

Researcher Posts 10M Usernames, Passwords Online
Source: Stephanie Mlot


Security researcher Mark Burnett this week released 10 million of your usernames and passwords on the Internet, but he insists it's for a good cause.

According to Burnett, most of the passwords are dead and unable to be authenticated, so they are largely useless for illegal purposes.

So why release the info? "This data is extremely valuable for academic and research purposes and for furthering authentication security and that is why I have released it to the public domain," Burnett wrote in a blog post.

Plus, you can search the data yourself and see if your password is among those on the Web. If it is, "that means it has already been publicly available for some time," Burnett warned. "You should change your password and enable two-factor authentication if available. Several of my own passwords are on the list as well, I left them there because they are already many places on the Web."

A search tool was built by Michigan-based student Luke Rehmann, according to the Daily Mail. If you're concerned about entering your information into this tool, you are able to search portions of a username or password (like PCM instead of PCMag, for example).

Burnett acquired his password info via samples from thousands of password dumps. Most were collected in the last five years, "although it also includes much older data," he wrote.

In the past, Burnett has declined requests for his password research data. But he had a change of heart since "a carefully selected set of data provides great insight into user behavior and is valuable for furthering password security."

Releasing a list of commonly used passwords is nothing new; SplashData just revealed its annual list last month. But making usernames and passwords public together is a bit more taboo. "Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature" and might catch the eye of federal authorities, Burnett wrote.

Burnett, however, said his intent was "not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity," any of which would be against the law. "The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access," so his move should escape FBI scrutiny, he argued.

For more, see PCMag's lineup of The Best Password Managers.

