10 Billion Password Leak Not What It Seems

Reports that hackers have got their hands on 10 billion passwords have been slightly overblown. The file includes passwords up to 20 years old and many may never have been used at all.

The "leak" involves an online post of a text file dubbed "RockYou 2024" which is said to contain 9,948,575,739 unique passwords, all stored in plain text.

It appears to be an update from a similar file published in 2021, with "only" 1.5 billion of the passwords added since that time. Cybernews estimates it contains passwords compiled from around 4,000 databases over the past 20 years. (Source: cybernews.com)

Brute Force

Anyone accessing the file with malicious attempt could use it in several ways. It could allow a brute force attack of simply trying passwords over and over again until one works. That's difficult on live websites which normally have measures to stop repeated unsuccessful attempts by locking out the user from attempting to login after a certain threshold.

Another method is to use the list on a stolen database of login details. In this scenario, with no restraints other than time, hackers hope to figure out how an encrypted password matches up to a plain text version. This can help them in turn figure out the encryption itself.

Database May Be Outdated

There's some debate about how useful this database actually is. Any passwords that were being used at the last update in 2021 will presumably either now either have been changed by the user or stand a good chance of already being compromised.

There's also some question about how many of the passwords, particularly the older ones, actually came from leaks of real login details. It's possible some or even many may simply have been created by security researchers to use for training exercises, for example to test how easy it is to crack stolen databases. (Source: lifehacker.com)

The best advice remains to use unique passwords wherever possible. Length makes the most difference while other tips including using numbers and symbols and avoiding words found in a dictionary. In many cases, a trustworthy password manager tool is the safest way to generate and store secure passwords without relying on memory.

What's Your Opinion?

Are you surprised by the size of this database? How do you create and secure passwords? Is the password still the best security measure?