RockYou2024 leak of 10 billion passwords - the biggest password leak ever
https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
https://mashable.com/article/rockyou2024-leaked-password-database

Cybernews researchers discovered what appears to be the largest password
compilation with a staggering 9,948,575,739 unique plaintext passwords. The
file with the data, titled rockyou2024.txt, was posted on July 4th by forum
user ObamaCare.

While the user registered in late May 2024, they have previously shared an
employee database from the law firm Simmons & Simmons, a lead from an
online casino AskGamblers, and student applications for Rowan College at
Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak
with data from Cybernews' Leaked Password Checker, which revealed that
these passwords came from a mix of old and new data breaches.

"In its essence, the RockYou2024 leak is a compilation of real-world
passwords used by individuals all over the world. Revealing that many
passwords for threat actors substantially heightens the risk of credential
stuffing attacks," researchers said.

Credential stuffing attacks can be severely damaging for users and
businesses. For example, a recent wave of attacks targeting Santander,
Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct
result of credential stuffing attacks against the victims' cloud service
provider, Snowflake.

"Threat actors could exploit the RockYou2024 password compilation to
conduct brute-force attacks and gain unauthorized access to various online
accounts used by individuals who employ passwords included in the dataset,"
the team explained.

On 2024-07-06 19:28, Mickey D wrote:
>
> "Threat actors could exploit the RockYou2024 password compilation to
> conduct brute-force attacks and gain unauthorized access to various online
> accounts used by individuals who employ passwords included in the dataset,"
> the team explained.

Why Passkeys should be used wherever financial transactions or sensitive
information are concerned. Or at least TFA.

And passwords need to be strong - computer generated is always best.

Otherwise password access should have time outs.

1st time wrong: no delay
2nd time wrong: 1 s delay
3rt time wrong: 2 s delay
4th time wrong: 4 s
5 8 s

10 4 hour delay, then reset to 0 delay.

Brute force login attacks would simply not work.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 07/07/2024 12:26, Alan Browne wrote:
> On 2024-07-06 19:28, Mickey D wrote:
>>
>> "Threat actors could exploit the RockYou2024 password compilation to
>> conduct brute-force attacks and gain unauthorized access to various
>> online
>> accounts used by individuals who employ passwords included in the
>> dataset,"
>> the team explained.
>
> Why Passkeys should be used wherever financial transactions or sensitive
> information are concerned.  Or at least TFA.
>
> And passwords need to be strong - computer generated is always best.
>
> Otherwise password access should have time outs.
>
> 1st time wrong: no delay
> 2nd time wrong: 1 s delay
> 3rt time wrong: 2 s delay
> 4th time wrong: 4 s
> 5               8 s
>
> 10              4 hour delay, then reset to 0 delay.
>
> Brute force login attacks would simply not work.
>

A better solution would be to use a hashing algorithm like Argon2 that
is designed to be resistant to such attacks. That way, if you get
offline access to a database somehow - which is how these passwords were
derived - cracking takes a stupid amount of time.

Such modern algorithms use things like salting by default as well, which
eliminates rainbow table attacks (pre-computed lists of hashes and their
passwords), meaning you need to perform the slow and expensive
brute-force method.

Also, a timeout would only help with online logins. Offline ones are the
real deal, because you can go ham with no consequence.

That said, your idea of using computer-generated passwords is great. I
use 64-character random passwords generated by KeePassXC. It works
great, except for the websites that want shorter passwords, for some
bizarre reason.

On Sun, 7 Jul 2024 18:27:18 +0100, Gordinator wrote:

> A better solution would be to use a hashing algorithm like Argon2 that
> is designed to be resistant to such attacks.

Can someone who knows let me know WHAT was published online?

Is it people's login and passwords?
Or just a long list of people's passwords?

If it's just a long list of passwords, what good is that?
A dictionary like lookup would work as well, wouldn't it?

