Account Security
Contrary to what many people claim, no one has ever 'hacked into our site' and accessed user information, accounts or usernames. The ONLY means by which a user can have his/her account stolen by someone else is when that user inadvertently or intentionally gives out their account password. People like to say they have been hacked, as it makes them feel a little better than admitting they have fallen for a scam, or just simply given away their password to the first person that asked them for it. However, there are a number of things you can do to help keep your account secure.
- Choosing a password - When you choose a password, don't go for something really obvious like password, 12345, letmein, neopets or pokemon. Using a combination of letters and numbers makes it a lot harder for people to guess. You can change your password at any time by clicking on 'Help' in the yellow side bar. Then click on the 'Change your Password' button. When you choose a new password be sure to write it down somewhere safe in case you forget it.
- Keep your password secret - Never tell anybody your password, no matter who they say they are. There are many nasty people out there who would love to get their hands on your hard earned Neopoints and they will pretend to be staff, have a secret code, anything to try to get you to tell them. No Neopets staff member will ever contact you via hotmail, AIM, MSN Messenger.
The only Neomails you will get from Neopets staff will be official warnings from theneopetsteam if you do anything wrong. We will NEVER ask for information via Neomail. If anyone asks you for your password, send us what they said as well as any information you have about them using this form.
- Log out - If you use Neopets in a public place such as a school or library, be sure to log out when you are done. To log out, simply click on 'Log Out' on the yellow side bar.
- Don't be greedy - If something looks too good to be true, chances are it is. There are no secret codes to become rich overnight, there is no magic web page that gives you 1 million neopoints and fish neggs cannot be made by anything. Nobody has ever cracked, hacked, broken into or tricked Neopets and no one will EVER be selling Faeries for 1NP. If someone ever asks you to give them something, or buy something from their shop in return for something else, do not give it to them. There is no guarantee you will get anything in return. Instead, report them using this form, and we will stop them scamming anybody else.
The Trading Post is the ONLY secure place to exchange items. If you are feeling generous, then use the Money Tree where there are many needy people looking for donations.
- Look before you click - If EVER you see a log in page, make sure that the URL (address at the top of the page) says http://www.neopets.com/loginpage.phtml. If it says something else, it is a fake log in page set up by someone else to try to get hold of your password. If you enter your username and password, your details will then be emailed to them and they will have full access to your account. Whenever you see anything that looks suspicious, please report it using this form. We will then get the page taken down and freeze the person who set it up.
If you have already entered your details, just click on 'Help' in the yellow side bar, then click on the 'Change your Password' button and change your password immediately.
- Keep your email safe - If you give away the password to your email account, they can then get your Neopets password sent to them. Many free email sites do have security issues and it is wise to change your password frequently and choose a combination of letters and numbers.
- Don't share accounts - No matter how trustworthy a person may seem when you chat to them online, never give them your password. There is no need to share an account with anybody. If you do, it is at your own risk and you must understand that they can easily change the password and steal your account.
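The 'Look before you click' check from the list above, written out as an added example (it is not part of the original page): it compares an address with the one genuine login URL the page gives and explains why common lookalikes fail. The function names and the `.example` sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The one genuine login address stated on the page.
GENUINE = urlsplit("http://www.neopets.com/loginpage.phtml")

def check_login_url(url):
    """Return (ok, reason) for an address copied from the browser bar."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "address cannot be parsed"
    if parts.username is not None:
        # Everything before '@' is login data, not the site name.
        return False, "real host is " + host + " (text before '@' is ignored)"
    if host != GENUINE.hostname:
        if host.startswith(GENUINE.hostname + "."):
            return False, "genuine name is only a prefix of " + host
        if not host.isascii() or "xn--" in host:
            return False, "host contains non-ASCII lookalike characters"
        return False, "host is " + host + ", not " + GENUINE.hostname
    if parts.scheme != GENUINE.scheme or port not in (None, 80):
        return False, "unexpected scheme or port"
    if parts.path != GENUINE.path:
        return False, "path is " + parts.path + ", not " + GENUINE.path
    return True, "matches the genuine login address"

# Constructed sample addresses; the .example hosts are placeholders.
SAMPLES = [
    "http://www.neopets.com/loginpage.phtml",
    "http://www.neopets.com.login.example/loginpage.phtml",
    "http://www.neopets.com@login.example/loginpage.phtml",
    "http://login.example/www.neopets.com/loginpage.phtml",
]

def report(urls=SAMPLES):
    """Map each address to its (ok, reason) verdict."""
    return {u: check_login_url(u) for u in urls}

if __name__ == "__main__":
    for url, (ok, reason) in report().items():
        print("OK  " if ok else "FAKE", url, "->", reason)
```

Only the host, scheme, port and path are compared, so the genuine name appearing anywhere else in the address (before an '@', as a subdomain prefix, or inside the path) does not make a page genuine.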
Aug 31, 2018 The Neopets representative on Facebook is the Community Manager, NOT a Neopets Support member, although they occasionally pass on ticket information to the Support team at their discretion. The primary function of their page is to promote Neopets on social media, not to resolve account-related issues.
ALWAYS use different passwords for each account and community you join. DO NOT use the same password on ANY neopets forum or community that is the same as your email password. You WILL get hacked and there is NOTHING you can do when they have your email account.
So I haven't been on my neopets account in a couple of years I wanna say. I really wanna get back into it and if anything just play the stock market here and there. I tried recovering my account using the 'Forgot password' option but the thing to send a password is apparently disabled now.
Jul 16, 2010 I've tried that link before. It doesn't exist anymore. Yes, I fail, I'm immoral, say what you want. All in all, you don't know me and I don't know you, so why be rude? I might be a really nice person and you might be too, but arguing over the computer isn't going to work. Anyway, I still want a password cracker.
Is there anything I can do to stop this?
Yes, we take any attempt to obtain a person's password very seriously. By reporting anybody that asks you for your password, or to give them something for free, we will be able to stop them from contacting anybody else.
With fake log in pages or any page that claims to be a revolutionary neopoint making program, the faster we get to know about it, the faster we can take it down and freeze the offender's accounts.
Password dictionaries
These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
Name | Compressed | Uncompressed | Notes |
John the Ripper | john.txt.bz2 (10,934 bytes) | n/a | Simple, extremely good, designed to be modified |
Cain & Abel | cain.txt.bz2 (1,069,968 bytes) | n/a | Fairly comprehensive, not ordered |
Conficker worm | conficker.txt.bz2 (1411 bytes) | n/a | Used by conficker worm to spread -- low quality |
500 worst passwords | 500-worst-passwords.txt.bz2 (1868 bytes) | n/a | |
370 Banned Twitter passwords | twitter-banned.txt.bz2 (1509 bytes) | n/a |
Leaked passwords
Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online and removed any names/email addresses/etc. (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.)
The best use of these is to generate or test password lists.
Note: The dates are approximate.
Name | Compressed | Uncompressed | Date | Notes |
Rockyou | rockyou.txt.bz2 (60,498,886 bytes) | n/a | 2009-12 | Best list available; huge, stolen unencrypted |
Rockyou with count | rockyou-withcount.txt.bz2 (59,500,255 bytes) | n/a | ||
phpbb | phpbb.txt.bz2 (868,606 bytes) | n/a | 2009-01 | Ordered by commonness; cracked from md5 by Brandon Enright (97%+ coverage) |
phpbb with count | phpbb-withcount.txt.bz2 (872,867 bytes) | n/a | ||
phpbb with md5 | phpbb-withmd5.txt.bz2 (4,117,887 bytes) | n/a | ||
MySpace | myspace.txt.bz2 (175,970 bytes) | n/a | 2006-10 | Captured via phishing |
MySpace - with count | myspace-withcount.txt.bz2 (179,929 bytes) | n/a | ||
Hotmail | hotmail.txt.bz2 (47,195 bytes) | n/a | Unknown | Isn't clearly understood how these were stolen |
Hotmail with count | hotmail-withcount.txt.bz2 (47,975 bytes) | n/a | ||
Faithwriters | faithwriters.txt.bz2 (39,327 bytes) | n/a | 2009-03 | Religious passwords |
Faithwriters - with count | faithwriters-withcount.txt.bz2 (40,233 bytes) | n/a | ||
Elitehacker | elitehacker.txt.bz2 (3,690 bytes) | n/a | 2009-07 | Part of zf05.txt |
Elitehacker - with count | elitehacker-withcount.txt.bz2 (3,846 bytes) | n/a | ||
Hak5 | hak5.txt.bz2 (16,490 bytes) | n/a | 2009-07 | Part of zf05.txt |
Hak5 - with count | hak5-withcount.txt.bz2 (16,947 bytes) | n/a | ||
Älypää | alypaa.txt.bz2 (5,178 bytes) | n/a | 2010-03 | Finnish passwords |
alypaa - with count | alypaa-withcount.txt.bz2 (6,013 bytes) | n/a | ||
Facebook (Pastebay) | facebook-pastebay.txt.bz2 (375 bytes) | n/a | 2010-04 | Found on Pastebay; appear to be malware-stolen. |
Facebook (Pastebay) - w/ count | facebook-pastebay-withcount.txt.bz2 (407 bytes) | n/a | ||
Unknown porn site | porn-unknown.txt.bz2 (30,600 bytes) | n/a | 2010-08 | Found on angelfire.com. No clue where they originated, but clearly porn site. |
Unknown porn site - w/ count | porn-unknown-withcount.txt.bz2 (31,899 bytes) | n/a | ||
Ultimate Strip Club List | tuscl.txt.bz2 (176,291 bytes) | n/a | 2010-09 | Thanks to Mark Baggett for finding! |
Ultimate Strip Club List - w/ count | tuscl-withcount.txt.bz2 (182,441 bytes) | n/a | ||
Facebook Phished | facebook-phished.txt.bz2 (14,457 bytes) | n/a | 2010-09 | Thanks to Andrew Orr for reporting |
Facebook Phished - w/ count | facebook-phished-withcount.txt.bz2 (14,941 bytes) | n/a | ||
Carders.cc | carders.cc.txt.bz2 (8,936 bytes) | n/a | 2010-05 | |
Carders.cc - w/ count | carders.cc-withcount.txt.bz2 (9,774 bytes) | n/a | ||
Singles.org | singles.org.txt.bz2 (50,697 bytes) | n/a | 2010-10 | |
Singles.org - w/ count | singles.org-withcount.txt.bz2 (52,884 bytes) | n/a | ||
Unnamed financial site | (reserved) | (reserved) | 2010-12 | |
Unnamed financial site - w/ count | (reserved) | (reserved) | ||
Gawker | (reserved) | (reserved) | 2010-12 | |
Gawker - w/ count | (reserved) | (reserved) | ||
Free-Hack.com | (reserved) | (reserved) | 2010-12 | |
Free-Hack.com w/count | (reserved) | (reserved) | ||
Carders.cc (second time hacked) | (reserved) | (reserved) | 2010-12 | |
Carders.cc w/count (second time hacked) | (reserved) | (reserved) |
Statistics
I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
Miscellaneous non-hacking dictionaries
These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
Name | Compressed | Uncompressed | Notes |
English | english.txt.bz2 (1,368,101 bytes) | n/a | My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth |
German | german.txt.bz2 (2,371,487 bytes) | n/a | Compiled by Brandon Enright |
American cities | us_cities.txt.bz2 (77,081 bytes) | n/a | Generated by RSnake |
'Porno' | porno.txt.bz2 (7,158,285 bytes) | n/a | World's largest porno password collection! Created by Matt Weir |
Honeynet | honeynet.txt.bz2 (889,525 bytes) | n/a | From a honeynet run by Joshua Gimer |
Honeynet - w/ count | honeynet-withcount.txt.bz2 (901,868 bytes) | n/a | |
File locations | file-locations.txt.bz2 (1,724 bytes) | n/a | Potential logfile locations (for LFI, etc). Thanks to Seth! |
Fuzzing strings (Python) | fuzzing-strings.txt.bz2 (276 bytes) | n/a | Thanks to Seth! |
PHPMyAdmin locations | phpmyadmin-locations.txt.bz2 (304 bytes) | n/a | Potential PHPMyAdmin locations. Thanks to Seth! |
Web extensions | web-extensions.txt.bz2 (117 bytes) | n/a | Common extensions for Web files. Thanks to dirb! |
Web mutations | web-mutations.txt.bz2 (177 bytes) | n/a | Common 'mutations' for Web files. Thanks to dirb! |
DirBuster has some awesome lists, too -- usernames and filenames.
Facebook lists
These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.
If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.
Name | Compressed | Uncompressed | Date | Notes |
Full names | facebook-names-unique.txt.bz2 (479,332,623 bytes) | n/a | 2010-08 | |
Full names - w/ count | facebook-names-withcount.txt.bz2 (477,274,173 bytes) | n/a | ||
First names | facebook-firstnames.txt.bz2 (16,464,124 bytes) | n/a | 2010-08 | |
First names - w/ count | facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) | n/a | ||
Last names | facebook-lastnames.txt.bz2 (21,176,444 bytes) | n/a | 2010-08 | |
Last names - w/ count | facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes) | n/a | ||
First initial last names | facebook-f.last.txt.bz2 (67,110,776 bytes) | n/a | 2010-08 | |
First initial last names - w/ count | facebook-f.last-withcount.txt.bz2 (66,348,431 bytes) | n/a | ||
First name last initial | facebook-first.l.txt.bz2 (37,463,798 bytes) | n/a | 2010-08 | |
First name last initial - w/ count | facebook-first.l-withcount.txt.bz2 (36,932,295 bytes) | n/a | ||