Richelieu is a free list of the most common French passwords
Based on my experience as a pentester, I often had to try brute-force and dictionary-based attacks against exposed websites and services. The easiest way to do so is to use an existing list of common passwords and to load it into a dedicated tool like hydra.
However, the best lists of common passwords (such as danielmiessler's SecLists) do not work against French assets. The reason is simple: these password lists are based on the frequency analysis of huge data leaks (like Collection #1), with mixed sources from different countries and cultures. As a result, these lists say that the most common passwords are « qwerty », « password », « letmein », etc. But French people do not use a QWERTY keyboard nor say « let me in » to log in. We prefer « azerty », « motdepasse », or even «
This cultural difference reveals a real limit for brute-force attacks.
In order to build a better dictionary for pentesting French targets, I analyzed public data leaks and filtered the results to keep only « .fr » emails. The hypothesis here is that a « .fr » email address is linked to a French user. Even if this approach might be imperfect, the results are really interesting and accurate. This new dictionary, named « Richelieu » after the creator of the Académie française, has the following top 50:
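The filtering and ranking step described above, as an added example that is not the Richelieu project's own code: it parses constructed "email:password" lines (not real credentials), keeps only accounts whose domain ends in « .fr », ranks passwords by frequency, and then uses the resulting list the way a defender would, as a blocklist that rejects a candidate password found among the most common ones. The sample lines, the `.fr` hypothesis and the `top_n` cut-off are the only assumptions.

```python
# Added example, not code from the Richelieu project.
# Rebuild the "filter a leak to .fr accounts, then rank by frequency" method
# on a constructed sample, and use the result as a password blocklist.
from collections import Counter

# Constructed sample of "email:password" lines. These are NOT real credentials;
# the counts are made up so that the ranking is unambiguous. Two malformed
# lines are included to exercise the parser.
SAMPLE_LEAK = """\
alice@example.fr:azerty
bob@example.com:qwerty
claire@mail.fr:motdepasse
david@exemple.fr:azerty
eve@example.co.uk:password
francois@free.fr:123456
gilles@orange.fr:azerty
helene@example.fr:motdepasse
ivan@example.ru:qwerty
julie@laposte.fr:soleil
karim@example.fr:123456
lea@example.fr:azerty
marc@wanadoo.fr:motdepasse
broken line without separator
nina@example.fr:
""".splitlines()


def parse_leak_line(line):
    """Split one 'email:password' line; return (email, password) or None if malformed."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, password = line.split(":", 1)  # passwords may themselves contain ':'
    if "@" not in email or not password:
        return None
    return email.lower(), password


def is_french_email(email, tld=".fr"):
    """The hypothesis of the post: a .fr address belongs to a French user."""
    domain = email.rsplit("@", 1)[1]
    return domain.endswith(tld)


def build_dictionary(lines, tld=".fr", top_n=50):
    """Return the top_n most frequent passwords among tld-filtered accounts,
    most frequent first (ties keep first-seen order)."""
    counts = Counter()
    for line in lines:
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, password = parsed
        if is_french_email(email, tld):
            counts[password] += 1
    return [pw for pw, _ in counts.most_common(top_n)]


def is_blocked(candidate, dictionary):
    """Defender-side check: reject a candidate that appears in the common list
    (case-insensitive), as a password policy would."""
    return candidate.lower() in {pw.lower() for pw in dictionary}


if __name__ == "__main__":
    top = build_dictionary(SAMPLE_LEAK)
    print(top)                        # ['azerty', 'motdepasse', '123456', 'soleil']
    print(is_blocked("Azerty", top))  # True
    print(is_blocked("Tr0ub4dor&3", top))  # False
```

On a real leak the same `build_dictionary` call is the whole pipeline; `top_n` is the only knob, and the `is_blocked` check is what a registration or password-change handler would call with the published list loaded once at start-up.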
Cultural analysis of this dictionary
An analysis of the full dictionary shows, unsurprisingly, that the most common French passwords are based on:
- a spatial sequence on an AZERTY keyboard (
- a logical sequence (
- a proper noun, such as a firstname, a town, a country (
- a phrase (
- or a cultural item (
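The first two families in the list above (a spatial sequence on an AZERTY keyboard, a logical sequence) can be recognised mechanically, which is useful in a password-quality check. The classifier below is an added example, not the Richelieu project's code. It assumes the three letter rows of the standard AZERTY layout, a minimum run length of four characters, and a small constructed word list standing in for the proper-noun, phrase and cultural-item families, which need a real dictionary rather than a rule.

```python
# Added example, not code from the Richelieu project.
# Classify a password into the pattern families named above.

# The three letter rows of the standard French AZERTY layout.
AZERTY_ROWS = ["azertyuiop", "qsdfghjklm", "wxcvbn"]

MIN_RUN = 4  # assumption: shorter fragments are too common to mean anything


def is_keyboard_walk(password, rows=AZERTY_ROWS, min_len=MIN_RUN):
    """True if the password is a contiguous run along one AZERTY row,
    typed left-to-right or right-to-left (azerty, ytreza, qsdfgh)."""
    p = password.lower()
    if len(p) < min_len:
        return False
    return any(p in row or p in row[::-1] for row in rows)


def is_logical_sequence(password, min_len=MIN_RUN):
    """True for runs with a constant step of +1, -1 or 0 between adjacent
    characters (123456, 654321, abcdef, aaaaaa)."""
    if len(password) < min_len:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


# Constructed mini word list standing in for the proper-noun / phrase /
# cultural-item families; it is NOT the Richelieu list itself.
SAMPLE_WORDS = {"motdepasse", "soleil", "marseille", "jetaime"}


def classify(password, common_words=SAMPLE_WORDS):
    """Return the first matching family. Logical sequences are tested first
    so that '123456' is reported as a sequence rather than a row walk."""
    if is_logical_sequence(password):
        return "logical sequence"
    if is_keyboard_walk(password):
        return "keyboard walk"
    if password.lower() in common_words:
        return "known word"
    return "other"


if __name__ == "__main__":
    for pw in ["azerty", "qwerty", "123456", "motdepasse", "Tr0ub4dor&3"]:
        print(pw, "->", classify(pw))
```

Note that "qwerty" is classified as "other": it is a row walk on a QWERTY keyboard, not on AZERTY, which is exactly the cultural difference the post describes. Swapping `AZERTY_ROWS` for another layout's rows adapts the check to another population.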
Get the dictionary
DISCLAIMER: THIS DICTIONARY IS PUBLISHED FOR LEGAL PURPOSES ONLY. PLEASE DO NOT USE IN MILITARY OR SECRET SERVICE ORGANIZATIONS OR FOR ILLEGAL PURPOSES.
The full dictionary is available for free here: https://github.com/tarraschk/richelieu.