When performing brute-force attacks, our first instinct is to reach for the current season and year, e.g., Winter20 or Winter2020. But it’s important to keep in mind that many organizations use a 90-day password change window, and 90 days can be a deceptively long time. For instance, as of today, February 25, 2020, the oldest passwords in such an organization would date from the end of November. It’s possible that a user still has a November19 or Fall2019 password set.
To make the task of creating weak password lists a little easier, I’ve created weakpasswords.net (and south.weakpasswords.net for our friends in the Southern Hemisphere). The site displays a list of candidate passwords for brute-force attacks based on the current date and is updated daily via a cron job.
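The same 90-day arithmetic can be used on the defensive side, as a check that rejects a new password built from any month or season a still-valid password could date from. This is an added example, not code from the original post or from weakpasswords.net; the function names, the meteorological season boundaries (December to February is Winter in the north) and the exact word-plus-year pattern are assumptions.

```python
import re
from datetime import date, timedelta

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
# Assumption: meteorological seasons, listed in Northern Hemisphere order.
SEASONS = ["Winter", "Spring", "Summer", "Fall"]


def season_for(d, southern=False):
    """Season name for a date; the Southern Hemisphere is shifted by half a year."""
    idx = (d.month % 12) // 3          # Dec, Jan, Feb -> 0 (Winter) ... Sep-Nov -> 3 (Fall)
    if southern:
        idx = (idx + 2) % 4
    return SEASONS[idx]


def window_terms(today, max_age_days=90, southern=False):
    """All (word, year) pairs for days on which a still-valid password could have been set."""
    terms = set()
    for age in range(max_age_days + 1):
        d = today - timedelta(days=age)
        for word in (MONTHS[d.month - 1], season_for(d, southern)):
            terms.add((word.lower(), d.year))
    return terms


def is_date_based(password, today, max_age_days=90, southern=False):
    """True if the password is <month or season><2- or 4-digit year> inside the window."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4}|\d{2})", password)
    if m is None:
        return False
    word, year = m.group(1).lower(), m.group(2)
    return any(word == w and year in (str(y), str(y)[-2:])
               for w, y in window_terms(today, max_age_days, southern))


if __name__ == "__main__":
    today = date(2020, 2, 25)  # the date used in the post
    # Constructed sample inputs for a password-change filter.
    for pw in ["Winter2020", "November19", "Fall2019", "Summer2019", "Tr0ub4dor"]:
        print(pw, "reject" if is_date_based(pw, today) else "pass")
```

Because the window reaches back 90 days, the check flags November19 and Fall2019 on February 25, 2020, not only the Winter variants.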