10 Billion Passwords Leaked in the Largest Compilation of All Time (cybernews.com)
An anonymous reader shares a report: Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare. While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.
The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews' Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches. "In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.
The comprehensive list (Score:3)
password
password1
password2
.
.
password9999999999
password10000000000
Re:The comprehensive list [could be funny] (Score:1)
But that FP wasn't.
Solutions, anyway? Oh wait. I forgot this was Slashdot, land of virtual grousing. Pointless. Unlike grousing IRL where you can at least eat the grouse. (If you don't find it gross.)
My favorite solution approach? Hasn't changed much over the years. Go after the money. Even better if you can make 'em pay. I tend to focus on the email spam as the root of the ancient tree of evil, but the basic philosophy should be the same. For email the anti-spammer system should iterate between analysis, c
Re: (Score:2)
I first posted inside your mom.
I guess that dank dark basement is really starting to get to you by now.
I'll ask your Mom to toss down more chum once she and I are finished with her favorite "yoga exercise".
Re: (Score:2)
You're making it way too difficult.
Here's all passwords ever used everywhere:
^.*$
Beat that!
Wow, that's one billion more... (Score:2)
...than the names of God!
Re: (Score:1)
I invent new ones when I stub my toe.
Re: (Score:2)
But then you have to print them all out...
And Then the stars will disappear
There are only 6B people on Earth (Score:1)
Thus, most of these are probably old accounts and/or records of old passwords.
Re: There are only 6B people on Earth (Score:2)
Welcome to the future, time traveller. There are more than 8 billion people on Earth by now, and 2 billion ETs.
Re: (Score:1)
You horny bastards, you broke it!
-Charlton Heston
Re: (Score:2)
8,120,595,679 and counting...
Re: (Score:2)
From the article, "Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades."
Re: (Score:2)
From the article, "Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades."
Perfect for training AI to do something!? Right?
Re:There are only 6B people on Earth (Score:5, Informative)
It's generally considered good practice to have a different password for every service you use so it wouldn't be unreasonable for 1 billion users to have over 10 billion active passwords.
Re: (Score:2)
It's generally the case that no one (or hardly anyone) does that. Most of the accounts I use which require a password login (like /.) are accounts I don't care about getting hacked, indeed I can't imagine why anyone would hack those accounts. So for those accounts, I use the same password across multiple logins.
I do however have distinct passwords for what I consider important accounts, like financial. So yes, I do have > 10 passwords in all. I don't know how common that is, though.
Re: (Score:2)
It's generally the case that no one (or hardly anyone) does that.
I don't believe your information is current. I wouldn't be surprised if the majority of folks still do not; but Mac makes it quite painless and has done so for almost two decades. I see non-technical people using their Keychain quite frequently. Heck, even my wife uses unique passwords everywhere, and she tends to roll her eyes when I try to talk to her about security.
Windows was later to the game, but even it includes a built-in password wallet now.
Most of the accounts I use which require a password login (like /.) are accounts I don't care about getting hacked, indeed I can't imagine why anyone would hack those accounts. So for those accounts, I use the same password across multiple logins.
I do however have distinct passwords for what I consider important accounts, like financial. So yes, I do have > 10 passwords in all. I don't know how common that is, though.
If you're already using unique passwords for "important ac
Re: (Score:3, Insightful)
Re: (Score:3)
Setting aside that you're off by a few billion people on the planet, I think you have it exactly backwards, given that these are unique passwords.
Any given user will typically have somewhere between a few dozen and a few hundred accounts. I just checked, and I have around 600 accounts, but because I'm using a password manager, each account has a unique password. An everyday user who has just as many accounts may only reuse the same handful of passwords, many of which are likely to intersect with passwords t
Comment removed (Score:3)
Re: (Score:3)
FIDO auth with hw tokens, or Passkey (which is basically on-device FIDO auth).
2FA is a major PITA.
FIDO has its downsides: the service you try authenticating to can restrict which devices you can use, single point of failure, recovery is hard-ish, login at public terminals is impossible.
Re: (Score:3)
BitWarden, KeePass, some type of password manager has become a necessary tool for being on the internet today. I remember back in the DotCom-Boom days companies trying to sort out a universal internet SSO. For better or worse that never really happened so password managers are the compromise it feels like.
Has somebody indexed it? (Score:2)
Can I search it like "have i been pwned"?
Re: (Score:2)
Can I search it like "have i been pwned"?
Sure -- as soon as you enter your password into the search box, it adds it to the end of the list.
Where? (Score:2)
Where can we find this list? Is it actually compiled, or just a big mess of data files, some of which are hashed and not yet cracked?
very little in the breach many years back... was interesting and had additional information. It would be much more useful with personal info so one could compare that and "hints" to the passwords to look for behaviors. The Adobe breach had hints which often were related to the password... most not in ways you could automate an attack but I bet an AI could do more with that info
Re: (Score:3)
keep in mind that this file is 46G and 145G uncompressed...
Re: (Score:2)
Thanks. I wonder how much smaller it can get by switching from ZIP to 7z compression.
Is it sorted alphabetically? That will help with compressing such a large file. Presumably it was sorted, as part of the de-duplication process.
Re: (Score:2)
The first 8Mb was not empty, starts right off with some non-ASCII characters, probably because passwords aren't limited to ASCII. Looks to be one password per line, but pretty useless for any type of research. It's just a list of (possible) passwords, we don't know if the people supplying it just seeded it with a bunch of random garbage, and there's no username or system to tie it to, so you can't look for common patterns where people use the system's name or parts of their username. I can't tell if dupes
Re: (Score:2)
Thank you! A better question would be how to find things like this?
I'm out of touch, just doing some minor research. I did a little fooling with such things in the past looking for any trends and maybe a research paper idea. This must be sorted and stripped of duplicates and stripped of hashed passwords. I had tons of hashed stuff last time.
Re: (Score:2)
Sadly this looks like a lot of Unix hashes and garbage. Not that I can read it all... not too useful to have to crack this amount of data...
Those lists are most useful when... (Score:2)
Those lists are most useful when you already have something like the hash and can crack the password off-line. For example WiFi WPA handshakes can be captured then cracked off-line with such a password list. 10 billion tries (say 5 billion on average if the password is in the list) isn't really efficient to brute force an online account or something else interactively.
I have the old rockyou file and it's amazingly efficient since many people chose the same password without even knowing each other or being hinted.
I gues
Would a big enough database of these... (Score:2)
Would a big enough database of these poison the database used by hackers? There's got to be a point - admittedly above 10 billion, but still - where a large enough database of passwords to try becomes barely better than brute force.
Re: (Score:2)
I've wondered s.t. similar about large primes, the size that are used in pairs to encrypt data. How many of them are there in the relevant ranges, and would it be feasible to compile a database of them? Although the purpose would be the opposite of what you suggest: it would be for brute force decryption.
Re: (Score:3)
Highly unlikely.
Hackers already routinely download multiple lists and combine them... if they see a list that's many times larger than the other lists in the wild (especially if it's larger than all others combined) they'll probably just ignore it... and as soon as somebody is foolish enough to download it they'll report to others ASAP if it's a useless pile of garbage.
Re: (Score:2)
A lot of it will be redundant. Cracking tools already include features to generate variations and combinations of dictionary words, so you only need to throw the dictionary of the target site's language and a list of common names to get all those.
The completely random ones are of little value because they only match one use on one site where their computer randomly generated that sequence for them.
So that just leaves the new, previously unleaked, and fairly random but re-used by the user ones. Maybe some so
Re: (Score:2)
One could preprocess their user table vs. this leak once a day and any IP that tries ten non-user accounts from this list (cache today's signups) gets a 24-hr vacation.
Perhaps more implementable than actual poison.
I didn't see a link though.
This would be easy to code up. A trie should be fast enough. Maybe store a fast hash for better optics or distribution.
hrm, I never made a hash trie - somebody must have one available.
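A defender-side sketch of the idea in the comment above (preprocess the leak, count attempts against non-existent accounts that use leaked passwords, put the source IP on a 24-hour block), written as an added example for this thread rather than code from the article or any commenter. The leak sample, user table, IPs and timestamps are all constructed; the threshold of ten and the 24-hour block come from the comment.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                    # strikes before an IP gets its "24-hr vacation"
BLOCK_FOR = timedelta(hours=24)

def load_leak(lines):
    """Preprocess the leak once a day: keep SHA-256 digests, not the plaintext list."""
    return {hashlib.sha256(p.strip().encode()).digest() for p in lines if p.strip()}

class StuffingGuard:
    def __init__(self, leaked_digests, known_users):
        self.leak = leaked_digests
        self.users = set(known_users)   # user table; add today's signups here as they arrive
        self.strikes = defaultdict(int)
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def check(self, now, ip, username, password):
        """Run in the login handler before credential verification; True means refuse."""
        if self.is_blocked(ip, now):
            return True
        digest = hashlib.sha256(password.encode()).digest()
        if username not in self.users and digest in self.leak:
            self.strikes[ip] += 1                  # a strike: unknown account + leaked password
            if self.strikes[ip] >= THRESHOLD:
                self.blocked_until[ip] = now + BLOCK_FOR
                self.strikes[ip] = 0
                return True
        return False

def demo():
    """Constructed scenario: one IP sprays leaked passwords at accounts that do not exist."""
    guard = StuffingGuard(load_leak(["password", "123456", "qwerty"]), ["alice", "bob"])
    t0 = datetime(2024, 7, 5, 12, 0, 0)
    ip = "198.51.100.7"                           # constructed IP from the documentation range
    real_user = guard.check(t0, ip, "alice", "password")        # real account: never a strike
    hits = [guard.check(t0, ip, f"ghost{i}", "password") for i in range(THRESHOLD)]
    return {
        "real_user_rejected": real_user,                                    # False
        "rejected_on_tenth_only": hits[-1] and not any(hits[:-1]),          # True
        "blocked_after_23h": guard.is_blocked(ip, t0 + timedelta(hours=23)),  # True
        "blocked_after_25h": guard.is_blocked(ip, t0 + timedelta(hours=25)),  # False
        "unleaked_pw_ignored": guard.check(t0, "203.0.113.9", "ghost", "xk3!not-in-leak"),  # False
    }
```

The hashed set keeps the plaintext list out of the running service; at the real file's size you would back it with an on-disk structure rather than an in-memory set, but the decision logic stays the same.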
Change your password! - Seriously (Score:2)
The 10 minutes, it might take to update everything over the course of a couple of days, is no
Comment removed (Score:4, Informative)
Re: (Score:2)
The problem is even worse because people honestly think the browser has a password manager built in. I've had that argument numerous tim
Comment removed (Score:5, Insightful)
Re: (Score:2)
There is a point where security measures, even commonly accepted ones like MFA, become more hassle than they're worth.
Hear, hear. I'm glad these features exist, but I can't stand it when they are forced upon me. I really can't stand MFA, especially when a smart phone is the only accepted method, since I don't own a smart phone and don't want one.
As with mandatory password rotation, it'll be interesting to see how many mandatory security practices today will be banished in another 10-20 years.
Re: (Score:2)
If something requires a specific app for MFA, I'm out. If MFA requires two devices connected to the net, that's out too.
MFA is such a hassle since TOTP stopped being enough. Open password manager, copy TOTP code (hell, at one point it even filled it out). Now I have to hunt for the service's app, wait for notification, hope I only get one request token, tap button, pray connection works.
What does changing passwords every 90 days bring you? Nothing, except password12 after 3 years.
Re: (Score:2)
Re: (Score:2)
The really funny thing is that the one place no password manager works is when I try accessing corporate stuff. That means my password with the greatest societal risk (notwithstanding what I think about my employer) is in effect the weakest, because I just have to type it many times per day...
All in all, we're in agreement. Feels nice for a change.
Re: (Score:2)
This is why... (Score:2)
...I switched to unique long complex random passwords with 2FA where available on all of my accounts.
Most of my passwords are 16 characters... that's up to 30,583,281,110,353,123,000,000,000,000,000 possible passwords depending on if a site allows all special characters or not.
I'll probably have to upgrade again in a few years when the RTX 8090 comes out. ;-)
Just passwords? (Score:1)