Due to the recent influx in the selling of hash lists, I decided to make this guide for those who wish to benefit from them, but may not be familiar with how to use them properly. Please note that although I have a decent understanding of how these work, I am by no means an expert and may use the incorrect terminology or have some things inaccurate. Please feel free to correct me as you see fit.
We'll start off first and foremost with the most important question:
What Is a Hash List?
A hash list is, in simple terms, a list of usernames along with their encrypted passwords. These usually come along with an associated email. An mD5 hash is a string of 32 characters and is generated as a means of encrypting (or protecting) your password from people like us who wish to steal it. However, you can easily copy and paste the hash into an online database that will basically reveal to you the password. More info on this below.
A hash usually looks something like this (this particular one was taken from one of Possible's hash lists:
008235: 1. username = USERNAME123|-|-| 2. pass = b3726683365079da268d82dbde955066 () |-|-| 3. email = EMAIL@gmail.com
Where Can I Get Hash Lists?
It seems that they have come into high demand recently here on the forum. These lists currently can be purchased from users such as Demo or Possible. Both have become rather reputable for their hash lists generating quite a bit of wealth.
Chances are, you won't be able to generate your very own hash list. I'm sure there are ways to do it that I am not familiar with so I'll let you figure that out on your own.
Decoding the Hash
Let's take another look at our hash:
008235: 1. username = USERNAME123
|-|-| 2. pass = b3726683365079da268d82dbde955066
() |-|-| 3. email = EMAIL@gmail.com
Start by checking the username in Neopets to see if they exist. Use the following URL and simply copy and paste the username at the end. This will take you to the Userlookup if one exists.
If the account exists and is not frozen, I then move on to the password. Take your hash (in purple) and input it into the following database:
Simply paste your hash into the box, type in the Captcha and hit "decrypt hashes." With any luck, a password will be generated.
In this case the password was: sunn1d4y
Now go back to Neopets, enter the username with this password and see if it works.
If it asks for a birthday, this does not tell you if the password is right or wrong. Look at the URL. If the URL has the phrase "badpassword" in it at all, then the password is wrong. If, instead, it says "hi" in the URL, then you have a good password, you just need a birthday crack.
Using the Emails
So let's say you found an epic account, but the password didn't work. It's frustrating and oh so tantalizing to have the OLD password of a valuable account. Your next course of attack should be the email address. There's a few different things you can do:
1. Check if the email is unregistered. If it is, bingo! You got the account (unless the email was changed).
2. If the email is active, try the password you have for their email account. Just because they changed their Neopets password, they might have still left their email password the same.
3. If the above fails, try the "forgot password" option on their email account. Try answering their secret questions and resetting their password. This has amazingly worked for me SEVERAL times. I have gone as far as stalking people on Facebook in order to find out answers to their secret questions LOL. This is even easier if you have Demo's hash lists, because they often come with a little more info about the person, perhaps giving you more clues.
If all of the above fail, you should probably let it go. It sucks to see an epic account that you were so close to having access to, but if you don't have the password OR the email, you're pretty much SOL at this point. Move on to the next hash.
Why Do I Keep Getting Failed Passwords/Non-existing Neopets Accounts?
If my understanding is correct, hash lists are often harvested from forums, blogs, etc. THEREFORE (pay attention, this is important), these MAY OR MAY NOT be actual Neopets usernames and passwords. By taking the usernames and passwords from Neopets-RELATED sites, we are assuming that these people also have a Neopets account (or why else would they be on a Neo-related site, duh). However, they may or may not use the same username in Neopets as they do on this other site, and even if they do, this does not necessarily mean they will use the same password.
However, this is not to say that hash lists are useless. Quite the contrary. While it is common for you to come across usernames that do not pull up an existing account in Neopets, much of the time you will find an account to match. There have been SEVERAL vouchers claiming to have found hundreds of millions of NPs, super rare UCs, etc from hash lists. Don't let the unsuccessful hashes deter you.
Keep in mind, hash lists are a gamble. You may or may not strike it rich with these, it is all dependent on luck. It also depends quite a bit on how used your hash list was. Usually the seller will advise you if the hash list was previously looked through before. However, I have gotten pretty lucky even with used hash lists.
Please feel free to post questions regarding hash lists or suggestions for improving this guide.
Thanks for reading