I’ve been doing some other things for the past year or so, but I think I’m ready to pick this back up. I have downloaded and imported all database dumps of which I am aware that have 1M or more compromised accounts in them, most of them from the past year. I think I have more than 100 databases imported. Now, I need to go back and grab just the unique records like I did before. Then, I’ll combine them back into the original database, and generate all the hashes I can for each one of them.
What might be interesting is to make a release of that database. Then, security researchers can use it as a pre-calculated hash table. They can do all sorts of whatever they want with it. And because it only has the actual passwords, and not usernames or email addresses, I believe it would be a perfectly ethical thing to do. So stay tuned, I might start work on that project.