search engines

A Security Researcher Just Dumped 10 Million Real Passwords

Next Story

True Facet Raises $1.7 Million For Its Secondhand Jewelry Marketplace

Security researcher Mark Burnett released a torrent of 10 million passwords and usernames, a trove of comparatively anonymized data that he sourced from open websites from around the web. The passwords and usernames are older and most probably dead and, most importantly, Burnett sourced them from websites that were “generally available to anyone and discoverable via search engines in a plaintext (unhashed and unencrypted) format and therefore already widely available to those with an intent to defraud or gained unauthorized access to computer systems.”

Why did he do it? Password behaviors are opaque. No one knows why we choose certain passwords over others nor do they have any way of assessing the relative strength of passwords on the web. While corporations like to say their password databases are secure, how do we know? And how can they be secure when the most popular password is “password?”

Burnett writes:

Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain.

You can download the trove here.

It is interesting to note that Burnett had a great deal of trouble deciding whether he wanted to release these passwords. Because the law is often opaque regarding technical issues and legislators are ignorant when it comes to the same, people like Burnett are actually afraid to publish their research. The jailing of a journalist named Barrett Brown is one step in the long road towards self-censorship in matters of security and that can’t be the case.

So download those passwords and figure out just where you’re going wrong. I, for one, will never give up my super secure password of “ILovePizzaAndBeerLakers2015!”

Featured Image: Dan Bruins