Authlogics Authlogics
  • Solutions
    • Password Security Auditing
    • Password Policy Compliance
    • Password Breach Database
    • Passwordless Authentication
    • Deviceless OTP
    • Single Sign-On
    • Cloud Protection
      • Amazon Web Services
      • Azure and Office 365
    • Helpdesks
    • Retail Banking
    • Transaction Verification
  • Products
    • Password Security Management
    • Multi-Factor Authentication
      • Authenticator Mobile App
      • PINgrid
      • PINphrase
      • PINpass
      • Yubikey
    • System Agents
      • ADFS Agent
      • Domain Controller Agent
      • Exchange Agent
      • Remote Desktop Agent
      • Windows Desktop Agent
  • Resources
    • Demonstration
    • Whitepapers
    • Datasheets
    • Case Studies
    • Use Cases
    • Pricing
    • Blog
    • Accolades
    • UK Government: G-Cloud
  • Partners
    • Find a Reseller
    • Find a Distributor
    • Technology Partners
    • Become a partner
    • Password Security Portal
  • Company
    • Contact Us
    • Intellectual Property
    • About Us
  • Support
    • Downloads
    • Documentation
    • Knowledge Base
    • Community
    • Log a call
RockYou Password Leak

Should I be worried about the RockYou2021 Password Leak?

Kate Wotherspoon on 9th June 2021

Websites such as techradar.com and cybernews.com have been reporting that RockYou2021 is the largest password breach ever released, even comparing it to the Compilation of Many Breaches (COMB) collection we reported on earlier this year. Headlines point out that RockYou2021 holds more than twice as many entries (8 billion) as COMB (3.2 billion). However, these reports gloss over some important facts, either as an intentional exercise to drive visitors and traffic, or because they have failed to understand one important difference between this data and other credential breaches.

The key differentiator is that RockYou2021 is simply a list of passwords. There are no email addresses, usernames or other personally identifiable information associated with this dump, unlike other breaches such as COMB, which contained carefully curated email addresses paired with their matching passwords. For criminals who feed lists of credentials into websites in the hope of gaining access, a bare password list is next to useless: a website with a sensible lockout policy will lock the account long before an attacker can try even 10 of these passwords against it. (The caveat is that the lockout or rate limiting has to actually be enforced; a login endpoint without one turns the top of any such list into a password-spraying dictionary.) Without a complete credential, meaning an identifier plus the password that goes with it, the list is useless for credential stuffing. However, there is one particular use case that explains why this list was put together in the first place.

We know from operating our own Password Breach Database that people frequently reuse the same password across different accounts, and that many people choose common passwords. It is a problem we specifically address with one of our key software solutions. So these headlines immediately set off alarm bells for us because of the extravagantly high numbers quoted: across every breach we have ever loaded into that database, there are only approximately 900 million distinct passwords in circulation, nowhere near 8 billion. What we do know is that lists of possible passwords exist for other reasons, and whilst they are not used to gain access to websites directly, they are still used by hackers.

Good password security dictates that your password should never be stored in plaintext on the server of the website you visit, but rather as a hash. Hashing is a one-way process that converts a password such as “ILoveCats!” into a string of unintelligible characters such as “0B7A6D5” (real hashes are much longer). When you log in, the server applies the same hash algorithm to the password you have just entered; if the result matches the value in the database, the website knows you have the correct password and lets you continue. In this way, even if the server database is breached and posted on the internet, all the attackers have is a meaningless hash of your password rather than the real thing. To determine what your password actually is (so that they can try it on your bank account instead of the website about cats they have just breached), an attacker has to run candidate passwords through the same hash algorithm, one after another, until one produces a matching hash. How hard that is depends on how the site hashed: a well-built site adds a random per-user salt and uses a deliberately slow algorithm such as bcrypt, scrypt or Argon2, so every guess must be computed separately for every user and each one is expensive, whereas a site that stored plain unsalted MD5 or SHA-1 lets an attacker test one guess against every account in the dump at once, at billions of guesses per second on commodity GPUs.

As we can see, guessing someone’s password from a dumped set of hashes takes work, but it is still often viable, and this is why lists such as RockYou2021 exist: not as a list of breached accounts, but as a list of candidate guesses to feed into hash-cracking tools. There are many threats and breaches to worry about, and we can certainly help protect you from these attacks with our Password Security Management and Multi-Factor Authentication products. The RockYou2021 list itself, however, is not a new breach and is not something you need to worry about in its own right. The practical response is the same as for any cracking wordlist: make sure the passwords you and your users rely on do not appear in it, and require a second factor so that a cracked password alone is not enough.
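The two attack paths discussed above, as an added worked example that is not part of the original post and is not Authlogics’ software: the same ten-entry stand-in wordlist is run against a login page that enforces a lockout (where it achieves nothing), against a leaked dump of unsalted SHA-256 hashes (where every listed password falls at the cost of one hash per candidate), and against a dump of salted PBKDF2 hashes (where listed passwords still fall, but the attacker pays one slow KDF call per guess per user). The user names, passwords, the wordlist, the lockout threshold of 5 and the 20,000-iteration PBKDF2 setting are all constructed for the example.

```python
"""Editor's worked example, not Authlogics code. All accounts, passwords,
the wordlist and the policy numbers below are constructed for the demo."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a RockYou-style list: passwords only, no identities.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon",
            "iloveyou", "football", "ILoveCats!", "monkey", "Summer2021"]

# Constructed accounts. Two of them chose a password that is on the list.
USERS = {"alice": "ILoveCats!", "bob": "Summer2021", "carol": "x7#Qp!v2Lm9z"}

LOCKOUT_THRESHOLD = 5      # assumed policy: failures before the account locks
DEMO_ITERATIONS = 20_000   # assumed; kept low for speed, production uses far more


def weak_store(password: str) -> str:
    """Unsalted SHA-256, as many breached sites stored passwords: fast and
    deterministic, so one hashed guess can be compared with every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = DEMO_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def strong_verify(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    salt, iterations, key = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, key)


class OnlineLogin:
    """Login endpoint that enforces a lockout: the control that makes a bare
    password list worthless for online guessing."""

    def __init__(self, db: Dict[str, str]):
        self.db = db
        self.failures = {u: 0 for u in db}

    def attempt(self, user: str, password: str) -> str:
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            return "locked"
        if hmac.compare_digest(weak_store(password), self.db[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "fail"


def online_stuffing(db: Dict[str, str], wordlist) -> Dict[str, Tuple[bool, int]]:
    """Run the whole list against every account, as a stuffing tool would.
    Per user: (did any guess succeed, how many attempts were refused as locked)."""
    site = OnlineLogin(db)
    results = {}
    for user in db:
        outcomes = [site.attempt(user, guess) for guess in wordlist]
        results[user] = ("ok" in outcomes, outcomes.count("locked"))
    return results


def offline_crack(dump: Dict[str, str], wordlist) -> Dict[str, str]:
    """The real use of the list: hash each candidate once, then look every
    leaked unsalted hash up in that table. Cost: len(wordlist) hashes total."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def offline_crack_salted(dump, wordlist) -> Tuple[Dict[str, str], int]:
    """With a per-user salt and slow KDF each guess is recomputed per user:
    up to len(dump) * len(wordlist) KDF calls. Listed passwords still fall."""
    found, kdf_calls = {}, 0
    for user, record in dump.items():
        for guess in wordlist:
            kdf_calls += 1
            if strong_verify(guess, record):
                found[user] = guess
                break
    return found, kdf_calls


def password_allowed(password: str, wordlist=WORDLIST) -> bool:
    """Defensive use of the same list: refuse any password that appears on it."""
    return password not in set(wordlist)


def demo() -> dict:
    weak_db = {u: weak_store(p) for u, p in USERS.items()}
    strong_db = {u: strong_store(p) for u, p in USERS.items()}
    return {
        "online": online_stuffing(weak_db, WORDLIST),
        "offline_unsalted": offline_crack(weak_db, WORDLIST),
        "offline_salted": offline_crack_salted(strong_db, WORDLIST),
        "screening": {u: password_allowed(p) for u, p in USERS.items()},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the asymmetry the post describes: the online run never logs in and half its attempts are refused as locked, the unsalted dump gives up both listed passwords after ten hash computations in total, and the salted dump gives up the same two passwords only after 28 slow KDF calls (8 for alice, 10 for bob, 10 wasted on carol, whose password is not on the list). Screening rejects alice’s and bob’s passwords before they are ever stored.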

Talk to Authlogics about how you can assess your passwords and secure your logins.

info@authlogics.com

+44 1344568900

in Business, Data Breach, Password, Security
tags: Authlogics, cybersecurity, data breach, Identity, news, Password, password security
Contact us

UK: +44 1344 568 900
US: +1 408 706 2866

sales@authlogics.com
info@authlogics.com
