Researcher and security consultant Mark Burnett has just published 10 million usernames along with their passwords. It’s meant to help other researchers, but in the current climate of hacking and privacy, one has to ask: What the hell?
Actually, as scary as it sounds, passwords are released all the time – they’re just kept between researchers, and the usernames aren’t usually included. Also, these usernames and passwords are a random sample from previous dumps. Sites like pwnedlist and haveibeenpwned frequently hack and leak such password combinations and make them public. Burnett simply took those and made them public again.
Burnett says that giving researchers only the passwords prevents them from analyzing how usernames and passwords go together.
In Burnett’s own words, he “…wanted to provide a clean set of data to share with the world…[ it provides] great insight into user behavior and is valuable for furthering password security.”
And share with the world he has.
Before you panic too much, Burnett believes most of the passwords and usernames are dead. As he put it:
“I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment…I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.”
He went on to explain, at great length and in detail, why, unlike in Barrett Brown’s case, the FBI shouldn’t show up and arrest him:
[…”Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime…
In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access…
Furthermore, I believe these are primarily dead passwords, which cannot be defined as authentication features because dead passwords will not allow you to authenticate. The likelihood of any authentication information included still being valid is low and therefore this data is largely useless for illegal purposes…
Ultimately, to the best of my knowledge these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations. This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain…]
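The kind of username-with-password analysis Burnett says has been neglected can be illustrated with a small script. The following is an added example, not Burnett's code and not run against his data set: it parses a constructed handful of `username password` records, classifies how each password relates to its username (identical, contains the username, contains it reversed, or unrelated), and tallies the most common passwords. The same `relation()` check is what a registration form or password-change handler would use to reject passwords derived from the account name.

```python
"""Analyse how usernames relate to their passwords in a credential dump sample.

Added illustration of the username/password research discussed above. This is
not Burnett's code, and SAMPLE_DUMP below is constructed for the example, not
taken from any real leak.
"""
import re
from collections import Counter

# Constructed sample in the "username password" layout such dumps commonly use.
SAMPLE_DUMP = """\
jsmith42 jsmith42!
alice.b@example.com alice2014
bob_jones P@ssw0rd
carol99 lorac99
dave 123456
erin.k password
frank.m 123456
grace grace
"""


def split_pairs(text):
    """Parse 'username password' lines; blank or malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split(None, 1)  # password may itself contain spaces
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def username_tokens(username):
    """Alphabetic fragments of a username (mail domain, digits, punctuation dropped).

    'alice.b@example.com' -> ['alice']; 'bob_jones' -> ['bob', 'jones'].
    Fragments shorter than three letters are ignored to avoid noise matches.
    """
    local = username.split("@", 1)[0].lower()
    return [t for t in re.split(r"[^a-z]+", local) if len(t) >= 3]


def relation(username, password):
    """Classify how a password relates to its username."""
    pw = password.lower()
    if pw == username.lower():
        return "identical"
    for token in username_tokens(username):
        if token in pw:
            return "contains_username"
        if token[::-1] in pw:
            return "contains_reversed_username"
    return "unrelated"


def analyse(text):
    """Return record count, relation tallies and the three most common passwords."""
    pairs = split_pairs(text)
    relations = Counter(relation(u, p) for u, p in pairs)
    top_passwords = Counter(p for _, p in pairs).most_common(3)
    return {
        "records": len(pairs),
        "relations": dict(relations),
        "top_passwords": top_passwords,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_DUMP)
    print(f"records analysed: {result['records']}")
    for kind, count in sorted(result["relations"].items()):
        print(f"  {kind:<28} {count}")
    print("most common passwords:", result["top_passwords"])
```

On the constructed sample, half of the records have a password that is derived from the username in some way, which is exactly the sort of behavioural finding that a password-only data set cannot reveal, and the reason the `relation()` check is worth enforcing at signup.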
With all that in mind, Burnett has taken a random sample of 10 million passwords, gathered from “thousands of dumps consisting of upwards to a billion passwords.” If your password isn’t on the list, that doesn’t mean it’s not floating around on the Internet; merely that it’s not on this list. We’re not linking to the download, but it shouldn’t be too hard for you to work out where to look…