diff --git a/django/contrib/auth/common-passwords.txt.gz b/django/contrib/auth/common-passwords.txt.gz
index 78d490df5a..87cdd596f4 100644
Binary files a/django/contrib/auth/common-passwords.txt.gz and b/django/contrib/auth/common-passwords.txt.gz differ
diff --git a/django/contrib/auth/password_validation.py b/django/contrib/auth/password_validation.py
index 4c26e88ac8..7a64e62697 100644
--- a/django/contrib/auth/password_validation.py
+++ b/django/contrib/auth/password_validation.py
@@ -162,8 +162,8 @@ class CommonPasswordValidator:
Validate whether the password is a common password.
The password is rejected if it occurs in a provided list, which may be gzipped.
- The list Django ships with contains 1000 common passwords, created by Mark Burnett:
- https://xato.net/passwords/more-top-worst-passwords/
+ The list Django ships with contains 20000 common passwords, created by
+ Royce Williams: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
"""
DEFAULT_PASSWORD_LIST_PATH = os.path.join(
os.path.dirname(os.path.realpath(__file__)), 'common-passwords.txt.gz'
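Review bot: The new docstring cites a gist URL with no pinned revision, and the replaced `common-passwords.txt.gz` is a binary change, so nothing in this diff lets a reader check the shipped list against its stated source. The docs hunks in `passwords.txt` say the password is lowercased before comparison and that the file should hold one lowercase password per line, so any mixed-case entry in the new list would presumably never match. I would record the provenance in the docstring or beside `DEFAULT_PASSWORD_LIST_PATH`, for example `# Built from the gist above at revision <GIST_REVISION>: lowercased, de-duplicated, then gzipped.`, so the file can be regenerated and verified. As a minor style point, the docstring writes `20000` while the docs write `20,000`. The class body continues outside the hunk.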
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt
index 0125118de6..1e74ed8742 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -491,7 +491,7 @@ This example enables all four included validators:
eight.
* ``CommonPasswordValidator``, which checks whether the password occurs in a
list of common passwords. By default, it compares to an included list of
- 1000 common passwords.
+ 20,000 common passwords.
* ``NumericPasswordValidator``, which checks whether the password isn't
entirely numeric.
@@ -531,13 +531,17 @@ Django includes four validators:
Validates whether the password is not a common password. This converts the
password to lowercase (to do a case-insensitive comparison) and checks it
- against a list of 1000 common password created by `Mark Burnett
- `_.
+ against a list of 20,000 common password created by `Royce Williams
+ `_.
The ``password_list_path`` can be set to the path of a custom file of
common passwords. This file should contain one lowercase password per line
and may be plain text or gzipped.
+ .. versionchanged:: 2.1
+
+ In older versions, a list of 1,000 common passwords is used.
+
.. class:: NumericPasswordValidator()
Validates whether the password is not entirely numeric.