
10 Billion Passwords Leaked in the Largest Compilation of All Time (cybernews.com)

An anonymous reader shares a report: Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare. While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews' Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches. "In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.

  • by PPH ( 736903 ) on Monday July 08, 2024 @10:29AM (#64609579)

    password
    password1
    password2
    .
    .
    password9999999999
    password10000000000
    • But that FP wasn't.

      Solutions, anyway? Oh wait. I forgot this was Slashdot, land of virtual grousing. Pointless. Unlike grousing IRL where you can at least eat the grouse. (If you don't find it gross.)

      My favorite solution approach? Hasn't changed much over the years. Go after the money. Even better if you can make 'em pay. I tend to focus on the email spam as the root of the ancient tree of evil, but the basic philosophy should be the same. For email the anti-spammer system should iterate between analysis, c

    • You're making it way too difficult.

      Here's all passwords ever used everywhere:

      ^.*$

      Beat that!

  • ...than the names of God!

  • Thus, most of these are probably old accounts and/or records of old passwords.

    • Welcome to the future, time traveller. There are more than 8 billion people on Earth by now, and 2 billion ETs.

    • by stern ( 37545 )

      From the article, "Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades."

      • From the article, "Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades."

        Perfect for training AI to do something!? Right?

    • by Comboman ( 895500 ) on Monday July 08, 2024 @10:45AM (#64609647)

      It's generally considered good practice to have a different password for every service you use so it wouldn't be unreasonable for 1 billion users to have over 10 billion active passwords.

      • It's generally the case that no one (or hardly anyone) does that. Most of the accounts I use which require a password login (like /.) are accounts I don't care about getting hacked, indeed I can't imagine why anyone would hack those accounts. So for those accounts, I use the same password across multiple logins.

        I do however have distinct passwords for what I consider important accounts, like financial. So yes, I do have > 10 passwords in all. I don't know how common that is, though.

        • It's generally the case that no one (or hardly anyone) does that.

          I don't believe your information is current. I wouldn't be surprised if the majority of folks still do not; but Mac makes it quite painless and has done so for almost two decades. I see non-technical people using their Keychain quite frequently. Heck, even my wife uses unique passwords everywhere, and she tends to roll her eyes when I try to talk to her about security.

          Windows was later to the game, but even it includes a built-in password wallet now.

          Most of the accounts I use which require a password login (like /.) are accounts I don't care about getting hacked, indeed I can't imagine why anyone would hack those accounts. So for those accounts, I use the same password across multiple logins.

          I do however have distinct passwords for what I consider important accounts, like financial. So yes, I do have > 10 passwords in all. I don't know how common that is, though.

          If you're already using unique passwords for "important ac

    • Re: (Score:3, Insightful)

      by Anonymous Coward
      If you only have one password per user then you are doing it wrong. I personally have over 100 in my password safe....
    • Setting aside that you're off by a few billion people on the planet, I think you have it exactly backwards, given that these are unique passwords.

      Any given user will typically have somewhere between a few dozen and a few hundred accounts. I just checked, and I have around 600 accounts, but because I'm using a password manager, each account has a unique password. An everyday user who has just as many accounts may only reuse the same handful of passwords, many of which are likely to intersect with passwords t

  • by account_deleted ( 4530225 ) on Monday July 08, 2024 @10:45AM (#64609649)
    Comment removed based on user account deletion
    • FIDO auth with hw tokens, or Passkey (which is basically on-device FIDO auth).
      2FA is a major PITA.

      FIDO has its downsides: the service you try authenticating to can restrict which devices you can use, single point of failure, recovery is hard-ish, login at public terminals is impossible.

    • BitWarden, KeePass, some type of password manager has become a necessary tool for being on the internet today. I remember back in the DotCom-Boom days companies trying to sort out a universal internet SSO. For better or worse that never really happened so password managers are the compromise it feels like.

  • Can I search it like "have i been pwned"?

    • by Jeremi ( 14640 )

      Can I search it like "have i been pwned"?

      Sure -- as soon as you enter your password into the search box, it adds it to the end of the list.

  • Where can we find this list? Is it actually compiled or just a big mess of data files, some of which are hashed and not yet cracked?
    Very little in the breach many years back... was interesting and had additional information. It would be much more useful with personal info so one could compare that and "hints" to the passwords to look for behaviors. The Adobe breach had hints which often were related to the password... most not in ways you could automate an attack, but I bet an AI could do more with that info.

    • Here it is [s3.timeweb.cloud]

      keep in mind that this file is 46G and 145G uncompressed...

      • by AmiMoJo ( 196126 )

        Thanks. I wonder how much smaller it can get by switching from ZIP to 7z compression.

        Is it sorted alphabetically? That will help with compressing such a large file. Presumably it was sorted, as part of the de-duplication process.

      • Thank you! A better question would be how to find things like this.

        I'm out of touch, just doing some minor research. I did a little fooling with such things in the past looking for any trends and maybe a research paper idea. This must be sorted and stripped of duplicates and stripped of hashed passwords. I had tons of hashed stuff last time.

      • Sadly this looks like a lot of unix hashed and garbage. Not that I can read it all... not too useful to have to crack this amount of data...

  • Those lists are most useful when you already have something like the hash and can crack the password off-line. For example, WiFi WPA handshakes can be captured and then cracked off-line with such a password list. 10 billion tries (say an average of 5 billion if the password is in the list) isn't really efficient for brute-forcing an online account or something else interactively.

    I have the old rockyou file and it's amazingly efficient since many people chose the same password without even knowing each other or being hinted.

    I gues

  • Would a big enough database of these poison the database used by hackers? There's got to be a point - admittedly above 10 billion, but still - where a large enough database of passwords to try becomes barely better than brute force.

    • I've wondered s.t. similar about large primes, the size that are used in pairs to encrypt data. How many of them are there in the relevant ranges, and would it be feasible to compile a database of them? Although the purpose would be the opposite of what you suggest: it would be for brute force decryption.

    • Highly unlikely.

      Hackers already routinely download multiple lists and combine them... if they see a list that's many times larger than the other lists in the wild (especially if it's larger than all others combined) they'll probably just ignore it... and as soon as somebody is foolish enough to download it they'll report to others ASAP if it's a useless pile of garbage.

      • by AmiMoJo ( 196126 )

        A lot of it will be redundant. Cracking tools already include features to generate variations and combinations of dictionary words, so you only need to throw the dictionary of the target site's language and a list of common names to get all those.

        The completely random ones are of little value because they only match one use on one site where their computer randomly generated that sequence for them.

        So that just leaves the new, previously unleaked, and fairly random but re-used by the user ones. Maybe some so

    • One could preprocess their user table vs. this leak once a day and any IP that tries ten non-user accounts from this list (cache today's signups) gets a 24-hr vacation.

      Perhaps more implementable than actual poison.

      I didn't see a link though.

      This would be easy to code up. A trie should be fast enough. Maybe store a fast hash for better optics or distribution.

      hrm, I never made a hash trie - somebody must have one available.
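A defender-side sketch of the check this comment describes, added here as an example and not code from the thread: passwords are looked up by SHA-256 digest (the "fast hash") in an in-memory set rather than a trie, the leaked list is a constructed five-entry sample standing in for rockyou2024.txt, and `StuffingGuard`, its strike threshold and the 24-hour ban window are assumed names and parameters, not anything from the page.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for the leaked plaintext list.
LEAKED_SAMPLE = ["password", "password1", "123456", "qwerty", "letmein"]


def hash_pw(password: str) -> bytes:
    # Store digests, not plaintext, so the index itself is not a usable wordlist.
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_leak_index(passwords) -> set:
    # Hypothetical: built once a day from the leak file, as the comment suggests.
    return {hash_pw(p) for p in passwords}


def is_compromised(password: str, leak_index: set) -> bool:
    # Usable at signup / password change to reject known-leaked passwords.
    return hash_pw(password) in leak_index


class StuffingGuard:
    """Hypothetical login-side guard: an IP that tries `threshold` distinct
    non-existent usernames with leaked passwords is banned for `ban_seconds`."""

    def __init__(self, leak_index, known_users, threshold=10, ban_seconds=24 * 3600):
        self.leak_index = leak_index
        self.known_users = set(known_users)  # must include today's signups
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.strikes = defaultdict(set)  # ip -> non-user usernames tried
        self.banned_until = {}           # ip -> unix time the ban expires

    def is_banned(self, ip: str, now: float) -> bool:
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_attempt(self, ip: str, username: str, password: str, now: float) -> str:
        """Return 'banned', 'strike' or 'ok' for one login attempt."""
        if self.is_banned(ip, now):
            return "banned"
        if username not in self.known_users and is_compromised(password, self.leak_index):
            self.strikes[ip].add(username)
            if len(self.strikes[ip]) >= self.threshold:
                self.banned_until[ip] = now + self.ban_seconds
                self.strikes.pop(ip, None)
                return "banned"
            return "strike"
        return "ok"
```

Real users typing a leaked password do not count towards a strike here, only attempts against accounts that do not exist, which is the signal the comment proposes.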

  • This morning I ran into an issue with Teams where someone got kicked out of our org. The solution was to reset the password from Microsoft Entra, and then for some reason they could get back online. I really don't know why that works, but it does. Anyway, I give the person the new password, and they were extremely annoyed because (paraphrased): “Now I have to change / update my password everywhere.”

    The 10 minutes, it might take to update everything over the course of a couple of days, is no
    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Monday July 08, 2024 @02:10PM (#64610495)
      Comment removed based on user account deletion
      • I actually agree that it should not be advice we give out, but, the number of people, technically qualified people, who will use passwords like "SecureP@ssw0d", is rage inducing. The NIST advice works, if you use good password hygiene, but even when you drill into people: "Use a password manager!", they'll turn around, not do it, then wonder why the account got hacked.

        The problem is even worse because people honestly think the browser has a password manager built in. I've had that argument numerous tim
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Monday July 08, 2024 @03:42PM (#64610799)
          Comment removed based on user account deletion
          • There is a point where security measures, even commonly accepted ones like MFA, become more hassle than they're worth.

            Hear, hear. I'm glad these features exist, but I can't stand it when they are forced upon me. I really can't stand MFA, especially when a smart phone is the only accepted method, since I don't own a smart phone and don't want one.

            As with mandatory password rotation, it'll be interesting to see how many mandatory security practices today will be banished in another 10-20 years.

    • If something requires a specific app for MFA, I'm out. If MFA requires two devices connected to the net, that's out too.
      MFA is such a hassle since TOTP stopped being enough. Open password manager, copy TOTP code (hell, at one point it even filled it out). Now I have to hunt for the service's app, wait for notification, hope I only get one request token, tap button, pray connection works.

      What does changing passwords every 90 days bring you? Nothing, except password12 after 3 years.

      • Changing your password isn't for people who follow good password hygiene policy, it's for people who don't. The reason we have to force them, is because they used "P@ssw0rd12", and it's on 10 accounts. It's an issue when these password lists get dumped, and that's why it's recommended. If you generated good unique passwords in the first place, such as: "[qgugetTD(=#)hS7a@ZBTbgAs6SZztxh)bW3eTkHZ;4pDPRMbP]CTZhT!sckt94", then why would any one care? The only password you should know is a 32–64 charac
        • The really funny thing is that the one place no password manager works is when I try accessing corporate stuff. That means my password with the greatest societal risk (notwithstanding what I think about my employer) is in effect the weakest, because I just have to type it many times per day...

          All in all, we're in agreement. Feels nice for a change.

          • That's terrifyingly true. In my experience the corporate environments that try to lay into "security / privacy" the most, such as medical, banking, government and military, outright restrict password managers.
  • ...I switched to unique long complex random passwords with 2FA where available on all of my accounts.

    Most of my passwords are 16 characters... that's up to 30,583,281,110,353,123,000,000,000,000,000 possible passwords depending on if a site allows all special characters or not.

    I'll probably have to upgrade again in a few years when the RTX 8090 comes out. ;-)

  • Just a file of passwords, or are usernames included?
