UNIQPASS is a large password list for use with John the Ripper (JtR) wordlist mode to translate large number of hashes, e.g. MD5 hashes, into cleartext passwords. While we have had good success rate with our standard password list passwords.txt, we found that the list can be made more useful and relevant by including commonly used passwords from the recently leaked databases that have been made public. As a result, we have compiled millions of these unique passwords into UNIQPASS. Such list is especially handy for pentesters to perform comprehensive password audit and also for IT administrators to expose insecure passwords used by their users.


Version 18 released on March 8, 2017 with 363,124,316 entries
1.For use with JtR wordlist mode with --rules set
2.All passwords are unique and listed in sorted order according to their native byte values using UNIX sort command
3.192,916 of the passwords (UNIQPASS v1) came from English dictionary
4.The remaining passwords were collected from leaked databases from various websites (including major sites e.g. Sony Pictures, Gawker)
5.Max. password length is 30 characters long
6.Password may consist of a-z, 0-9, spaces and special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < , > . ? /
7.UNIX end-of-line character is used as the newline character
8.Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords
9.List compressed size is 773.0 MB, i.e. the downloadable size
10.The total unmangled entries, 363,124,316, is based on UNIX wc -l output
11.There are 6,592,137,118 entries upon applying JtR default mangling rules with john --wordlist=uniq.txt --rules --stdout | unique mangled.lst


Use the public API endpoint to check for known password using 6,592,137,118 entries from UNIQPASS v18. This endpoint is suited for use as a free third party service to allow your application to check if a user-entered password is a known password. For security reason, password must be hashed using SHA-256 hashing algorithm before it can be checked using this API endpoint. See the API documentation for more details.<SHA256_PASSWORD>/


In the following test, we compare the success rate of JtR wordlist cracking mode against a list of 551,638 MD5 hashes using our standard password list passwords.txt vs. UNIQPASS v18. We use JtR 1.8.0 community-enhanced version for this test. The hashes are passwords for accounts from several leaked databases published by LulzSec back in June 2011.

$ john --format=raw-MD5 --wordlist=passwords.txt --rules hashes.txt
$ john --format=raw-MD5 --show hashes.txt
219722 password hashes cracked, 331916 left
passwords.txt cracked 40% of the hashes using JtR wordlist mode with rules enabled.
$ john --format=raw-MD5 --wordlist=uniq.txt --rules hashes.txt
$ john --format=raw-MD5 --show hashes.txt
515618 password hashes cracked, 36020 left
UNIQPASS v18 cracked 93% of the hashes using JtR wordlist mode with rules enabled.

Upon completing a dictionary attack (wordlist mode), the next step is to resume the same session with JtR incremental mode leaving it to run for a couple hours or until we achieve a desirable yield. This can done with e.g. john --format=raw-MD5 --incremental --max-run-time=3600 hashes.txt.

Password Length Distribution

The chart below shows the password length distribution for UNIQPASS v18. Each slice represents the number of entries having the specified length.

Get a copy of UNIQPASS v18

The preview copy of UNIQPASS v18 is available for download at uniqpass_preview.txt (22MB). The complete list of UNIQPASS is available for purchase at only $12.99 USD. We accept Bitcoin where we charge the equivalent BTC amount as per current exchange rate. Alternatively, you may transfer $12.99 USD to our PayPal account at PayPal accepts all credit cards (Visa, MasterCard, American Express, Discover), so a PayPal account is not required. For other payment method, please contact us directly at

Step 1: Select your payment option below.

Step 2: We will deliver UNIQPASS as a private download link to you via email within 24 hours once we have confirmed your payment.

Recommended Tools

Depending on your use cases, we recommend one or more of the following password recovery tools for use with UNIQPASS:

John the Ripper (JtR)
Our current default tool to audit most of the leaked hashes
De facto standard GPU-based password cracker
Useful set of utilities to manipulate wordlist
Fast network logon cracker
Cain & Abel
Password recovery tool for Microsoft Operating Systems
802.11 WEP and WPA-PSK keys cracking program
Los Angeles Times (June 16, 2011) (June 17, 2011)
PCWorld (December 27, 2011)
Forbes (December 28, 2011)
CNN (December 30, 2011)
MSNBC (January 4, 2012)
FOX News (January 5, 2012)
Wired (July 12, 2012)