On 2024-07-07 15:03, Bill Powell wrote:

> Can someone who knows let me know WHAT was published online?
>
> Is it people's login and passwords?
> Or just a long list of people's passwords?
>
> If it's just a long list of passwords, what good is that?
> A dictionary like lookup would work as well, wouldn't it?

It's just a list of passwords.

Depends on what you mean by "dictionary" as the password list won't have
things that are in any given dictionary (no matter what the kind).

It is usable to verify that your password is not "in there". I wrote a
quick program to do just that - but my passwords are too ridiculous -
never mind anyone figuring the login name and where it's being used.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 2024-07-07 13:27, Gordinator wrote:
> On 07/07/2024 12:26, Alan Browne wrote:
>> On 2024-07-06 19:28, Mickey D wrote:
>>>
>>> "Threat actors could exploit the RockYou2024 password compilation to
>>> conduct brute-force attacks and gain unauthorized access to various
>>> online
>>> accounts used by individuals who employ passwords included in the
>>> dataset,"
>>> the team explained.
>>
>> Why Passkeys should be used wherever financial transactions or
>> sensitive information are concerned.  Or at least TFA.
>>
>> And passwords need to be strong - computer generated is always best.
>>
>> Otherwise password access should have time outs.
>>
>> 1st time wrong: no delay
>> 2nd time wrong: 1 s delay
>> 3rt time wrong: 2 s delay
>> 4th time wrong: 4 s
>> 5               8 s
>>
>> 10              4 hour delay, then reset to 0 delay.
>>
>> Brute force login attacks would simply not work.
>>
>
> A better solution would be to use a hashing algorithm like Argon2 that
> is designed to be resistant to such attacks. That way, if you get
> offline access to a database somehow - which is how these passwords were
> derived - cracking takes a stupid amount of time.

Having such a list won't help against such.

> Such modern algorithms use things like salting by default as well, which
> eliminates rainbow table attacks (pre-computed lists of hashes and their
> passwords), meaning you need to perform the slow and expensive
> brute-force method.

Indeed, but the issue is the brute force from the outside. (Which also
needs a target site and account name ... already getting very unlikely).

>
> Also, a timeout would only help with online logins. Offline ones are the
> real deal, because you can go ham with no consequence.

That implies they've copied an entire system and are going after info in
it. Since the pw database is (as you mention salted an encrypted) such
an attack will go exactly nowhere with the passwords in the list - esp.
when the salt is derived from other customer data.

> That said, your idea of using computer-generated passwords is great. I
> use 64-character random passwords generated by KeePassXC. It works
> great, except for the websites that want shorter passwords, for some
> bizarre reason.

64 char is overkill. 20 char is much more than sufficient assuming it's
random.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

Alan Browne <bitbucket@blackhole.com> wrote:
> On 2024-07-06 19:28, Mickey D wrote:
>>
>> "Threat actors could exploit the RockYou2024 password compilation to
>> conduct brute-force attacks and gain unauthorized access to various online
>> accounts used by individuals who employ passwords included in the dataset,"
>> the team explained.
>
> Why Passkeys should be used wherever financial transactions or sensitive
> information are concerned. Or at least TFA.

Or, crazy idea, tighten up personal privacy laws like some ridicule the EU
for.

It would certainly crystallise minds if companies risked fines of 10% of
global turnover.

On 2024-07-07 17:39, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2024-07-06 19:28, Mickey D wrote:
>>>
>>> "Threat actors could exploit the RockYou2024 password compilation to
>>> conduct brute-force attacks and gain unauthorized access to various online
>>> accounts used by individuals who employ passwords included in the dataset,"
>>> the team explained.
>>
>> Why Passkeys should be used wherever financial transactions or sensitive
>> information are concerned. Or at least TFA.
>
> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU
> for.
>
> It would certainly crystallise minds if companies risked fines of 10% of
> global turnover.

I don't disagree with what you wish, but it will have 0 effect on people
with bad security practices and 0 effect on criminals attempting to
break into systems.

The internet grew up from nothing to everywhere all at once and the
security implications lagged that by near 20 years.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

Alan Browne wrote on Sun, 7 Jul 2024 18:40:50 -0400 :

> it will have 0 effect on people with bad security practices

The problem is lots of people have no good way to remember passwords.

What I do, for example, is:
1. I store passwords in a cross-platform encrypted desktop manager
(KeepassXC)

2. I sync the kdbx database periodically keeping the master on the PC.
Note that my passwords almost never are changed on a mobile device.

3. Every platform has a free program to read that kdbx file, I think.
For example, Windows, Linux & macOS can use the KeepassXC passwd mgr.
<https://keepassxc.org/download/>

Android uses, for example, Keepass2Android, but others exist.
<https://play.google.com/store/apps/details?id=keepass2android.keepass2android>

iOS uses KeePassium for example, but others also likely exist.
<https://apps.apple.com/us/app/keepassium-keepass-passwords/id1435127111>

Each time I'm forced to create a login/passwd combination, I type "vipw"
which, on Windows, has for decades, brought up the native password manager.

Each time I need a login/password, I also type "vipw" into Windows, and up
comes that same password manager, with the sort order usually set to LIFO.

But how many people do that?

Alan Browne <bitbucket@blackhole.com> wrote:
> On 2024-07-07 17:39, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2024-07-06 19:28, Mickey D wrote:
>>>>
>>>> "Threat actors could exploit the RockYou2024 password compilation to
>>>> conduct brute-force attacks and gain unauthorized access to various online
>>>> accounts used by individuals who employ passwords included in the dataset,"
>>>> the team explained.
>>>
>>> Why Passkeys should be used wherever financial transactions or sensitive
>>> information are concerned. Or at least TFA.
>>
>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU
>> for.
>>
>> It would certainly crystallise minds if companies risked fines of 10% of
>> global turnover.
>
> I don't disagree with what you wish, but it will have 0 effect on people
> with bad security practices

I disagree. It will help proactively protect them from themselves. Unlike
the current system in the US where the only response is reactively via law
suits years after people's lives have been affected.

> and 0 effect on criminals attempting to
> break into systems.

Again, disagree. If an org is forced to comply with stricter regulations
regarding data security then that will automatically reduce the target
surface.

However, criminals can be very smart and will change tactics.

> The internet grew up from nothing to everywhere all at once and the
> security implications lagged that by near 20 years.

Which is why we're now seeing more social engineering attacks nowadays that
technical attacks. I'm far less worried about malware today than I used to
be.

On 2024-07-08 03:59, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2024-07-07 17:39, Chris wrote:
>>> Alan Browne <bitbucket@blackhole.com> wrote:

>>>> Why Passkeys should be used wherever financial transactions or sensitive
>>>> information are concerned. Or at least TFA.
>>>
>>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU <-- [AAA]
>>> for.
>>>
>>> It would certainly crystallise minds if companies risked fines of 10% of
>>> global turnover.
>>
>> I don't disagree with what you wish, but it will have 0 effect on people
>> with bad security practices
>
> I disagree. It will help proactively protect them from themselves. Unlike
> the current system in the US where the only response is reactively via law
> suits years after people's lives have been affected.

You're talking about "personal privacy laws" which is not directly
related to computer security. One is policy implementation the other is
security implementation.

>> and 0 effect on criminals attempting to
>> break into systems.
>
> Again, disagree. If an org is forced to comply with stricter regulations
> regarding data security then that will automatically reduce the target
> surface.

Now you changed gears (was: [AAA] "personal privacy").

>
> However, criminals can be very smart and will change tactics.

The most successful side is phishing in one form or another - and that
will never stop.

Still - poking around for system security weaknesses will never stop.

Main things server side is _at least_ TFA and better: Passkeys.

>> The internet grew up from nothing to everywhere all at once and the
>> security implications lagged that by near 20 years.
>
> Which is why we're now seeing more social engineering attacks nowadays that
> technical attacks. I'm far less worried about malware today than I used to
> be.

