UNIQPASS is a large password list for use with John the Ripper (JtR) wordlist mode to translate a large number of hashes, e.g. MD5 hashes, into cleartext passwords. While we have had a good success rate with our standard password list passwords.txt, we found that the list can be made more useful and relevant by including commonly used passwords from recently leaked databases that have been made public. As a result, we have compiled millions of these unique passwords into UNIQPASS. Such a list is especially handy for pentesters performing comprehensive password audits and for IT administrators who want to expose insecure passwords used by their users.
UNIQPASS Specifications
| Version 13 released on May 6, 2013 with 153,056,394 entries | |
|---|---|
| 1. | For use with JtR wordlist mode with --rules set |
| 2. | All passwords are unique and listed in sorted order according to their native byte values using UNIX sort command |
| 3. | 192,916 of the passwords (UNIQPASS v1) came from English dictionary |
| 4. | The remaining passwords were collected from leaked databases from various websites (including major sites e.g. Sony Pictures, Gawker) |
| 5. | Max. password length is 30 characters long |
| 6. | Password may consist of a-z, 0-9, spaces and special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] \| \ : ; " ' < , > . ? / |
| 7. | UNIX end-of-line character is used as the newline character |
| 8. | Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords |
| 9. | List compressed size is 306.6 MB, i.e. the downloadable size |
| 10. | The total entries, 153,056,394, is based on UNIX wc -l output |
| 11. | There are 2,147,483,647 entries upon applying JtR default mangling rules with `john --wordlist=uniq.txt --rules --stdout \| unique mangled.lst` |
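Because the list is unique and sorted by native byte value (item 2), an administrator can test whether a proposed password appears in it by binary search over the file, without loading all entries into memory. The following is an added example, not code from UNIQPASS or its authors; the function names, the sample entries, UTF-8 encoding of candidates and the reading of the 30-character limit as bytes are assumptions.

```python
import mmap
import os
import tempfile

MAX_LEN = 30  # spec item 5, read here as bytes (assumption)

def normalize(pw: bytes) -> bytes:
    # Spec item 8: no NUL bytes, no trailing spaces or tabs.
    return pw.replace(b"\x00", b"").rstrip(b" \t")

def is_byte_sorted_unique(path: str) -> bool:
    # Binary search needs spec item 2: strictly increasing byte order, not locale order.
    prev = None
    with open(path, "rb") as f:
        for line in f:
            cur = line.rstrip(b"\n")
            if prev is not None and cur <= prev:
                return False
            prev = cur
    return True

def in_wordlist(path: str, password: str) -> bool:
    cand = normalize(password.encode("utf-8"))
    if not cand or len(cand) > MAX_LEN or os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        lo, hi = 0, len(mm)  # byte window; lo is always the start of a line
        while lo < hi:
            mid = (lo + hi) // 2
            nl = mm.rfind(b"\n", lo, mid)
            start = lo if nl == -1 else nl + 1  # start of the line holding mid
            end = mm.find(b"\n", mid, hi)
            if end == -1:
                end = hi  # final line without a trailing newline
            line = mm[start:end]
            if line == cand:
                return True
            if line < cand:
                lo = end + 1
            else:
                hi = start
    return False

def write_sample(entries) -> str:
    # Constructed sample entries, not UNIQPASS data.
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\n".join(entries) + b"\n")
    return path
SAMPLE = sorted({b"123456", b"Password1", b"letmein", b"p@ss word", b"qwerty", b"~tilde"})
```

Run `is_byte_sorted_unique` once per list file before relying on `in_wordlist`; a list sorted under a locale collation would make the search miss entries.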
Performance
In the following test, we compare the success rate of JtR wordlist cracking mode against a list of 551,638 MD5 hashes using our standard password list passwords.txt vs. UNIQPASS v13. We use the JtR 1.7.9 community-enhanced version for this test. The hashes are passwords for accounts from several leaked databases described in LulzSec (final release).
```
$ john --format=raw-MD5 --wordlist=passwords.txt --rules hashes.txt
..
$ john --format=raw-MD5 --show hashes.txt
..
219722 password hashes cracked, 331916 left
```

```
$ john --format=raw-MD5 --wordlist=uniq.txt --rules hashes.txt
..
$ john --format=raw-MD5 --show hashes.txt
..
515011 password hashes cracked, 36627 left
```
john --format=raw-MD5 --incremental --max-run-time=3600 hashes.txt.
Password Length Distribution
The chart below shows the password length distribution for UNIQPASS v13. Each slice represents the number of entries having the specified length.
Get a copy of UNIQPASS v13
The complete list of UNIQPASS is available for purchase at only $12.99 USD. We accept Bitcoins, for which we charge the equivalent BTC amount as per the current exchange rate at Mt.Gox. Alternatively, you may transfer $12.99 USD to our PayPal account at disclosure@dazzlepod.com. For other payment methods, please contact us directly at disclosure@dazzlepod.com. See uniqpass_preview.txt (19.3MB) for a preview of UNIQPASS v13.
Bitcoin Payment
We will deliver UNIQPASS (its private download link) to you via email within 24 hours once we have confirmed your payment. We will also deliver newer copies of UNIQPASS (announced via @UNIQPASS) to the same email address for free upon request, so you only need to purchase UNIQPASS once to receive future updates for free.
Recommended Tools
Depending on your use cases, we recommend one or more of the following password recovery tools for use with UNIQPASS: