  • largest password compilation of all time leaked online with 8.4 billion entries

      • #2370138
        Alex5723
        AskWoody Plus

        https://cybernews.com/security/rockyou2021-alltime-largest-password-compilation-leaked/

        What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.

        According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries…

        Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak.

        To check whether your password is part of this gigantic leak, head over to the CyberNews personal data leak checker or our leaked password checker, where we are currently uploading the password entries from the RockYou2021 compilation…

      • #2370171
        b
        AskWoody MVP

        Why would I want to send all my passwords to Lithuania to find out if they’re included in a massive file of everyone’s passwords, where they are so far totally unconnected to me or any username?

        Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

        6 users thanked author for this post.
        • #2370187
          Moonbear
          AskWoody Lounger

          Specifically in a case like this, couldn’t it almost make the situation worse if you looked to see if your data was involved, since this list is passwords only?

          You’d be showing that those searched usernames or emails are linked to specific passwords.

      • #2370191
        bbearren
        AskWoody MVP

        Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over

        That logic is a bit flawed.  I am one online user, but I have multiple passwords for multiple sites.  Common advice is to never use the same password for different sites, so it would seem logical that there are, indeed, more passwords than there are online users.

        Another point, my passwords may very well not be entirely unique in themselves.  Someone else (or perhaps more than one) may be using the same letter/number/special character combination for a password for their own user ID.  That, in itself, doesn’t compromise my password in the least.  The user ID/password combination is what counts as a true compromise.

        I really don’t care if someone else is using the same password.  Without my user ID, it’s just gibberish.  In addition, all my financial accounts are also protected by registering my PC.  If someone were to attempt to login to one of my financial accounts from a different PC, they would be thrown into two-factor authentication automatically.

        To sum up, this is really not a concern to me.  The sky is not falling.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        1 user thanked author for this post.
        • #2370318
          WSstarvinmarvin
          AskWoody Lounger

          Wait, so you’re saying Chicken Little was WRONG ?

          1 user thanked author for this post.
        • #2370325
          OscarCP
          AskWoody Plus

          bbearren: “The user ID/password combination is what counts as a true compromise.”

          Many sites where one has to register, particularly during the current pandemic, to do online a number of different necessary things, many usually done in person someplace outside one’s home, require one’s email address as the User ID. So if a password shows up in the computer screen of a diligent evildoer along with an email, that is likely all the evildoer may need to help himself or herself to your money as well as all your most intimate and embarrassing secrets. Of course, one might want to use multifactor authentication, but many of those sites one needs to connect online to do not offer this level of security.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          • #2370327
            b
            AskWoody MVP

            There are no email addresses in the 100GB text file of partial passwords being discussed in this thread.

            Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

            • #2370329
              OscarCP
              AskWoody Plus

              b: “There are no email addresses in the 100GB text file of partial passwords being discussed in this thread.”

              There may be no need for that. If a diligent evildoer with access to the additional necessary information, who has the time and the means to do this, finds one’s email address in a burglarized account, then in another, he can try connecting the dots by using those sorted out as “most likely to correspond” with a filched password. Or he might be able to proceed more directly, depending on what relevant personal information is already available out there. There is a lot of information out there already on each one of us, thanks to the many companies that track us, snoop on us and keep the personal information they scoop on us in data bases that are, in turn, burglarized, their stolen contents then sold to the highest bidders.

              Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

              • #2370332
                b
                AskWoody MVP

                There is no way to determine which of these 82 billion partial passwords is “most likely to correspond” with a particular email address, if any.

                Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

              • #2370335
                OscarCP
                AskWoody Plus

                For example: using personal stolen data from “snooping” and “tracking” by companies, from the burglarized data bases kept by them, as I have mentioned already. There is a lot of useful information out there (that shouldn’t be, in a rational world), available to those who can access it and know how to put things together. I am not thinking of pimply teenagers playing cyber-villain from their comfy house dens.

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          • #2370337
            bbearren
            AskWoody MVP

            Many sites where one has to register, particularly during the current pandemic, to do online a number of different necessary things many usually done in person someplace outside one’s home, require one’s email address as the User ID.

            I can’t pay my electric bill online because my hometown is not set up for it, still using the billing machines to which they upgraded about 30 years ago.  I can’t pay the man who does my lawn care online because he doesn’t have an online presence for his business.  Every other financial transaction I have is set up for autopay through a credit card which I pay off every month, or through ACH withdrawal from my credit union.

            In other words, I have been doing everything I possibly can online for several years, now.

            So if a password shows up in the computer screen of a diligent evildoer along with an email, that is likely all the evildoer may need to help himself or herself to your money as well as all your most intimate and embarrassing secrets.

            The link in the OP only lists passwords, no user ID’s.  Without the user ID, the password of itself is absolutely useless.  As for email address used as a user ID, I have several, and some that are not email addresses.  The “Contact Me” email address at my website, needless to say, not used for anything even close to financial transactions.

            Of course, one might want to use multifactor authentication, but many of those sites one needs to connect online to do not offer this level of security.

            In addition, all my financial accounts are also protected by registering my PC. If someone were to attempt to login to one of my financial accounts from a different PC, they would be thrown into two-factor authentication automatically.

            Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
            "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
            "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2370250
        funhitman
        AskWoody Lounger

        A safer way to check if your email address has been found in a breached database is checking it out at HaveIBeenPwned.com.  Just enter your email into the search field, hit Enter, and you’ll see if and where it’s been in a breached list.

        • #2370433
          doriel
          AskWoody Lounger

          I disagree, please don’t. That’s the worst idea in my opinion. That’s against my logic.
          To put your email address somewhere on the internet to find out if you have been “pwned”.
          You cannot be sure that this is not a fraud to ACTUALLY GAIN YOUR email address and other stuff.

          That’s the perfect case of trying a good thing with a possibly terrifying outcome.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          • #2370778
            RTEsysadmin
            AskWoody Plus

            My email addresses are probably in tens of millions of databases already. None of them are secret, even if I want to keep them confidential. Once I send someone an email message, my address is out of my control.

            The goal here is to find out how it’s being abused, and haveibeenpwned has proven that it’s trustworthy. Don’t use it if you don’t want to, but others may have decided differently based on facts that you might not care about.

            Group K(ill me now)
            1 user thanked author for this post.
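The disagreement above is about whether a breach check has to hand your secret to a third party. The range lookup that the Pwned Passwords service uses is built to avoid exactly that: the client hashes the password locally and discloses only the first five hex characters of the SHA-1, the service returns every suffix in that range, and the final match is made on the client. The following Python is an added illustration of that protocol, not code from the forum or from haveibeenpwned.com; the leak file is a constructed sample standing in for the 100GB compilation, and both sides run in one process here.

```python
import hashlib

# Constructed stand-in for a leaked-password compilation, one entry per line
# (the real RockYou2021 file is a 100GB text file; these values are made up).
SAMPLE_LEAK = ["password123", "qwerty", "letmein", "iloveyou", "summer2021"]


def sha1_hex(password: str) -> str:
    """SHA-1 is used only as a lookup key for the range protocol, never as a
    password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Service side: bucket every leaked hash by its 5-hex-char prefix.
    A query for a prefix returns the whole bucket, so the service never learns
    which suffix (and therefore which password) the client was interested in."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def range_query(index, prefix: str):
    """Service side: answer a range request with every suffix under the prefix.
    The result is the same for every client that shares the prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return sorted(index.get(prefix.upper(), ()))


def is_in_leak(password: str, index) -> bool:
    """Client side: only the prefix leaves this function's 'network boundary';
    the suffix comparison happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_query(index, prefix)


def disclosed_prefix(password: str) -> str:
    """What a network observer would see for this password: 5 hex characters,
    i.e. one of 16**5 = 1,048,576 buckets, not the password or its full hash."""
    return sha1_hex(password)[:5]


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_LEAK)
    for candidate in ("qwerty", "a-long-unrelated-passphrase-7!"):
        print(candidate, "->", "in leak" if is_in_leak(candidate, idx) else "not found",
              "(disclosed:", disclosed_prefix(candidate) + ")")
```

The prefix alone does not identify the password, which is the property that addresses the objection about sending passwords (or e-mail addresses) to a remote checker; a password-only list like the one in the OP is what this kind of lookup is meant for.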
      • #2370259
        Alex5723
        AskWoody Plus

        Another point, my passwords may very well not be entirely unique in themselves.  Someone else (or perhaps more than one) may be using the same letter/number/special character combination for a password for their own user ID

        If you have a 20 char. password and your password is on that list then your user/password has been hacked as there are possible 36 to the 20th Power (13367494538843734067838845976576) combinations.

        • #2370303
          bbearren
          AskWoody MVP

          If you have a 20 char. password and your password is on that list then your user/password has been hacked as there are possible 36 to the 20th Power (13367494538843734067838845976576) combinations.

          The example at the site you linked showed only passwords, not user ID/password combinations.  That one of my passwords might be on that list is irrelevant.

          Without my user ID that corresponds to that password, it does not matter if the password itself is known.  What user ID, what site, etc. all have to come together in order for there to be anything at all about which to be concerned.

          I really don’t care if someone else is using the same password. Without my user ID, it’s just gibberish. In addition, all my financial accounts are also protected by registering my PC. If someone were to attempt to login to one of my financial accounts from a different PC, they would be thrown into two-factor authentication automatically.

          Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
          "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
          "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2370350
        Kirsty
        Manager

        2 users thanked author for this post.
      • #2370408
        ScotchJohn
        AskWoody Plus

        I have been quite impressed at the action taken by Siber Systems, publisher of RoboForm, my password manager of choice since the mid 1990s.  They have scanned this database against my passwords and highlighted where my passwords occur on the “hacked” list.  Pain in the neck, but a good spur to action.

        Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      • #2370414
        Chris Greaves
        AskWoody Plus

        I have read this thread with consuming interest, and pondered its contents as I bicycled around the village.
        I thought to run a little test of my own.

        Attached is a PrtScr image taken on my laptop about ten minutes ago. It shows the string “2nanvon” generated by my custom-built password generator. I have included a display of the toolbar menu call that caused the string to appear when typed.

        When I run the macro, I would normally be inside my Passwords.doc (not its real name) and the new password, generated pseudo-randomly according to the date and time that I ran it, YYYYMMDDhhmmss, would have been dropped into a new table cell for my new account at WhereIStashMyMillions.com (not its real name).

        Here is the test:-
        Now that you know my password (but not, of course, the real online service URL or my user account number), how are you going to use this personal and apparently random password?

        Please preface your reply with “PRO” if you think that publication of eight billion passwords is good for the hackers, “CON” if you think that publication of eight billion and one passwords is NO good for the hackers.

        Thank You
        Chris Greaves (yes, my real name; you could try searching for me on this internet web thingy)

        Unless you're in a hurry, just wait.

        • #2370520
          OscarCP
          AskWoody Plus

          I might have answered this already, if not in the required format, here #2370335 and further up.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        • #2370623
          doriel
          AskWoody Lounger

          My answer disappeared. Obviously my opinions are not acceptable, since I was deleted a few times; apparently I am some sort of conspirator 🙂
          Back to the topic: My answer is CON. A good hacker does not need to search the internet through Google to know our passwords. Maybe it’s good for inexperienced hackers, because the list can be used for a dictionary attack right away.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2370420
        Paul T
        AskWoody MVP

        burglarized data

        I assume you mean “stolen data”?

        cheers, Paul

        1 user thanked author for this post.
        • #2370522
          OscarCP
          AskWoody Plus

          verb
          past tense: burglarized; past participle: burglarized

          enter (a building) illegally with intent to commit a crime, especially theft.
          “our summer house has been burglarized”

          Yes, PaulK: I am using the word figuratively. (It’s a thing.)

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          • #2370550
            Kirsty
            Manager

            It is a “North American term”, according to the Oxford English Dictionary, hence seen as a “made-up” word from the rest of the English-speaking planet 😉
            The “proper” English (not US English) word would either be burgled or stolen, as @Paul-T suggested.

            • #2370599
              OscarCP
              AskWoody Plus

              Kirsty, you say tomatoes, I say … have it your way and I’ll have it mine. Probably in Nigeria they say something else. “English” is an abstraction of a very diverse linguistic reality. Blame it on the British Empire. If it had not existed, we would not be having this exchange. Or any exchange at all, really. I might be writing in Urdu and you in Cantonese, and good luck with coming to any understanding in a hurry.

              Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          • #2370605
            Paul T
            AskWoody MVP

            verb
            past participle: stolen
            1.
            take (another person’s property) without permission or legal right and without intending to return it.

            A very different meaning.

            cheers, Paul

      • #2370727
        anonymous
        Guest

        Look, there’s a very easy way to use the same password on every site and still make them unique: salting. Sites in the know append a secret string to all passwords before hashing them. That makes the password database invulnerable to rainbow tables and makes your stolen password useless on any other site, even if they know your userid.

        Use this clever, exceedingly simple idea yourself. Append the last three characters of the URL (before the .com) to your standard (random) password.
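The server-side practice the post refers to has two distinct parts, and the following Python (an added example, not the poster's or any site's code) shows both: a site-wide secret string (a pepper, `PEPPER` below is a constructed value) and a random per-user salt, fed to a slow key-derivation function rather than a bare hash. The per-user salt is what makes two users with the same password get different stored values, so a leaked password list cannot be matched against the database by hash; the iteration count is an assumed work factor chosen for a quick demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Site-wide secret kept outside the database (constructed value for the demo).
PEPPER = b"demo-pepper-not-for-real-use"
# PBKDF2-HMAC-SHA256 work factor; assumed demo value, production uses a higher one.
ITERATIONS = 100_000
SALT_BYTES = 16

Record = Tuple[bytes, bytes]          # (per-user salt, derived key)
UserDB = Dict[str, Record]


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch password + pepper with a unique salt. The salt is stored beside the
    hash; the pepper is not, so a database dump alone cannot be cracked offline
    without it, and a random salt defeats precomputed (rainbow) tables."""
    peppered = password.encode("utf-8") + PEPPER
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def register(db: UserDB, username: str, password: str) -> None:
    """Store a fresh random salt and the derived key, never the password."""
    salt = os.urandom(SALT_BYTES)
    db[username] = (salt, derive_key(password, salt))


def verify(db: UserDB, username: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    record: Optional[Record] = db.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(derive_key(password, salt), stored)


def same_password_distinct_records(password: str) -> bool:
    """Two users choosing the identical password must not share a stored value;
    returns True when the salt achieves that."""
    db: UserDB = {}
    register(db, "alice", password)
    register(db, "bob", password)
    return db["alice"][1] != db["bob"][1]


if __name__ == "__main__":
    users: UserDB = {}
    register(users, "alice", "correct horse battery staple")
    print("right password:", verify(users, "alice", "correct horse battery staple"))
    print("wrong password:", verify(users, "alice", "password123"))
    print("same password, different hashes:", same_password_distinct_records("qwerty"))
```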

      • #2370780
        RTEsysadmin
        AskWoody Plus

        Without user ids, it’s just a bigger dictionary than has been available up to now, but having a bigger dictionary increases the odds of a dictionary attack succeeding.

        I try to use passwords longer than 20 characters whenever possible, but a lot of sites won’t let me use more than 16 — or even, sometimes, only ten — characters. That’s what must change.

        Group K(ill me now)
        • #2371175
          dmt_3904
          AskWoody Plus

          I try to use passwords longer than 20 characters whenever possible, but a lot of sites won’t let me use more than 16 — or even, sometimes, only ten — characters. That’s what must change.

          I totally agree!  Some sites won’t allow me to use more than 8 characters. Ridiculous!  I use a password generator, try to make my passwords at least 20 characters long and try not to use dictionary words.

          • #2371237
            Paul T
            AskWoody MVP

            Dictionary words are fine as long as the password is long and has additional characters. Length is king when it comes to password security because an attacker must test all possibilities up to the length of yours in a guessing attack.

            cheers, Paul
