Statistically Likely Usernames
Wordlists for statistically likely usernames, optimized for horizontal password attacks and security testing.
What is Statistically Likely Usernames?
Statistically Likely Usernames is a collection of wordlists and tools for generating username lists optimized for security testing and penetration testing. It solves the problem of inefficient username guessing by providing statistically ordered lists based on real-world name data, enabling horizontal password attacks that try one password across many likely usernames.
Penetration testers, security researchers, and red teamers who need efficient username enumeration and password attack tools for authorized security assessments.
Developers choose this project for its proven effectiveness in live attacks, statistically optimized lists that maximize success with minimal guesses, and flexibility to generate custom lists for specific username formats or organizational conventions.
Overview
Wordlists for creating statistically likely username lists for use in password attacks and security testing. Used for pentesting for over 10 years with amazing results.
Use Cases
Best For
- Conducting horizontal password attacks to avoid account lockouts
- Username enumeration during penetration tests of applications or networks
- Generating custom username lists for specific organizational naming conventions
- Creating date-of-birth wordlists for password reset function testing
- Efficient first-pass security testing with compact, interleaved username lists
- Security training and simulated attack scenarios requiring realistic username data
Not Ideal For
- Teams building user registration systems that require real-time, unique username generation
- Organizations with strict data privacy policies prohibiting use of name datasets from sources like Facebook
- Security professionals needing integrated, GUI-based tools for automated penetration testing workflows
- Projects where username formats are highly non-standard or require dynamic adaptation based on live data
Pros & Cons
Pros
Designed for trying one password across thousands of likely usernames, minimizing guess count and avoiding account lockouts, as highlighted in the README's attack philosophy.
Lists are generated from real-world data like US Census and Facebook, sorted by popularity to maximize success rates in live penetration tests, following Pareto curves for efficiency.
Provides base lists and command-line examples for creating tailored username lists, such as truncated formats or email addresses, while maintaining statistical order and removing duplicates.
The README states these lists have been tested extensively in authorized penetration tests with rapid and high success rates, validating their practical effectiveness.
Awesome Mix volumes interleave multiple common formats in a single pass, offering broad coverage with fewer guesses (~25,800 to 49,400 entries), ideal for initial security assessments.
Cons
The project admits it may not suffice for all cases, relying on pre-defined common formats and requiring manual customization for unusual naming conventions, which can be time-consuming.
All tools and list generation require familiarity with command-line utilities like awk and tr, lacking a graphical interface or simple scripts, which may deter less technical users.
Uses datasets from Facebook (extracted in 2010) and US Census that may not be up-to-date or compliant with modern privacy regulations like GDPR, without clear update mechanisms.
Frequently Asked Questions
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.