Security researcher publishes 10M usernames / passwords to help understand authentication patterns

Security researcher Mark Burnett is capturing headlines after publishing a list of 10 million usernames and passwords on the Internet.

All things considered, there's probably not a whole lot to worry about with the dump. That's because - at one time or another - every username and password in the list was publically available to anyone to find via search engines in plaintext format.

To ensure that no single source or company was targeted, Burnett sourced credentials from numerous sites and combined samples from thousands of global incidents from the last five years which was mixed in with other data dating back an additional 10 years. He also removed identifying keywords and manually reviewed much of the data that could link to an individual.

As such, the researcher believes that the dump primarily consists of dead passwords. If that's the case, why even bother re-releasing old passwords (along with usernames, which is rare) in the first place?

Burnett said his intent is not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. Instead, he said the intent is to further research with the goal of making authentication more secure and ultimately protect from fraud and unauthorized access.

If you read through his blog post, you can see that he's gone to great lengths to point out reasons as to why he shouldn't be arrested. Now it's just a waiting game to see if authorities make a move.