Security researcher publishes 10M usernames / passwords to help understand authentication patterns

Shawn Knight



Security researcher Mark Burnett is capturing headlines after publishing a list of 10 million usernames and passwords on the Internet.

All things considered, there’s probably not a whole lot to worry about with the dump. That’s because – at one time or another – every username and password in the list was publicly available in plaintext to anyone who cared to find it via a search engine.

To ensure that no single source or company was targeted, Burnett sourced credentials from numerous sites, combining samples from thousands of global incidents over the last five years with other data dating back an additional 10 years. He also removed identifying keywords and manually reviewed much of the data that could link to an individual.

As such, the researcher believes that the dump primarily consists of dead passwords. If that’s the case, why even bother re-releasing old passwords (along with usernames, which is rare) in the first place?

Burnett said his intent is not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. Instead, he said the intent is to further research with the goal of making authentication more secure and ultimately protect from fraud and unauthorized access.

If you read through his blog post, you can see that he’s gone to great lengths to point out reasons as to why he shouldn’t be arrested. Now it’s just a waiting game to see if authorities make a move.


 
IMHO, sloppy science, and if you ask me, the guy should be arrested.

He has no idea whether any of these combos are still active. In my opinion, good science would have him present examples of the patterns he found with made-up data rather than real examples that might still be live. It would be no comfort to me that the guy "personally reviewed" such a large data set as it would be easy to make a mistake.

I do understand that the owners of these combos should have changed them years ago, as it is the owner of the combo that chose badly by creating an easily hackable user name / password combo. However, in my opinion, no true, competent, and respectable researcher would take the chance that releasing such data would compromise the integrity of someone else. As I see it, this is the equivalent of releasing the names of the participants in a medical study, which simply would not happen under similarly normal circumstances in the medical industry.
 
JakeT, please forward your details to the NSA to prove your manhood.
 
If I ever create a website or service that requires logging in, I'm going to make it so the password creation box recognises passwords like "1111", "password", "administrator" etc and hurls abuse at the person trying to use them.
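The kind of sign-up screen the comment above describes, as an added example that is not part of the original article or thread: it rejects the perennial offenders ("1111", "password", "administrator") plus trivial variants of them. The blocklist and sample inputs are constructed here and stand in for the much larger breached-password corpus a production check would consult.

```python
import re
from typing import Optional

# Constructed blocklist: a handful of the perennial offenders the comment names.
COMMON_PASSWORDS = {
    "password", "administrator", "admin", "123456", "qwerty", "letmein", "welcome",
}

# Common substitutions, so that "P@ssw0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Lower-case, drop a trailing year or punctuation, and undo leet-speak."""
    lowered = password.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)   # "p@ssw0rd2015" -> "p@ssw0rd"
    return base.translate(LEET)                # "p@ssw0rd" -> "password"


def weak_password_reason(password: str, username: str = "") -> Optional[str]:
    """Return why the password is rejected, or None if it passes the screen."""
    if len(set(password)) == 1:
        return "single repeated character"      # "1111", "aaaaaaaa"
    if password.isdigit():
        return "digits only"                    # "19851985"
    if len(password) < 8:
        return "too short"
    if username and username.lower() in password.lower():
        return "contains username"              # the other half of a leaked pair
    if normalize(password) in COMMON_PASSWORDS:
        return "on common-password list"        # "Administrator1", "P@ssw0rd2015"
    return None


def screen_signup(username: str, password: str) -> bool:
    """True if the account may be created with this password."""
    return weak_password_reason(password, username) is None


if __name__ == "__main__":
    # Constructed sample sign-up attempts, not entries from the published list.
    for user, pw in [("alice", "1111"), ("bob", "P@ssw0rd2015"), ("carol", "correct horse battery")]:
        print(f"{user!r}: {weak_password_reason(pw, user) or 'accepted'}")
```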
 