Ten billion plain-text passwords in a file: Sky  falling or situation  normal?

Credential Crunch

What’s the craic? Benedict Collins reports: Is this the biggest password leak ever uncovered? Researchers claim nearly 10 billion credentials under threat

“Credential stuffing”
Researchers claim to have uncovered what appears to be the biggest password cache ever uncovered, with 9,948,575,739 unique plaintext passwords. [It] was posted on July 4 by a user with the handle ‘ObamaCare,’ who has shared leaked passwords from a number of sources. [It] contains passwords stolen in a mix of old and new attacks, making the file a brute force attackers’ dream.
…
Brute forcing is an attacking technique used by hackers to breach accounts by using … passwords until successful entry is gained. By automating the process, an attacker can try potentially millions of passwords with ease. A system unprotected against brute-force attacks could quickly succumb to an attacker using this password database. [It] could also be especially useful for an attacker using … credential stuffing.

Horse’s mouth? Cybernews’s Vilius Petkauskas and friends call it the largest compilation of all time:

“Brute-force attacks”
[We] cross-referenced the passwords [to reveal] that these passwords came from a mix of old and new data breaches. … Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks, [which] can be severely damaging for users and businesses. For example, a recent wave of attacks targeting … Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct result of credential stuffing attacks against the victims’ cloud service provider, Snowflake.
…
Three years ago, … the RockYou2021 password compilation [was] the largest at the time, with 8.4 billion plain text passwords. … Attackers developed the dataset by scouring the internet for data leaks, adding another 1.5 billion passwords [by] 2024.
…
Attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. [It] can contribute to a cascade of data breaches, financial frauds, and identity thefts.

What should we do about it? Here’s Mitch Ashley, chief technology advisor for Futurum and Techstrong CTO, via Michael Vizard: Stolen Passwords

“Cultural challenge”
The time has come to declare standalone passwords stone-cold dead. [They] don’t seem to provide any meaningful level of security.
…
Passwords are only viable if they are system-generated, unique to one account, secured in a password manager and used in combination with multi-factor authentication (MFA), preferably with an authentication app. … However, more organizations are already moving beyond passwords to embrace passkeys that employ some type of biometric authentication.
…
Nothing is ever perfect, however, because cybercriminals can still, for example, abuse cookies to bypass passkeys authentication mechanisms. However, passkeys at least reduces reliance on standalone passwords. … The challenge is that passkeys require time and resources to implement. … Moving away from passwords is as much a cultural challenge as it is technical.

Sounds like a “can’t get there from here” problem. u/jetstobrazil sounds slightly sarcastic:

So tired of this. … I have to check all of my ****ing accounts again and change my passwords again? Oh, good idea, that will surely make them secure until they’re sold off in 2 more months … and I’m awaiting notification from the company keeping it under wraps? Awesome!

However, iAmWaySmarterThanYou is way smarter than you:

I have uniquely long passwords and often MFA for financial and other accounts I care about. … There are probably a ton of dumb****s in that list with their bank credentials, but if they’re still doing that **** by now they deserve whatever happens.

Obviously, it’s not all new. nilsherzig has been poring over the dump:

Looks like there are some new (to me) combos in there, but to me it looks like a collection of all the breaches they could get. Might still be valuable to someone who tries to brute force something or to develop mutation scripts based on the more recent passwords.

Come again? AmiMoJo isn’t that bothered:

A lot of it will be redundant. Cracking tools already include features to generate variations and combinations of dictionary words. [And] the completely random ones are of little value.
…
So that just leaves the new, previously unleaked, and fairly random but re-used by the user ones. Maybe some song lyrics or something. But again, they only apply to a small number of users at best, and now they are out there those users are probably getting sent notifications to change those passwords by major web browsers. So overall, it’s not that helpful.

Wait. Pause. WWTHD? Troy Hunt would walk away and find something more interesting to do:

Let’s start with what should be obvious: Any infosec story that includes a headline about “largest,” “greatest,” “worst,” or similar superlatives should be regarded with suspicion right from the outset. That said, let’s delve into this one.
…
The title “RockYou” … harks back a decade and a half to a 2009 data breach that exposed 34M records. … Following this breach, the “RockYou password list” became almost the defacto standard list for password crackers. It’s one of many breaches that seeded the data in @haveibeenpwned’s Pwned Passwords list. [But] these are not breached passwords—they’re merely strings of text collated from all sorts of different sources.

If I want to protect my users from bad passwords, should I download it? u/bigger_hero_6 has a better idea:

Recommend wordlists out of this repo, which are also actively maintained: github.com/danielmiessler/…/Common-Credentials. … Rockyou is in there as well.

Meanwhile, in case you want to look at it anyway—for (ahem) research purposes—bobthesungeek76036’s got your back:  [You’re fired—Ed.]

Here it is. Keep in mind that this file is 46G and 145G uncompressed.

And Finally:

Willgoose and company are back, baby

Previously in And Finally

You have been reading SB  Blogwatch by Richi  Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Bohmann