The wordlist and rules setup that actually cracks passwords
rockyou.txt is a starting line, not a strategy. How to combine curated wordlists, rules, masks and targeted lists, and when each one is a waste of GPU time.
Everyone starts with rockyou.txt and most people never leave. It is fine. It will crack the genuinely terrible passwords in the first few minutes of any job, and for a lot of low-effort targets that is the whole engagement. But rockyou is a leak from 2009 with around 14 million entries, and if you are still throwing only that at a hash in 2026 you are leaving most of the crackable passwords on the table.
The list is the raw material. Rules are what turn it into coverage.
Rules multiply, and that is the entire point
A wordlist is static. The base word "password" is in there once. But real passwords are base words with mutations: a capital letter, a year, a bang on the end, an "a" swapped for "@". Rules apply those transformations on the fly so one dictionary word becomes hundreds of candidates without you storing them.
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
best64 is the sane default. Small, fast, catches the common stuff. When that comes up empty and you have throughput to spare, escalate to something heavier. OneRuleToRuleThemAll is the one most people reach for, and dive.rule if you want to be thorough and have time to burn. The cost is real: rules multiply your keyspace by the number of rules in the file, so a 50,000-rule file turns 14 million words into 700 billion candidates. On a fast hash like MD5 or NTLM that is fine. On anything salted and slow it is a fantasy.
That is the tradeoff nobody states plainly: rules are free on fast hashes and ruinous on slow ones.
Stop using rockyou on bcrypt
This is the mistake I see most. Someone identifies a bcrypt hash, fires rockyou plus OneRule at it, and walks away expecting results. bcrypt at cost factor 10 gives you maybe a few thousand guesses per second per GPU. Do the arithmetic. 14 million words times a 50,000-rule set at a few thousand per second is measured in years, not hours.
For slow hashes the strategy inverts. You want a small, high-quality, targeted list and a light rule set, and you accept that you will only get the weak passwords. The reason fast hashes fall and slow ones do not is the same reason your wordlist strategy has to change with the algorithm.
Curated lists beat bigger lists
Bigger is not better past a point. A 100GB wordlist full of random web-scraped junk wastes most of its time on candidates no human ever chose. The lists worth keeping are the curated ones built from real cracked passwords: the weakpass collections, the hashmob founds, hashesorg. They are ordered by frequency, so the likely hits come first and you can stop early when you get what you need.
Keep rockyou for the instant wins. Keep one large curated list for the second pass. That covers most of what dictionary attacks will ever get you.
Masks for the structured stuff
When the dictionary work dries up, the passwords that are left tend to be structured rather than random. Eight characters, starts with a capital, ends in two digits. That is a mask attack, not a wordlist:
hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?d?d
Masks are brute force with a pattern, and they only pay off when you have intelligence about the password policy. If the domain requires exactly eight characters with one uppercase and one digit, the keyspace is small enough to exhaust. Hybrid attacks (-a 6 and -a 7) bolt a mask onto a wordlist, which catches the wordlist + 2024 pattern that pure rules sometimes miss.
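The arithmetic from the rules and bcrypt sections, together with the mask keyspace above, as an added example (not code from the original article). The 10 billion guesses per second for a fast hash and 3,000 per second for bcrypt are assumed round numbers, and custom charsets (?1 to ?4) are not handled.

```python
# Added example: candidate counts and exhaustion time for hashcat-style attacks.
# All hash rates are assumed round numbers, not benchmarks.

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as ?u?l?l?l?l?l?d?d generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a dangling '?'")
            key = mask[i + 1]
            if key != "?":                 # '??' is a literal question mark
                if key not in CHARSET_SIZE:
                    raise ValueError(f"unsupported placeholder ?{key}")
                total *= CHARSET_SIZE[key]
            i += 2
        else:                              # literal character: one choice
            i += 1
    return total

def dictionary_candidates(words: int, rules: int = 1) -> int:
    """Straight attack (-a 0): every rule is applied to every word."""
    return words * rules

def hybrid_candidates(words: int, mask: str) -> int:
    """Hybrid attack (-a 6 / -a 7): every word combined with every mask value."""
    return words * mask_keyspace(mask)

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second

def human(seconds: float) -> str:
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    FAST, SLOW = 10_000_000_000, 3_000     # assumed guesses/s: fast hash vs bcrypt cost 10
    jobs = {
        "14M words x 50,000 rules": dictionary_candidates(14_000_000, 50_000),
        "mask ?u?l?l?l?l?l?d?d": mask_keyspace("?u?l?l?l?l?l?d?d"),
        "14M words + ?d?d?d?d": hybrid_candidates(14_000_000, "?d?d?d?d"),
    }
    for name, n in jobs.items():
        fast, slow = seconds_to_exhaust(n, FAST), seconds_to_exhaust(n, SLOW)
        print(f"{name}: {n:,} candidates, fast {human(fast)}, slow {human(slow)}")
```

The same functions answer the defender's question: whether a given policy's mask is exhaustible against the hash the passwords are stored with.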
Build a targeted list before you give up
The single highest-value move on a real engagement is a custom list built from the target. Company name, product names, local sports teams, the current season and year. People are predictable: Spring2026!, Acme2026, Houston2024. Scrape the company website with something like cewl, mash it together with months and years, and run that small list first. It cracks the passwords that no generic wordlist will ever contain, because they were never in any breach.
Reuse your work
Every password you crack feeds the next target. Hashcat writes hits to a potfile, and --loopback re-feeds cracked passwords as new dictionary words, often catching variations across an organization where everyone landed on the same base word. Keep your potfile. Keep your custom lists per client. The second engagement at the same company is always faster, because half the passwords are reused from the first.
None of this matters if you cracked nothing because you picked the wrong algorithm. Find the mode first, confirm it against a known password, then worry about which list to run.