Is RockYou2021 really a password leak?


Reports of a new password leak made headlines at the beginning of June 2021 and led to widespread alarm over its security implications, as it was dubbed the largest leak in history with 8.4 billion compromised passwords. According to those reports, a 100GB file was posted on a popular hacker forum on 8th June by a user who initially claimed it contained 82 billion password entries; on analysis the real figure turned out to be roughly ten times lower. The poster added that all entries were 6 to 20 characters long, with non-ASCII characters and white space removed. The file was named RockYou2021, presumably in reference to the 2009 breach of the social application RockYou, in which 32.6 million credentials were exposed following a SQL injection attack. The RockYou2021 file is reported to include those 32.6 million RockYou credentials together with the 3.2 billion compromised passwords in the Compilation of Many Breaches (COMB) file leaked at the beginning of 2021. Following the news, numerous blogs urged users to change their passwords immediately. It later emerged that RockYou2021 had been widely misunderstood and misreported by the media.


What actually is RockYou2021?

The RockYou2021 file was put into context by security researcher Troy Hunt. On Twitter he explained that RockYou2021 is not a list of 8.4 billion breached credentials and that the file offers nothing new or unique. The 100GB file is a compilation of old password leaks, probable and commonly used passwords, and wordlists. According to Hunt, and as later confirmed by other researchers, only a small portion of the entries are already-known breached passwords; the majority of the 8.4 billion entries have never been anyone's password and come from wordlists and generated candidate passwords.

Wordlists are a standard tool for guessing and cracking passwords and taking over online accounts. As the name suggests, they typically contain dictionary words and common character variations of them, along with common and previously exposed passwords. Attackers use them in three main ways. In a dictionary attack, a form of brute force, the attacker tries to guess a user's password by working through the pre-selected words and phrases in the list. In password spraying, the attacker tries a single common password against a large number of accounts before moving on to the next word, which keeps the number of attempts per account low enough to stay under lockout thresholds. Finally, wordlists serve as cracking dictionaries for recovering hashed passwords: the attacker computes the hash of every entry in the list and compares each result with the stolen hash. If the original password is a simple word found in the list, or a common variation of one, the attacker recovers it and can compromise the account.
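The dictionary-cracking step described above, as an added example that is not from the original article: a constructed nine-word list, the rule-based variations ("mangling") attackers apply to each word, and SHA-256 hashes so that the example is self-contained. The wordlist, the victims' hashes, the salt values and the rule set are all assumptions for illustration; real leaks use whatever hash the breached site used.

```python
"""Added example (not from the article): offline dictionary attack on password hashes.

SHA-256 is used only to keep the example dependency-free. It is a fast hash, which
is exactly why a site should store passwords with a slow, salted scheme (bcrypt,
scrypt, Argon2) instead: each guess then costs the attacker far more.
"""
import hashlib
import hmac

# Constructed wordlist: dictionary words plus common/previously exposed passwords,
# the kind of entries the article says compilations like RockYou2021 are made of.
WORDLIST = ["password", "123456", "qwerty", "sunshine", "football",
            "princess", "iloveyou", "michael", "computer"]

# Assumed rule set: the "common character variations" attackers try per word.
SUFFIXES = ("1", "123", "!", "2021")
LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield the base word followed by its common variations."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.translate(LEET)
    if leet != word:          # skip a duplicate when no substitutable letters exist
        yield leet


def sha256_hex(password, salt=""):
    """Hash salt||password; an empty salt models an unsalted store."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(target_hex, salt="", wordlist=WORDLIST):
    """Hash every candidate and compare it with the stolen hash.

    Returns (password, attempts) on a match, else (None, attempts).
    A leaked salt is assumed known to the attacker: salting defeats precomputed
    tables and shared work across users, but not a weak password.
    """
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hmac.compare_digest(sha256_hex(candidate, salt), target_hex):
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed victims: a weak password (a list word with a common suffix)
    # and a random one that appears in no wordlist.
    print(crack(sha256_hex("Sunshine123")))                        # ('Sunshine123', 42)
    print(crack(sha256_hex("Sunshine123", "x9Qf"), salt="x9Qf"))  # ('Sunshine123', 42)
    print(crack(sha256_hex("Tq7#vL9$pR2mWz!x")))                   # (None, 107)
```

The weak password falls in 42 guesses whether or not it was salted, because the salt only stops the attacker reusing work between users; the random password survives the whole list because no rule derives it from a dictionary word. Real attacks run the same loop with hashcat or John the Ripper over billions of candidates per second.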


Why are strong passwords important?

The attacks described above are frequently successful, not least because users often re-use the same passwords, or slight variations of them, and often do not change them after a leak. It is estimated that over 80% of people re-use passwords across multiple platforms, including social media, online banking and work environments. Weak and easy-to-guess passwords such as sequential letters or numbers, common names and simple words or phrases make these attacks even more effective. Data collected by White Blue Ocean shows that at the start of 2021 the most common passwords included ‘value’, ‘123456’, ‘123456789’, ‘qwerty’, ‘password’, ‘12345’, ‘querty123’, ‘111111’, ‘DEFAULT’ and ‘abc123’. Other common passwords were simple words like ‘computer’, ‘princess’, ‘football’ and ‘sunshine’, popular phrases like ‘iloveyou’, first names like ‘michael’, ‘ashley’ and ‘david’, and easy-to-guess number sequences or repetitions like ‘222222’. Simple passwords may seem a practical way to remember them, but they expose users and their systems to a high level of risk.

Creating strong passwords

The most effective defence against brute-force attacks and password cracking is a password that is hard to guess. Users should aim for unique passwords and steer clear of popular words, sequential numbers and letters, common patterns and personal information such as a name or date of birth. Length is essential, since every extra character multiplies the time and computing power needed to crack the password. Mixing character types also matters: use upper-case and lower-case letters together with numbers and symbols. One of the most important rules is never to re-use a password across platforms, so that an attacker who obtains the password to one account cannot use it to take over others. Passwords should also be updated routinely, and in any case immediately after a suspected leak, and multi-factor authentication should be enabled wherever it is offered to add a further layer of protection. Creating and remembering strong, unique passwords for many accounts can seem daunting. A password manager helps on both counts: it generates strong passwords and stores the passwords for different accounts in a single, protected location. Following these steps produces a strong password, which is essential to keep bad actors from gaining unauthorised access to your online accounts.
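The rules above turned into a checker, as an added example that is not from the article: it flags short passwords, too few character classes, common words (including the leet-spelled and suffixed variants an attacker's rules would derive), ascending or descending runs, repeated characters, keyboard walks and supplied personal information. The minimum length of 12, the requirement for three of the four character classes, the run length of 4 and the small common-password set are assumptions chosen for illustration.

```python
"""Added example (not from the article): assess a candidate password against the
guidance in the text. Thresholds and the common-password set are assumptions."""
import re
import string

# Constructed subset of commonly seen passwords (the ones the article lists).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345", "qwerty123",
    "111111", "default", "abc123", "computer", "princess", "football",
    "sunshine", "iloveyou", "michael", "ashley", "david", "222222",
}
MIN_LENGTH = 12        # assumption; the article only says longer is better
MIN_CLASSES = 3        # assumption: at least 3 of lower/upper/digit/symbol
RUN = 4                # assumption: runs of 4 or more count as a pattern
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "@": "a", "$": "s"})


def normalise(pw):
    """Reduce a password to the base word an attacker's rules would start from:
    lowercase, drop trailing digits/symbols, undo common leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(UNLEET)


def char_classes(pw):
    """Count how many of lower, upper, digit and symbol classes are present."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)))


def has_sequential_run(pw, run=RUN):
    """True for `run` characters stepping by +1 or -1 in code point (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw, run=RUN):
    """True for one character repeated `run` or more times (222222)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_walk(pw, run=RUN):
    """True for `run` adjacent keys along a keyboard row, forwards or backwards."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in s or seg[::-1] in s:
                return True
    return False


def assess(pw, personal_info=()):
    """Return a list of finding codes; an empty list means no rule fired."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if char_classes(pw) < MIN_CLASSES:
        findings.append("few_classes")
    # Check the raw value too: purely numeric entries normalise to "".
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        findings.append("common_word")
    if has_sequential_run(pw):
        findings.append("sequential")
    if has_repeated_run(pw):
        findings.append("repeated")
    if has_keyboard_walk(pw):
        findings.append("keyboard_walk")
    low = pw.lower()
    if any(len(t) >= 3 and t.lower() in low for t in personal_info):
        findings.append("personal_info")
    return findings


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "abcd1234", "Michael1985", "Tq7#vL9$pR2mWz!x"):
        print(candidate, assess(candidate, personal_info=("Michael", "1985")))
```

Note that "P@ssw0rd1!" satisfies a naive "upper, lower, digit, symbol" policy yet is still flagged, because normalising it recovers "password"; this is why a checker should test derived base words, not just the literal string, and why a real deployment should compare against a full breach corpus rather than this constructed set.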

