rockyou.txt has 116,992 downloads. Rank C. 7.54% crack rate on NTLM hashes. The most downloaded wordlist in the world is one of the worst. Here's what actually works.
MITRE ATT&CK: T1110.002 — Brute Force: Password Cracking
I run the same test every time I dump hashes from an AD engagement. The results don't change. rockyou misses what actually cracks in corporate environments — because corporate passwords don't look like consumer passwords from 2009.
The data below comes from weakpass.com's public benchmarks, reproducible by anyone. The rankings are not opinions. They are measured crack rates against real NTLM hashes at defined time limits.
The Benchmark Data
| Wordlist | Rank | Crack Rate | NTLM Run Time | Size |
|---|---|---|---|---|
| rockyou.txt | C | 7.54% | 0m | 133 MB |
| hashmob.net_2025.medium | S | 15.42% | 0m | 128 MB |
| kaonashi.txt | B | 23.79% | 5m | 9 GB |
| all-h.txt | S | 38.50% | 16m | 28 GB |
| all_in_one.txt | B | 41.40% | 2h 57m | 317 GB |
Source: weakpass.com (public benchmark data, reproducible independently)
The first thing most people notice: all_in_one.txt has the highest crack rate but only ranks B. all-h.txt is 11x faster for 2.9% less coverage and ranks S. Crack rate per unit of time is what matters in an engagement — not absolute coverage.
By Scenario: Which Wordlist to Use and When
Fast first pass — hashmob.net_2025.medium
Same size as rockyou (128 MB). Same NTLM speed (0 minutes). Double the crack rate (15.42% vs 7.54%). Rank S.
This is compiled from recent breach data — Hashmob's public corpus — which skews toward corporate credentials rather than 2009 consumer accounts. The difference is immediately visible in results. Where rockyou cracks personal account passwords, hashmob.medium cracks corporate account passwords.
I start every cracking session here before launching anything bigger. The time cost is zero. The improvement over rockyou is consistent and significant. Download: weakpass.com
Maximum efficiency — all-h.txt
Rank S. 38.50% crack rate. 16 minutes. 28 GB.
Compiled from real breached credentials across four sources: Hashes.org, Hashmob, Hashkiller, and Hashpwn. The combination covers credential patterns from different breach types, industries, and time periods. This breadth is what makes it effective against corporate environments where passwords follow rotation policies and naming conventions.
For 2.9% less total coverage compared to all_in_one.txt, it runs 11x faster. In most engagements, this is the wordlist I use for the primary cracking pass. The time-to-value ratio is unmatched.
Maximum coverage — all_in_one.txt
41.40% crack rate. Rank B. 317 GB. 3 hours.
Yes, lower rank than all-h despite higher coverage. The ranking reflects efficiency. Use this when you have time at the end of an engagement and need to squeeze every possible cracked credential out of the hash dump. Not the primary tool — the final sweep.
Kerberoasting — The-Viper-One
Service account passwords follow different patterns than user account passwords. They tend to be older, more predictable, and frequently set by sysadmins who reuse across service accounts. Service accounts often predate the organization's current password policy. They are rarely rotated unless something breaks.
The-Viper-One is built specifically for service account cracking. It has pulled passwords in real environments that all-h missed — not because the password was obscure, but because it matched a pattern specific to service account naming conventions that general-purpose lists do not cover well.
For Kerberoasting engagements, this is a required addition to the standard workflow. Source: github.com/The-Viper-One
Spanish environments — CSL-LABS + hackingyseguridad
Local naming patterns, Spanish words, saints' days, football clubs, regional references. These crack accounts that global lists miss entirely.
Spanish corporate environments have predictable patterns: organization name variants, Spanish keyboard character substitutions, regional references, and date formats tied to local calendar events. A global wordlist compiled from English-language breaches will not contain these patterns in useful density.
If you are assessing Spanish-speaking organizations, skipping these lists means leaving cracked credentials on the table. The gap is not marginal.
Sources: github.com/CSL-LABS/CrackingWordLists and github.com/hackingyseguridad/diccionarios
The Workflow I Actually Run
Three steps, in order. Start fast, escalate if needed.
```bash
# Step 1: Fast pass — 0 minutes, ~15% cracked
hashcat -m 1000 hashes.txt hashmob.net_2025.medium

# Step 2: Efficiency pass — 16 minutes, ~38.5% total
hashcat -m 1000 hashes.txt all-h.txt

# Step 3: Full coverage — 3 hours, ~41.4% (only if needed)
hashcat -m 1000 hashes.txt all_in_one.txt
```

Most engagements stop at Step 2. The jump from Step 2 to Step 3 is 3 hours of GPU time for under 3% additional coverage. That math rarely justifies itself unless you have a specific high-value target that hasn't cracked yet.
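Whichever step the session stops at, the numbers worth reporting are per account rather than per hash: which accounts cracked, the overall crack rate, and which accounts share an NT hash (reuse is visible even for hashes that never crack). The script below is an added example, not code from the original post or from ADscan. It assumes the hash dump is in pwdump format (`user:rid:lmhash:nthash:::`, as secretsdump-style tools emit) and that cracked results come from a hashcat `-m 1000` potfile (`nthash:plaintext`). Every hash and account name in it is a constructed placeholder.

```python
"""Join a hashcat potfile back onto an NT hash dump: crack rate, per-account status, reuse.

Added example (not from the original post or from ADscan). Assumed input formats:
  - hash dump, pwdump style:        user:rid:lmhash:nthash:::
  - hashcat potfile for -m 1000:    nthash:plaintext
All hashes and account names below are constructed placeholders, not real credentials.
"""
from collections import defaultdict

# Constructed sample hash dump (placeholder hex; the LM field is the well-known empty LM hash)
HASH_DUMP = """\
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\carol:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\dave:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""

# Constructed potfile in hashcat -m 1000 format (hash:plaintext)
POTFILE = """\
11111111111111111111111111111111:Summer2024!
33333333333333333333333333333333:Backup123
"""


def parse_hash_dump(text):
    """Return {account: nthash} from pwdump-style lines; blank lines and comments are skipped."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line, ignore rather than abort the whole report
        accounts[parts[0]] = parts[3].lower()
    return accounts


def parse_potfile(text):
    """Return {nthash: plaintext}; split on the first colon only, since plaintexts may contain colons."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        digest, plain = line.split(":", 1)
        cracked[digest.strip().lower()] = plain
    return cracked


def crack_report(dump_text, pot_text):
    """Build the per-account view: crack status, crack rate, and accounts sharing one NT hash."""
    accounts = parse_hash_dump(dump_text)
    cracked = parse_potfile(pot_text)

    by_hash = defaultdict(list)
    for acct, digest in accounts.items():
        by_hash[digest].append(acct)

    per_account = {acct: cracked.get(digest) for acct, digest in accounts.items()}
    n_cracked = sum(1 for plain in per_account.values() if plain is not None)
    reuse = {digest: sorted(accts) for digest, accts in by_hash.items() if len(accts) > 1}

    return {
        "total": len(accounts),
        "cracked": n_cracked,
        "crack_rate": round(100.0 * n_cracked / len(accounts), 2) if accounts else 0.0,
        "per_account": per_account,
        "reuse": reuse,
    }


if __name__ == "__main__":
    report = crack_report(HASH_DUMP, POTFILE)
    print(f"{report['cracked']}/{report['total']} accounts cracked ({report['crack_rate']}%)")
    for acct, plain in sorted(report["per_account"].items()):
        # Status only: plaintexts stay out of the printed evidence
        print(f"  {acct:<20} {'CRACKED' if plain is not None else 'uncracked'}")
    for digest, accts in report["reuse"].items():
        print(f"  shared NT hash {digest[:8]}...: {', '.join(accts)}")
```

The printed view deliberately shows cracked/uncracked status and reuse clusters but never the plaintext, so it can go straight into an evidence section; the plaintext is still available in the returned dictionary for the analyst who needs to classify the pattern it matched.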
For Kerberoasting hashes, the mode changes. TGS-REP hashes are slower to crack than NTLM:
```bash
# RC4 (etype 23) — mode 13100
hashcat -m 13100 kerberoast.hashes all-h.txt

# AES (etype 17/18) — significantly slower
# mode 19600 for AES-128, 19700 for AES-256
hashcat -m 19600 kerberoast_aes.hashes hashmob.net_2025.medium
```

AES Kerberoast hashes are expensive. Start with hashmob.medium on AES tickets rather than all-h — the time cost of all-h on AES-128 is substantially higher than on NTLM. Crack what you can fast, then decide whether to escalate.
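The defensive counterpart of that cost difference is making sure service accounts can only be issued AES tickets in the first place. Below is an added example, not code from the original post, that decodes the `msDS-SupportedEncryptionTypes` bitmask for SPN-bearing accounts exported from the directory and flags any that can still receive an RC4 (etype 23) ticket. The account list is constructed. Treating an unset attribute as RC4-exposed is a conservative assumption: the domain default then decides, and that default has historically included RC4.

```python
"""Decode msDS-SupportedEncryptionTypes and flag accounts still exposed to RC4 service tickets.

Added example, not from the original post. Input is a constructed export of
(sAMAccountName, msDS-SupportedEncryptionTypes) pairs; None means the attribute is unset.
Bit values are the documented ones for the attribute.
"""

DES_CBC_CRC = 0x1
DES_CBC_MD5 = 0x2
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC (etype 23)",
    AES128_CTS_HMAC_SHA1: "AES128 (etype 17)",
    AES256_CTS_HMAC_SHA1: "AES256 (etype 18)",
}

# Constructed export of SPN-bearing accounts (not a real directory)
SERVICE_ACCOUNTS = [
    ("svc_sql", 0x1C),     # RC4 | AES128 | AES256: AES supported, but RC4 still offered
    ("svc_web", 0x18),     # AES128 | AES256 only
    ("svc_legacy", None),  # attribute unset: the domain default applies
    ("svc_old", 0x7),      # DES | RC4, no AES at all
]


def decode_etypes(value):
    """Return the human-readable etypes enabled by the bitmask (empty list if unset)."""
    if value is None:
        return []
    return [name for bit, name in ETYPE_NAMES.items() if value & bit]


def rc4_exposed(value):
    """True if a service ticket for this account may be RC4-encrypted.

    Assumption (conservative): an unset attribute counts as exposed, because the domain
    default then decides and that default has historically included RC4.
    """
    return value is None or bool(value & RC4_HMAC)


def aes_only(value):
    """True if the account advertises AES and nothing weaker (no DES, no RC4)."""
    if value is None:
        return False
    weak = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
    strong = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1
    return bool(value & strong) and not (value & weak)


def audit(accounts):
    """Map each account name to its decoded etypes and an exposure verdict."""
    return {
        name: {
            "etypes": decode_etypes(value),
            "rc4_exposed": rc4_exposed(value),
            "aes_only": aes_only(value),
        }
        for name, value in accounts
    }


if __name__ == "__main__":
    for name, info in audit(SERVICE_ACCOUNTS).items():
        if info["aes_only"]:
            verdict = "AES-only"
        elif info["rc4_exposed"]:
            verdict = "RC4 EXPOSED"
        else:
            verdict = "review"
        print(f"{name:<12} {verdict:<12} {', '.join(info['etypes']) or '(unset)'}")
```

An account that advertises AES alongside RC4 (`svc_sql` above) is the common half-fixed state: the KDC can issue it an AES ticket, but an RC4 ticket remains obtainable, so the fast-to-crack case still applies until the RC4 bit is cleared.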
Hashcat Optimization
Before running anything, verify your GPU is detected and configure the session correctly:
```bash
# Check available GPU
hashcat -I

# Always use optimized kernels (-O) for NTLM
hashcat -m 1000 -O hashes.txt wordlist.txt

# Add rules for common mutations — seasonal patterns, number appending
hashcat -m 1000 -O hashes.txt all-h.txt -r OneRuleToRuleThemStill.rule

# Resume an interrupted session
hashcat --restore
```

The -O flag (optimized kernels) is not optional for NTLM. It trades some password length coverage for a significant speed increase on hashes that fit within normal password length ranges. Corporate passwords almost always do. Enable it by default.
OneRuleToRuleThemStill covers the most common mutation patterns: seasonal capitalization, number appending, symbol substitution. When a wordlist alone doesn't crack a password, the mutation is almost always one of these patterns. Adding a rule is a second pass that costs minutes and frequently yields additional credentials.
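The same mutation patterns are what a defender screens for at password-change time, before a hash ever reaches a dump. The checker below is an added example, not code from the original post; it undoes the common mutations (leet substitutions, trailing year, number and symbol suffixes) and compares the remaining base word against seasonal, organization and common-word lists. The word lists and the sample candidates are constructed placeholders, and `ORG_WORDS` in particular is an assumption to replace with the organization's own names and abbreviations.

```python
"""Flag candidate passwords that collapse to a predictable base word once common mutations are undone.

Added example, not from the original post. Intended for a password filter or audit at
change time. SEASONS, MONTHS, COMMON_BASES and ORG_WORDS are constructed starting points;
ORG_WORDS is an assumption to replace per organization.
"""
import re

# Reverse map for the usual character substitutions (assumed set, extend as needed)
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "changeme"}
ORG_WORDS = {"acme", "acmecorp"}  # constructed placeholder for the organization's own names

YEAR_RE = re.compile(r"(19|20)\d{2}")
TRAILING_RE = re.compile(r"[^A-Za-z]+$")            # digits/symbols appended to the end
STRIP_RE = re.compile(r"^[^A-Za-z0-9]+|[^A-Za-z]+$")  # leading symbols, trailing digits/symbols


def classify(pw, org_words=ORG_WORDS):
    """Return the list of weak-pattern reasons for pw; an empty list means no pattern matched."""
    reasons = []

    match = TRAILING_RE.search(pw)
    suffix = match.group() if match else ""
    if YEAR_RE.search(suffix):
        reasons.append("year suffix")
    elif re.search(r"\d", suffix):
        reasons.append("number suffix")
    if re.search(r"[^A-Za-z0-9]", suffix):
        reasons.append("symbol suffix")

    # Strip the affixes first, then undo leet on what remains, so '!' in 'Summer2024!'
    # is treated as a suffix rather than as a substituted 'i'
    stripped = STRIP_RE.sub("", pw).lower()
    core = stripped.translate(LEET)
    if core != stripped:
        reasons.append("leet substitution")

    if core in SEASONS or core in MONTHS:
        reasons.append(f"seasonal base word '{core}'")
    elif core in org_words:
        reasons.append(f"organization word '{core}'")
    elif core in COMMON_BASES:
        reasons.append(f"common base word '{core}'")
    return reasons


def audit(candidates, org_words=ORG_WORDS):
    """Classify a batch; returns {candidate: reasons} including entries with no findings."""
    return {pw: classify(pw, org_words) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, not values from any real dump
    samples = ["Summer2024!", "P@ssw0rd1!", "Acme!2024", "Tr0ub4dor&3", "correct horse battery staple"]
    for pw, reasons in audit(samples).items():
        print(f"{pw:<30} {'; '.join(reasons) if reasons else 'no pattern matched'}")
```

The check is intentionally a heuristic on base words, not a dictionary lookup: a candidate like `Winter!2025` never appears in any wordlist yet collapses to `winter` plus a year and a symbol, which is exactly the combination a rule file reconstructs in minutes.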
Why rockyou Persists
rockyou has 116,992 downloads because it ships with Kali Linux by default. Not because it is good.
hashmob.medium is the same file size, the same NTLM crack speed, and double the crack rate. The swap takes two seconds to execute and is worth it every time.
The persistence of rockyou in pentester workflows is a tooling default masquerading as a methodology choice. The default gets used because it is already there. Nobody benchmarked it; they inherited it. Once you run the numbers — and weakpass.com has run the numbers publicly — there is no argument for starting with rockyou over hashmob.medium. Same cost. Better result.
Corporate passwords do not look like consumer passwords from 2009 data breaches. They follow rotation policies, naming conventions, and seasonal patterns. The wordlists that crack corporate environments are compiled from recent corporate breach data — not the breach that produced rockyou.
The organizations you are assessing have gone through multiple forced password resets since 2009. Their current password patterns reflect the current decade's corporate password policies. Your wordlist should reflect the same.
ADscan and Hash Collection
ADscan collects and saves all hashes to the workspace automatically during an engagement. Kerberoasting TGS hashes, SAM/LSA hashes, and DCSync output are all captured and stored per-session.
The adscan deliver command (PRO) includes each cracked credential in the evidence section with full context: which account, which attack path it appeared on, and what the downstream impact is. Cracked credentials are linked to the specific vulnerabilities that exposed them.
Running 2 or more AD engagements per year? Request PRO beta access — free for 90 days.
Summary
The default wordlist ships with Kali because defaults have to exist. hashmob.medium ships with a Rank S rating and double the crack rate at the same file size. Start there.
For maximum efficiency, all-h.txt at 16 minutes and 38.5% coverage is the correct primary pass in most engagements. For Kerberoasting, add The-Viper-One. For Spanish environments, add CSL-LABS and hackingyseguridad before you call the pass complete.
The data is public. The workflow is repeatable. The only thing that changes is which hashes you bring to the session.