Identity & Access

Researcher Publishes 10 Million Usernames and Passwords

In an effort to contribute to making authentication more secure, a researcher has decided to publish 10 million username/password combinations that he has collected over the years from the Web.

The number of leaked passwords has increased significantly over the past few years. Specialized websites that allow users to check whether their credentials have been exposed in major data breaches have already collected hundreds of millions of records. For example, Have I Been Pwned? has 175 million accounts and PwnedList has close to 390 million.

Leaked passwords have been used by many companies to determine the most common passwords and other trends. However, in many cases, only passwords are made available.

Security consultant, author, and researcher Mark Burnett has been collecting publicly available passwords for the past 15 years and now he has decided to make available 10 million of them, along with their associated usernames, to provide insight into user password selection. The expert believes the analysis of both usernames and passwords has been neglected, which is why he has published a “clean set of data” that others can study.

Burnett has highlighted the fact that the username and password combinations are unlikely to be abused. The researcher has removed the domain part from email addresses, keywords that could provide clues to the source of the credentials, information that could be particularly linked to an individual, financial information, and accounts clearly belonging to government and military employees. Furthermore, the data comes from thousands of incidents that took place over the past 15 years so the accounts cannot be tied to the companies they were stolen from.
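The sanitization steps listed above, followed by the kind of username/password analysis the release is meant to enable, as an added Python example that is not part of the article or of Burnett's data set. The records, the source keywords and the government/military domain suffixes are constructed for illustration; the Luhn-based financial-data filter is one possible heuristic and not Burnett's method, and the article's "information particularly linked to an individual" criterion has no general mechanical test, so only the filters that can be mechanized are implemented here.

```python
import re
from collections import Counter

# Constructed sample records in user:password form; none are real credentials.
RAW_RECORDS = [
    "alice.smith@example.com:Password1",
    "bob@agency.gov:Summer2014!",          # government account -> dropped
    "carol@army.mil:letmein",              # military account -> dropped
    "dave@acmeforum.example:dave2009",     # carries a source keyword -> dropped
    "erin@example.net:4111111111111111",   # card-like password -> dropped
    "frank@example.com:123456",
    "grace@example.com:123456",
    "heidi@example.com:heidi",
]

# Hypothetical keywords that hint at the breached site; records containing them are dropped.
SOURCE_KEYWORDS = ("acmeforum",)
# Domain suffixes treated as government/military (assumption for this example).
GOV_MIL_SUFFIXES = (".gov", ".mil")
# Candidate payment-card numbers: 13 to 19 consecutive digits.
CARD_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_financial(password):
    """Heuristic: a Luhn-valid 13-19 digit run is treated as financial data."""
    return any(luhn_ok(m) for m in CARD_RE.findall(password))


def sanitize(record):
    """Return (local_part, password) with the email domain stripped, or None to drop."""
    user, sep, password = record.partition(":")
    if not sep or not user or not password:
        return None
    local, _, domain = user.partition("@")
    if domain.lower().endswith(GOV_MIL_SUFFIXES):
        return None
    if any(k in record.lower() for k in SOURCE_KEYWORDS):
        return None
    if looks_financial(password):
        return None
    return local, password


def sanitize_all(records):
    """Apply sanitize() to every record and keep the survivors."""
    return [s for s in (sanitize(r) for r in records) if s is not None]


def analyze(pairs):
    """Statistics the release is meant to support: frequency and username/password overlap."""
    passwords = Counter(p for _, p in pairs)
    overlap = sum(
        1 for u, p in pairs
        if u.lower() in p.lower() or p.lower() in u.lower()
    )
    return {
        "total": len(pairs),
        "top_passwords": passwords.most_common(3),
        "username_in_password": overlap,
    }


if __name__ == "__main__":
    clean = sanitize_all(RAW_RECORDS)
    for user, pw in clean:
        print(f"{user}:{pw}")
    print(analyze(clean))
```

Running the block prints the four surviving records and a summary showing "123456" as the most common password and one account whose password repeats its username.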

The researcher has also pointed out that a majority of the passwords are likely invalid because most of the affected companies have already notified their customers and urged them to change their passwords following a breach.

Burnett said he was concerned about releasing the data, especially after the recent conviction of Barrett Brown, a journalist who was sentenced to five years in prison, partly for publishing a link to sensitive information stolen by hackers from the think tank Stratfor in 2011. Prosecutors charged Brown with trafficking in stolen authentication features.

Due to these recent events, Burnett published a lengthy blog post, which primarily focuses on justifying the release of the data.

“In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access,” the researcher wrote.

Burnett has noted that he shouldn’t be in any kind of trouble for publishing the data as current legislation only targets those who release passwords “knowingly and with intent to defraud.” However, changes proposed by the White House to the controversial Computer Fraud and Abuse Act (CFAA), which was used to prosecute Andrew “Weev” Auernheimer and Aaron Swartz, could make this illegal.

In the new CFAA, “with intent to defraud” might be replaced with “willfully” and the law will read: “knowingly and with intent to defraud willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking.”

“I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me,” Burnett said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
