Database of Ten Million Passwords

Earlier this month, Mark Burnett released a database of ten million usernames and passwords. He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now.

News articles.

Posted on February 19, 2015 at 1:02 PM • 18 Comments

Comments

HugoFebruary 19, 2015 1:13 PM

The top 20 passwords from that database are:

123456
password
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
696969
shadow
master
666666

AnuraFebruary 19, 2015 1:30 PM

I wonder where these come from. I'd love to get a list of plaintext passwords from a major site that people actually take seriously, but that doesn't have a password policy beyond (maybe) minimum number of characters. Last time I did an analysis on the RockYou database to figure out a good password policy (don't remember my results off-hand) to provide a good balance between the number of passwords rejected and the ratio of distinct passwords to total passwords that fit the policy. However, my concern is that it's not a very good test since a lot of people just put in junk passwords because they couldn't care less if their account gets stolen.

Mark GordonFebruary 19, 2015 2:09 PM

Downloading Burnett's list of passwords is a federal crime. Discuss.

For extra points: Using the Tails operating system is the least a security researcher should rely on to acquire Burnett's file. Drink.

SoWhatDidYouExpectFebruary 19, 2015 3:38 PM

This might explain why I am starting to get repeats of junk email from userids that had their passwords compromised sometime in the past.

keinerFebruary 20, 2015 3:58 AM

...like nozamA, Epay and others. It's a pest, buy this, wanna buy your car, nice women at the place you live, lottery... I think about sueing these idiots for personal data breach or so.

SoftChampFebruary 20, 2015 4:16 AM

"He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now."

Thus everybody needs to use quality security software with decent password management features. Nowadays hackers are able to steal data even from big corporations like Facebook. Security software should be top priority for everyone, who cares about his/her personal information.

CallMeLateForSupperFebruary 20, 2015 11:36 AM

Torrent, dag-nabbit! OK, I am a luddite; I don't use torrent.

Every time I have wanted to d/l such a list, I was thwarted by one or more of:
1) you are not suthorized
2) sign in
3) enable JavaScript
4) enable cookies
5) torrent link only

AnuraFebruary 20, 2015 11:58 AM

@CallMeLateForSupper

I have that same problem. People keep sending me links to stuff, but I don't have access to the internet.

Jesse ThompsonFebruary 20, 2015 2:49 PM

@Mark Gordon: Since Bruce has published some of the content from Burnett's list of passwords on this blog post, does that mean we have already committed a federal crime? Dither.

No Such AgencyFebruary 20, 2015 8:37 PM

If I'm reading this correctly: http://www.law.cornell.edu/uscode/text/18/1030

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States;

...then as the password list is only for research purposes, then no crime has been committed.

SomebodyFebruary 23, 2015 10:42 AM

Passwords are a challenge and response system. However poor the password there are even fewer bits in the challenge ("password: " has exactly zero bits). If the user has enough secure computing power/storage to run a password manager he has more than enough to handle many secure challenge and response schemes.

It's time to stop saying that the problem is weak passwords and start saying the problem is that passwords are weak.

NathanaelFebruary 23, 2015 12:15 PM

Passwords aren't a problem per se. The problem is using them for things which aren't really supposed to be secure.

Most people can keep a secure password for, for example, their *bank*. Nobody wants to have a secure password for all the random crap on the Internet which wants "passwords".

For a lot of stuff, it's practically public. The attack profile is basically spammers, period. You don't need a very high level of security to keep out spammers.

AymsFebruary 24, 2015 8:45 AM

"hopefully everyone affected has changed their passwords by now"

Not sure at all... working email accounts can be found as well as existing and still alive social network accounts

FYI, Torrent-live detected a completely abnormal number of monitors for the torrent allowing to retrieve the file, it's not supposed to be illegal to torrent it but take care.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.