UNIQPASS is a large password list for use with John the Ripper (JtR) wordlist mode to translate a large number of hashes, e.g. MD5 hashes, into cleartext passwords. While we have had a good success rate with our standard password list passwords.txt, we found that the list can be made more useful and relevant by including commonly used passwords from recently leaked databases that have been made public. As a result, we have compiled millions of these unique passwords into UNIQPASS. Such a list is especially handy for pentesters performing a comprehensive password audit and for IT administrators who need to expose insecure passwords used by their users.



UNIQPASS Specifications

Version 14 released on September 30, 2013 with 241,584,732 entries
1. For use with JtR wordlist mode with --rules set
2. All passwords are unique and listed in sorted order according to their native byte values using the UNIX sort command
3. 192,916 of the passwords (UNIQPASS v1) came from an English dictionary
4. The remaining passwords were collected from leaked databases from various websites (including major sites, e.g. Sony Pictures, Gawker)
5. Max. password length is 30 characters
6. Passwords may consist of a-z, 0-9, spaces and special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < , > . ? /
7. The UNIX end-of-line character is used as the newline character
8. Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords
9. The compressed size of the list is 428.0 MB, i.e. the downloadable size
10. The total number of entries, 241,584,732, is based on UNIX wc -l output
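For the administrator use case, items 2, 5, 7 and 8 mean a list in this layout can serve as a deny-list at password-change time without loading it into memory. The following is an added example, not code from Dazzlepod or the JtR project: it binary-searches a byte-sorted file through mmap, and the function names and the small sample list are constructed for illustration.

```python
import mmap
import os
import tempfile

MAX_LEN = 30  # item 5: longest entry in the list


def normalize(candidate: bytes) -> bytes:
    """Apply the list's own clean-up (item 8) to a candidate password."""
    return candidate.replace(b"\x00", b"").rstrip(b" \t")


def in_wordlist(path: str, candidate: bytes) -> bool:
    """Binary-search a byte-sorted, LF-terminated list without loading it."""
    target = normalize(candidate)
    if not target or len(target) > MAX_LEN or b"\n" in target:
        return False  # cannot be an entry under items 5 and 7
    if os.path.getsize(path) == 0:
        return False  # mmap refuses empty files
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        lo, hi = 0, len(mm)  # both always sit on a line start (or EOF)
        while lo < hi:
            mid = (lo + hi) // 2
            nl = mm.rfind(b"\n", lo, mid)
            start = lo if nl == -1 else nl + 1  # start of the line holding mid
            end = mm.find(b"\n", start, hi)
            if end == -1:
                end = hi  # last line lacks a trailing newline
            line = mm[start:end]
            if line == target:
                return True
            if line < target:  # bytes compare by byte value, as in item 2
                lo = end + 1
            else:
                hi = start
    return False


def write_sample() -> str:
    """Write a small constructed list in the same layout; return its path."""
    words = {b"123456", b"letmein", b"password", b"p@ss w0rd", b"qwerty"}
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\n".join(sorted(words)) + b"\n")
    return path
```

Each lookup touches only about log2(N) lines, roughly 28 for a list of this size, so the check is cheap enough to run inline when a user sets a new password.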

Performance
In the following test, we compare the success rate of JtR wordlist cracking mode against a list of 551,638 MD5 hashes using our standard password list passwords.txt vs. UNIQPASS v14. We use the JtR 1.7.9 community-enhanced version for this test. The hashes are passwords for accounts from several leaked databases described in LulzSec (final release).

$ john --format=raw-MD5 --wordlist=passwords.txt --rules hashes.txt
..
$ john --format=raw-MD5 --show hashes.txt
..
219722 password hashes cracked, 331916 left

passwords.txt cracked 40% of the hashes using JtR wordlist mode with rules enabled.

$ john --format=raw-MD5 --wordlist=uniq.txt --rules hashes.txt
..
$ john --format=raw-MD5 --show hashes.txt
..
515043 password hashes cracked, 36595 left

UNIQPASS v14 cracked 93% of the hashes using JtR wordlist mode with rules enabled.

Upon completing a dictionary attack (wordlist mode), the next step is to resume the same session with JtR incremental mode, leaving it to run for a couple of hours or until we achieve a desirable yield. This can be done with e.g. john --format=raw-MD5 --incremental --max-run-time=3600 hashes.txt.


Password Length Distribution
The chart below shows the password length distribution for UNIQPASS v14. Each slice represents the number of entries having the specified length.


Get a copy of UNIQPASS v14
The preview copy of UNIQPASS v14 is available for download at uniqpass_preview.txt (21MB). The complete list of UNIQPASS is available for purchase at only $12.99 USD. We accept Bitcoins, charging the equivalent BTC amount as per the current exchange rate at BTC-e.com. Alternatively, you may transfer $12.99 USD to our PayPal account at disclosure@dazzlepod.com. PayPal accepts all credit cards (Visa, MasterCard, American Express, Discover), so a PayPal account is not required. For other payment methods, please contact us directly at disclosure@dazzlepod.com.

We will deliver UNIQPASS (its private download link) to you via email within 24 hours once we have confirmed your payment. We will also deliver newer copies of UNIQPASS (announced via @UNIQPASS) to the same email address for free upon request, so you only need to purchase UNIQPASS once to receive future updates for free.


Recommended Tools
Depending on your use cases, we recommend one or more of the following password recovery tools for use with UNIQPASS:

John the Ripper (JtR)
Our current default tool to audit most of the leaked hashes
http://www.openwall.com/john/
oclHashcat
De facto standard GPU-based password cracker
http://hashcat.net/oclhashcat/
hashcat-utils
Useful set of utilities to manipulate wordlist
http://hashcat.net/wiki/hashcat_utils
THC-Hydra
Fast network logon cracker
http://www.thc.org/thc-hydra/
Cain & Abel
Password recovery tool for Microsoft Operating Systems
http://www.oxid.it/cain.html
Aircrack-ng
802.11 WEP and WPA-PSK keys cracking program
http://www.aircrack-ng.org
KisMAC
Wireless stumbling and security tool for Mac OS X
http://kismac-ng.org



© 2014 Dazzlepod

WARNING AND DISCLAIMER OF WARRANTY
We do not condone nor encourage the use of UNIQPASS to perform dictionary attack against user accounts without prior written and explicit permission from the respective owners. UNIQPASS is distributed in the hope that it will be useful, but without any warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.