Why is there a passwords.txt file on my system that’s filled with somebody else’s passwords?

Raymond Chen

A customer was doing an inventory of the files on their system, and they found files named passwords.txt that were filled with somebody else’s passwords. The same file was found among both Microsoft Teams and Microsoft Outlook’s data files. What’s going on here? Are Teams and Outlook stealing passwords?

The clue is that the passwords.txt file is in a subdirectory called ZxcvbnData. zxcvbn is the name of a password strength estimator library developed by Dropbox. The library is available on GitHub, and the passwords.txt file of the top 30,000 passwords is one of the things that zxcvbn uses to assess the strength of a proposed password. The other files in the same directory provide popular English names as well as names of popular United States television shows and movies.

But that’s not the only thing that zxcvbn considers when assessing a password’s strength. You can read their blog entry or watch their technical presentation.

So don’t panic about the passwords.txt file. It’s there to protect you from bad passwords.

Bonus chatter: Sometimes, organizations are concerned because the passwords.txt file contains unsavory words. It so happens that unsavory words are popular as passwords.