Hugo February 19, 2015 1:13 PM

The top 20 passwords from that database are:


Anura February 19, 2015 1:30 PM

I wonder where these come from. I’d love to get a list of plaintext passwords from a major site that people actually take seriously, but that doesn’t have a password policy beyond (maybe) minimum number of characters. Last time I did an analysis on the RockYou database to figure out a good password policy (don’t remember my results off-hand) to provide a good balance between the number of passwords rejected and the ratio of distinct passwords to total passwords that fit the policy. However, my concern is that it’s not a very good test since a lot of people just put in junk passwords because they couldn’t care less if their account gets stolen.

Mark Gordon February 19, 2015 2:09 PM

Downloading Burnett’s list of passwords is a federal crime. Discuss.

For extra points: Using the Tails operating system is the least a security researcher should rely on to acquire Burnett’s file. Drink.

SoWhatDidYouExpect February 19, 2015 3:38 PM

This might explain why I am starting to get repeats of junk email from userids that had their passwords compromised sometime in the past.

keiner February 20, 2015 3:58 AM

…like nozamA, Epay and others. It’s a pest, buy this, wanna buy your car, nice women at the place you live, lottery… I think about sueing these idiots for personal data breach or so.

SoftChamp February 20, 2015 4:16 AM

“He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now.”

Thus everybody needs to use quality security software with decent password management features. Nowadays hackers are able to steal data even from big corporations like Facebook. Security software should be top priority for everyone, who cares about his/her personal information.

CallMeLateForSupper February 20, 2015 11:36 AM

Torrent, dag-nabbit! OK, I am a luddite; I don’t use torrent.

Every time I have wanted to d/l such a list, I was thwarted by one or more of:
1) you are not suthorized
2) sign in
3) enable JavaScript
4) enable cookies
5) torrent link only

Anura February 20, 2015 11:58 AM


I have that same problem. People keep sending me links to stuff, but I don’t have access to the internet.

Jesse Thompson February 20, 2015 2:49 PM

@Mark Gordon: Since Bruce has published some of the content from Burnett’s list of passwords on this blog post, does that mean we have already committed a federal crime? Dither.

No Such Agency February 20, 2015 8:37 PM

If I’m reading this correctly:

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;

…then as the password list is only for research purposes, then no crime has been committed.

Somebody February 23, 2015 10:42 AM

Passwords are a challenge and response system. However poor the password there are even fewer bits in the challenge (“password: ” has exactly zero bits). If the user has enough secure computing power/storage to run a password manager he has more than enough to handle many secure challenge and response schemes.

It’s time to stop saying that the problem is weak passwords and start saying the problem is that passwords are weak.

Nathanael February 23, 2015 12:15 PM

Passwords aren’t a problem per se. The problem is using them for things which aren’t really supposed to be secure.

Most people can keep a secure password for, for example, their bank. Nobody wants to have a secure password for all the random crap on the Internet which wants “passwords”.

For a lot of stuff, it’s practically public. The attack profile is basically spammers, period. You don’t need a very high level of security to keep out spammers.

Ayms February 24, 2015 8:45 AM

“hopefully everyone affected has changed their passwords by now”

Not sure at all… working email accounts can be found as well as existing and still alive social network accounts

FYI, Torrent-live detected a completely abnormal number of monitors for the torrent allowing to retrieve the file, it’s not supposed to be illegal to torrent it but take care.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.