Yet, they hackers keep hacking. And don't forget that any new website
implementation might be especially weak.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

Alan Browne <bitbucket@blackhole.com> wrote:
> On 2024-07-08 03:59, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2024-07-07 17:39, Chris wrote:
>>>> Alan Browne <bitbucket@blackhole.com> wrote:
>
>>>>> Why Passkeys should be used wherever financial transactions or sensitive
>>>>> information are concerned. Or at least TFA.
>>>>
>>>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU <-- [AAA]
>>>> for.
>>>>
>>>> It would certainly crystallise minds if companies risked fines of 10% of
>>>> global turnover.
>>>
>>> I don't disagree with what you wish, but it will have 0 effect on people
>>> with bad security practices
>>
>> I disagree. It will help proactively protect them from themselves. Unlike
>> the current system in the US where the only response is reactively via law
>> suits years after people's lives have been affected.
>
> You're talking about "personal privacy laws" which is not directly
> related to computer security.

We're talking about data protection - I miswrote when I said personal
privacy - laws. Which for personal digital data requires appropriate
computer security on the side of the data organisation.

> One is policy implementation the other is
> security implementation.

They're part of the same process.

>>> and 0 effect on criminals attempting to
>>> break into systems.
>>
>> Again, disagree. If an org is forced to comply with stricter regulations
>> regarding data security then that will automatically reduce the target
>> surface.
>
> Now you changed gears (was: [AAA] "personal privacy").

I didn't mention AAA. I mentioned EU and by implication, GDPR.

Alan Browne wrote:
> On 2024-07-06 19:28, Mickey D wrote:
>>
>> "Threat actors could exploit the RockYou2024 password compilation to
>> conduct brute-force attacks and gain unauthorized access to various
>> online
>> accounts used by individuals who employ passwords included in the
>> dataset,"
>> the team explained.
>
> Why Passkeys should be used wherever financial transactions or sensitive
> information are concerned.  Or at least TFA.
>
> And passwords need to be strong - computer generated is always best.
>
> Otherwise password access should have time outs.
>
> 1st time wrong: no delay
> 2nd time wrong: 1 s delay
> 3rt time wrong: 2 s delay
> 4th time wrong: 4 s
> 5               8 s
>
> 10              4 hour delay, then reset to 0 delay.
>
> Brute force login attacks would simply not work.
>

My car radio had that in 1990s, enter the PIN wrong and delay increased
each time.

On 07.07.24 01:28, Mickey D wrote:
> RockYou2024 leak of 10 billion passwords - the biggest password leak ever
> https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
> https://mashable.com/article/rockyou2024-leaked-password-database

This is a non-event. Just a compilation of passwords from breaches in
the past.

--
"Mille viae ducunt hominem per saecula Romam." (Alanus ab Insulis 1120-1202)

On Wed, 10 Jul 2024 11:21:31 +0200, J�rg Lorenz wrote:

> This is a non-event.

Nobody needs your opinion, Arlen.

Nick Cine <nickcine@is.invalid> wrote:
> On Wed, 10 Jul 2024 11:21:31 +0200, Jörg Lorenz wrote:
>
>> This is a non-event.
>
> Nobody needs your opinion, Arlen.
>

This is the ultimate insult to Lorenz! Well played!

On 10.07.24 15:58, Nick Cine wrote:
> On Wed, 10 Jul 2024 11:21:31 +0200, J�rg Lorenz wrote:
>
>> This is a non-event.
>
> Nobody needs your opinion, Arlen.

Your post shows that you are a bloody beginner in the Usenet, Arlen.

