lines: $(wc -l < "$WORDLIST")"
echo "Size: $(du -h "$WORDLIST" | cut -f1)"
echo "Encoding: $(file -b "$WORDLIST")"
echo "First 5 lines:"
head -n 5 "$WORDLIST"

Usage:

chmod +x verify_seclists.sh
./verify_seclists.sh SecLists/Passwords/xato-net-10-million-passwords-10000.txt

Verification has two main goals: authenticity (ensuring the wordlist came from the official SecLists source) and safety (ensuring no malicious content exists). Below are the steps to achieve both.
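
One way to check both goals for a single file, as an added example that is not from the original page or from the SecLists project. The function name `check_wordlist`, its return codes and the `MAX_LINE_LEN` variable are hypothetical, and the pinned digest is assumed to be one you recorded yourself from a clone of the official repository that you trust.

```shell
#!/bin/bash
# Added example, not SecLists code. check_wordlist and its return codes are
# hypothetical names. PINNED_SHA256 is assumed to be a digest you recorded
# yourself from a clone of the official repository that you trust.
#
# check_wordlist FILE [PINNED_SHA256]
#   0 ok | 2 unreadable | 3 digest mismatch | 4 control bytes
#   5 CRLF line endings | 6 line longer than MAX_LINE_LEN (default 256)
check_wordlist() {
    local file="$1" pinned="${2:-}" max_len="${MAX_LINE_LEN:-256}"
    local actual total kept cr
    [ -f "$file" ] && [ -r "$file" ] || return 2

    # Authenticity: the file must hash to the pinned digest (any hex case).
    if [ -n "$pinned" ]; then
        actual=$(sha256sum < "$file" | cut -d' ' -f1)
        pinned=$(printf '%s' "$pinned" | tr 'A-F' 'a-f')
        [ "$actual" = "$pinned" ] || return 3
    fi

    # Safety: NUL, ESC and other control bytes (tab, LF and CR excepted) can
    # drive a terminal or confuse the tool that reads the list.
    total=$(wc -c < "$file")
    kept=$(LC_ALL=C tr -d '\000-\010\013\014\016-\037\177' < "$file" | wc -c)
    [ "$total" -eq "$kept" ] || return 4

    # CRLF endings leave a trailing \r on every candidate, so nothing matches.
    cr=$(printf '\r')
    if LC_ALL=C grep -q "${cr}\$" "$file"; then return 5; fi

    # An over-long line is usually an embedded blob rather than a word.
    LC_ALL=C awk -v m="$max_len" \
        'length($0) > m { bad = 1; exit } END { exit bad }' "$file" || return 6
    return 0
}

# Stand-alone use: ./check_wordlist.sh FILE [PINNED_SHA256]
[ "$#" -eq 0 ] || check_wordlist "$@"
```

A non-zero return identifies the first check that failed, so the function can gate a wrapper script before the list is handed to any tool.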

Here is how to utilize these verified wordlists with common tools.

Fuzzing for Directories (using ffuf):

ffuf -u https://target.com/FUZZ -w ./SecLists/Discovery/Web-Content/common.txt

Brute Forcing (using hydra):

hydra -l admin -P ./SecLists/Passwords/Common-Credentials/10k-most-common.txt ssh://target-ip

ffuf -u https://target.com/FUZZ -w /path/to/SecLists/Fuzzing/XSS/XSS-40.txt -ac

# Generate SHA256 of a wordlist
sha256sum SecLists/Passwords/Leaked-Databases/rockyou.txt

ffuf -w SecLists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