Internet websites such as techradar.com and cybernews.com have been reporting that RockYou2021 is the largest password breach ever released, even comparing it to the Compilation of Many Breaches (COMB) breach collection we reported on earlier this year. Headlines include the fact that RockYou2021 has more than twice as many passwords (8 billion) compared to COMB (3.2 billion). However, these websites are glossing over some important facts, either as an intentional exercise to drive visitors and traffic, or because they have failed to understand one important difference between this data and other credential breaches.
The key differentiator here is that RockYou2021 is simply a list of passwords. There are no email addresses or other personally identifiable bits of information associated with this dump, unlike other breaches, including COMB, which contained a carefully curated list of email addresses coupled with matching passwords. For criminals who use credential lists to attempt logins at online websites, this is completely useless: a website will lock a user out long before you can try even 10 of these passwords. Without a complete credential, the list is useless for credential stuffing. However, there is one particular use case that indicates why this list was put together in the first place.
We know from operating our own Password Breach Database that the same user often reuses a password across different accounts, and that many people use common passwords. It’s a problem we specifically address with one of our key software solutions. So these headlines immediately set off alarm bells for us because of the extravagantly high numbers quoted: we know from this database that, across all the breaches we’ve ever uploaded, there are only approximately 900 million passwords in circulation. What we do know is that lists of possible passwords do exist for other reasons; whilst they are not used to gain access to websites directly, they are still used by hackers.
Good password security dictates that your password should never be stored in plaintext on the server of the website you visit, but rather as a hash. Hashing is a one-way process that converts a password such as “ILoveCats!” into a string of unintelligible characters such as “0B7A6D5” (actual hashes are usually much longer). When you log in, the server re-applies the same hash algorithm to the password you’ve just entered; if the result matches the hash in the database, the website knows you have the correct password and allows you to continue. In this way, even if the server database was breached and placed on the internet, all the attackers would have is a meaningless hash of your password and not the real thing. To determine what your password is (so that they could try it on your online bank account, instead of the website about cats that they have just breached), an attacker would have to run every known password through the hash algorithm until a match is found.
As we can see then, guessing someone’s password from a dumped set of hashes is not easy, but it is still often viable, and this is why lists of passwords such as RockYou2021 exist: not as a list of actual credentials, but as a list of possible guesses to feed into tools that try to recover some of these hashes. There are many threats and breaches to worry about. We can certainly help protect you from these attacks using our Password Security Management and Multi-Factor Authentication products; however, the RockYou2021 breach is not something you need to worry about.
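The following Python example is added here to make the two preceding paragraphs concrete; it is not code from the original post or from Authlogics. It uses a constructed five-entry word list as a stand-in for a RockYou-style guess list and shows three things: how the guessing step works against an unsalted, fast hash (why such a list has value to an attacker); how storing a password with a per-account salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, an assumption, since the post names no algorithm) changes the cost of that step; and how the same list can be used defensively, to reject a new password that already appears in it. Function names and the sample list are this example's own.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for a RockYou-style list of candidate passwords.
# A real list has billions of entries; five are enough to show the mechanics.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "ILoveCats!", "letmein"]


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256 digest: cheap to compute, so cheap to guess against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover_from_wordlist(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """The guessing step the post describes: hash each candidate and compare.

    With an unsalted fast hash, one digest per candidate can be checked against
    every leaked record at once, which is exactly why password lists have value.
    """
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate), stored_hash):
            return candidate
    return None


def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Store a password as salt + PBKDF2-HMAC-SHA256 (a standard-library slow hash).

    The random salt means every account's hash must be attacked separately, and the
    iteration count makes each guess cost hundreds of thousands of hash operations.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, derived_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def build_denylist(wordlist: Iterable[str]) -> set:
    """Defensive use of the same list: index it so new passwords can be screened."""
    return {fast_hash(word) for word in wordlist}


def is_known_password(password: str, denylist: set) -> bool:
    """True if the proposed password appears in the guess list and should be rejected."""
    return fast_hash(password) in denylist


if __name__ == "__main__":
    leaked = fast_hash("ILoveCats!")  # an unsalted record from a breached site
    print("recovered from unsalted hash:", recover_from_wordlist(leaked, SAMPLE_WORDLIST))
    record = hash_password("ILoveCats!")
    print("salted PBKDF2 record:", record)
    print("login with correct password:", verify_password("ILoveCats!", record))
    deny = build_denylist(SAMPLE_WORDLIST)
    print("reject 'qwerty' at signup:", is_known_password("qwerty", deny))
```

The point of the contrast is that the word list itself is the same in both halves; what decides whether it is useful to an attacker is how the target site stored its hashes. Screening new passwords against such a list at signup or change time is the one place a defender gets value from it.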
Talk to Authlogics about how you can assess your passwords and secure your logins.