Path:
eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: Nick Cine <nickcine@is.invalid>
Newsgroups: comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system
Subject: Re: RockYou2024 leak of 10 billion passwords - the biggest
password leak ever
Date: Wed, 10 Jul 2024 07:58:07 -0600
Message-ID: <v6m41f$dvu5$1@solani.org>
References: <v6cjud$1sp0$1@nnrp.usenet.blueworldhosting.com>
<v6ljqr$1rgur$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 10 Jul 2024 13:58:07 -0000 (UTC)
Injection-Info: solani.org;
logging-data="458693"; mail-complaints-to="abuse@news.solani.org"
User-Agent: Usenapp/0.93/l for MacOS - Full License
Cancel-Lock: sha1:OW/2HnHh3wfkDl5Oc/xkpUrBFJM=
X-User-ID:
eJwFwQcBADAIAzBL4xSKHHbwL2EJLCROeiAcg9mpsKqjux+ks0rRK/WWrRzyjRhZrnmFvPwK2RA1
Xref: news.eternal-september.org comp.mobile.android:116605
misc.phone.mobile.iphone:189016 comp.sys.mac.system:196133

And in particular you do not understand what this crap "RockYou2024
leak" is.

--
"Alea iacta est." (Julius Caesar)

On 10.07.24 16:11, badgolferman wrote:
> Nick Cine <nickcine@is.invalid> wrote:
>> On Wed, 10 Jul 2024 11:21:31 +0200, Jörg Lorenz wrote:
>>
>>> This is a non-event.
>>
>> Nobody needs your opinion, Arlen.
>>
>
> This is the ultimate insult to Lorenz! Well played!

My goodness! You are getting really senile, man.

--
"Alea iacta est." (Julius Caesar)

On Wed, 10 Jul 2024 16:39:22 +0200, J�rg Lorenz wrote:

> Your post shows that you are a bloody beginner in the Usenet.

Shut up Arlen. Say something useful for once, you fucking moron.

On 2024-07-09 18:30, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2024-07-08 03:59, Chris wrote:
>>> Alan Browne <bitbucket@blackhole.com> wrote:
>>>> On 2024-07-07 17:39, Chris wrote:
>>>>> Alan Browne <bitbucket@blackhole.com> wrote:
>>
>>>>>> Why Passkeys should be used wherever financial transactions or sensitive
>>>>>> information are concerned. Or at least TFA.
>>>>>
>>>>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU <-- [AAA]
>>>>> for. ------ [BBB] --------
>>>>>
>>>>> It would certainly crystallise minds if companies risked fines of 10% of
>>>>> global turnover.
>>>>
>>>> I don't disagree with what you wish, but it will have 0 effect on people
>>>> with bad security practices
>>>
>>> I disagree. It will help proactively protect them from themselves. Unlike
>>> the current system in the US where the only response is reactively via law
>>> suits years after people's lives have been affected.
>>
>> You're talking about "personal privacy laws" which is not directly
>> related to computer security.
>
> We're talking about data protection - I miswrote when I said personal
> privacy - laws. Which for personal digital data requires appropriate
> computer security on the side of the data organisation.

Which is widely practiced by most corps. and not by some.

>> One is policy implementation the other is
>> security implementation.
>
> They're part of the same process.

Not at all. Security is defensive to principally protect the assets and
operations of the company (customer info being assets too);
privacy is many things, but unfortunately it's a commodity to profit
from unless there are laws to contain it.

>
>>>> and 0 effect on criminals attempting to
>>>> break into systems.
>>>
>>> Again, disagree. If an org is forced to comply with stricter regulations
>>> regarding data security then that will automatically reduce the target
>>> surface.
>>
>> Now you changed gears (was: [AAA] "personal privacy").
>
> I didn't mention AAA. I mentioned EU and by implication, GDPR.

[AAA] was a label I added to the text to point to your "personal privacy
laws" mention. Look higher in the thread - it's still there.
Here - I've add BBB to it (above about 10 lines from top).

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 10.07.24 15:58, Nick Cine wrote:
> Nobody needs your opinion, Arlen.

Arlen. You are a primitive and brain dead Troll.

--
"De gustibus non est disputandum."