These lists are generated from historical data breaches and social engineering, focusing on what people actually use. They are highly effective for brute-force and dictionary attacks.

If you don't want to build from scratch, these resources jumpstart your work:

were created, capitalizing on the popularity of teams like Flamengo or Corinthians as common password bases.

Regional Slang

If auditing a Brazilian corporate environment, prioritize terms related to Brazilian culture rather than European Portuguese, as vocabulary and naming trends differ significantly between the regions.

Combining the concepts discussed, here is a practical workflow for an authorized penetration test.

Public wordlists are essential for testing the strength of Portuguese passwords against brute-force or dictionary attacks.

Early wordlists were essentially digital copies of Portuguese dictionaries. Security researchers soon realized, however, that people rarely use "pure" dictionary words. Instead, they use cultural markers. This led to the development of specialized wordlists that moved beyond the alphabet:

Soccer Culture: Lists like Brazilian Soccer Teams

Brazilian targets present a unique challenge. Brazil is a massive market, and Brazilian internet users tend to create passwords based on specific local tax IDs (CPF), phone numbers with specific DDD codes (e.g., 011 for São Paulo), dates written in the format, and football slang.
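The same patterns are useful on the defending side: a check at password-set time can reject candidates built from a CPF, a DDD-prefixed phone number or a team name. The Python below is an added example, not code from the original page or from any project it mentions; the function names, the two-entry team list and the phone regex are assumptions, and the sample values are constructed.

```python
import re
import unicodedata

# Team names taken from the page; a real deployment would load a fuller local blocklist.
TEAM_BASES = {"flamengo", "corinthians"}
# Assumed mobile format: optional leading 0, two-digit DDD, then 9 plus eight digits.
PHONE_RE = re.compile(r"0?[1-9]{2}9\d{8}")


def is_valid_cpf(digits: str) -> bool:
    """True if the 11-digit string carries correct CPF check digits."""
    if len(digits) != 11 or not digits.isdigit() or len(set(digits)) == 1:
        return False
    nums = [int(c) for c in digits]
    for n in (9, 10):  # position of each check digit
        total = sum(d * (n + 1 - i) for i, d in enumerate(nums[:n]))
        if nums[n] != (total * 10) % 11 % 10:  # remainder 10 maps to 0
            return False
    return True


def strip_accents(text: str) -> str:
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a new password should be rejected (empty list = accept)."""
    digits = re.sub(r"\D", "", candidate)  # ignore dots, dashes, letters
    letters = re.sub(r"[^a-z]", "", strip_accents(candidate).lower())
    reasons = []
    if is_valid_cpf(digits):
        reasons.append("cpf")
    elif PHONE_RE.fullmatch(digits):
        reasons.append("phone")
    if any(team in letters for team in TEAM_BASES):
        reasons.append("team")
    return reasons


if __name__ == "__main__":
    for sample in ("529.982.247-25", "011987654321", "Corinthians@1910"):  # constructed
        print(sample, screen_password(sample))
```

The check does not undo character substitutions such as `0` for `o`, so it complements a breached-password blocklist rather than replacing one.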

Wordlists are a crucial component of password cracking, as they provide a list of potential passwords that can be used to guess a user's credentials. A well-crafted wordlist can significantly increase the chances of cracking a password, especially if it's weak or commonly used. In the context of Portuguese password wordlist work, a comprehensive wordlist can help security professionals identify vulnerabilities in passwords used by Portuguese-speaking individuals or organizations.

When deploying a Portuguese wordlist during a security audit, efficiency is paramount.

Temporarily locking an account after a certain number of failed login attempts prevents automated dictionary attacks from cycling through millions of words.

The BRDumps project is a research repository providing specialized tools and wordlists for Brazilian Portuguese passwords. In addition to wordlists, the project offers John the Ripper (JtR) rules and Hashcat rules tailored specifically to crack passwords from Brazilian data dumps, addressing local mutation patterns that generic rules might miss.

Now, apply frequency analysis. Keep only words that appear more than 5 times (common passwords). Pipe this into a final base list: