You shouldn’t use raw MD5 or SHA1 password hashes for storing authentication info, you should absolutely always use a randomized salt (bonus points for using something like Blowfish or PBKDF2 with a high number of iterations).

I was playing with the BozoCrack utility, which mines Google for MD5 hashes, and found a list of the Top 500 Worst Passwords of All Time. Not all of them were found by BozoCrack, so here’s a definitive list…

Hashes of The Top 500 Worst Passwords of All Time in MD5, SHA1, SHA256, and SHA512.

Originally published .