Earlier this month, Mark Burnett released a database of ten million usernames and passwords. He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now.
Anura • February 19, 2015 1:30 PM
I wonder where these come from. I’d love to get a list of plaintext passwords from a major site that people actually take seriously, but that doesn’t have a password policy beyond (maybe) minimum number of characters. Last time I did an analysis on the RockYou database to figure out a good password policy (don’t remember my results off-hand) to provide a good balance between the number of passwords rejected and the ratio of distinct passwords to total passwords that fit the policy. However, my concern is that it’s not a very good test since a lot of people just put in junk passwords because they couldn’t care less if their account gets stolen.
denis gobo • February 19, 2015 1:35 PM
Surprised Michael is not on that list..it is usually always in the top 10
Mark Gordon • February 19, 2015 2:09 PM
Downloading Burnett’s list of passwords is a federal crime. Discuss.
For extra points: Using the Tails operating system is the least a security researcher should rely on to acquire Burnett’s file. Drink.
Mark Burnett • February 19, 2015 2:32 PM
I wonder where these come from.
@anura, this article explains the source of the passwords
SoWhatDidYouExpect • February 19, 2015 3:38 PM
This might explain why I am starting to get repeats of junk email from userids that had their passwords compromised sometime in the past.
keiner • February 20, 2015 3:58 AM
…like nozamA, Epay and others. It’s a pest, buy this, wanna buy your car, nice women at the place you live, lottery… I think about sueing these idiots for personal data breach or so.
SoftChamp • February 20, 2015 4:16 AM
“He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now.”
Thus everybody needs to use quality security software with decent password management features. Nowadays hackers are able to steal data even from big corporations like Facebook. Security software should be top priority for everyone, who cares about his/her personal information.
Alex • February 20, 2015 7:10 AM
New Lenovo/Superfish malware:
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839/page/6
Even worse, the Superfish certificate can be used by everyone for MitM attack:
https://twitter.com/supersat/status/568329299494744065
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
http://www.wired.com/2015/02/lenovo-superfish/
CallMeLateForSupper • February 20, 2015 11:36 AM
Torrent, dag-nabbit! OK, I am a luddite; I don’t use torrent.
Every time I have wanted to d/l such a list, I was thwarted by one or more of:
1) you are not suthorized
2) sign in
3) enable JavaScript
4) enable cookies
5) torrent link only
Anura • February 20, 2015 11:58 AM
@CallMeLateForSupper
I have that same problem. People keep sending me links to stuff, but I don’t have access to the internet.
Jesse Thompson • February 20, 2015 2:49 PM
@Mark Gordon: Since Bruce has published some of the content from Burnett’s list of passwords on this blog post, does that mean we have already committed a federal crime? Dither.
Jesse Thompson • February 20, 2015 2:54 PM
s/Bruce/Hugo, in the comments/
No Such Agency • February 20, 2015 8:37 PM
If I’m reading this correctly: http://www.law.cornell.edu/uscode/text/18/1030
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
…then as the password list is only for research purposes, then no crime has been committed.
Chris Jones • February 21, 2015 12:19 PM
@CallMeLateForSupper Move out of the 1970’s browser and you should be fine.
Somebody • February 23, 2015 10:42 AM
Passwords are a challenge and response system. However poor the password there are even fewer bits in the challenge (“password: ” has exactly zero bits). If the user has enough secure computing power/storage to run a password manager he has more than enough to handle many secure challenge and response schemes.
It’s time to stop saying that the problem is weak passwords and start saying the problem is that passwords are weak.
Nathanael • February 23, 2015 12:15 PM
Passwords aren’t a problem per se. The problem is using them for things which aren’t really supposed to be secure.
Most people can keep a secure password for, for example, their bank. Nobody wants to have a secure password for all the random crap on the Internet which wants “passwords”.
For a lot of stuff, it’s practically public. The attack profile is basically spammers, period. You don’t need a very high level of security to keep out spammers.
Ayms • February 24, 2015 8:45 AM
“hopefully everyone affected has changed their passwords by now”
Not sure at all… working email accounts can be found as well as existing and still alive social network accounts
FYI, Torrent-live detected a completely abnormal number of monitors for the torrent allowing to retrieve the file, it’s not supposed to be illegal to torrent it but take care.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Hugo • February 19, 2015 1:13 PM
The top 20 passwords from that database are:
123456
password
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
696969
shadow
master
666666