Home / Software & Gaming / Security / Researcher unveils 10 million people’s passwords

Researcher unveils 10 million people’s passwords

If you have been using the same password for years, then perhaps this will encourage you not to. A researcher by the name of Mark Burnett, has released a list of over 10 million passwords and usernames which he was able to harvest in clear text from various websites and forums around the internet. While this might seem like your average attempt at spreading mischief by a nefarious individual, Barnett did it in the hopes that people will see how common some passwords are and therefore encourage them not to use any of the ones found on his list.

“Frequently I get requests from students and security researchers to get a copy of my password research data,” Burnett said on his blog. “I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain.

passwords2

Despite endless efforts by security professionals and computer savvy nephews the world over, a lot of people still make use of simple passwords like “1234,” and “password,” or their favourite pet's name if they're getting especially clever. None of these are good enough of course and Burnett wants people to understand that more than ever.

As educational as Barnett wants this release to be however, he has stressed that he would rather not be arrested for it. The giant blog entry that goes with it spends most of its time pointing out why that shouldn't happen.

For those wishing to look at the list, you can download the file from his magnet link here.  It is a 180MB text file though. Good luck opening it without some finagling.

KitGuru Says: Use a password saving tool people. It makes life a lot easier and takes a load off your mind when you can store all sorts of impossible to remember passwords in there. Just make sure you will always remember your master password. 

Image source: Dev Arka

Become a Patron!

Check Also

Nvidia driver update fixes crucial security vulnerabilities

Nvidia GeForce, RTX, Quadro, NVS and Tesla GPU users will want to update their drivers soon. Nvidia has pushed out a hotfix with a number of critical security fixes that if left unfixed, could allow for unauthorised access to systems. 

22 comments

  1. Can someone please pastebin this! Would love to be able to scan through it and see if i’m in the list!

  2. I tried to Pastebin it, but every time it crashed for several minutes, then nothing was put into pastebin, just recovered empty, I tried it going 500,000 at a time, still crashed. Also the text file causes Notepad++ to lag..

  3. While he did this for educational purposes, this was a stupid move. 10 million passwords? Not all of those are simple, and this likely caused a serious security breach (imagine if your password was on there, and you didn’t know about this… How many people now have your password?)

  4. I cant access the list right now but I doubt he gave the username and corresponding password…

  5. I always wonder about “Password saving tools” what if someone gets your login for that? Then everything will be gone in one go!

  6. Not quite. The program should encrypt your password with at least 128 bit AES. This dump shows how you can’t trust basic sites with your data and how some people are stupid.

  7. So according to the document, there are 235 users that actually use the word ‘c*ck’ as their password and 3381 users that use the word ‘p*ssy’ as their password. Bravo.

  8. That is true. I still dislike the fact that he gave out so many passwords though…

  9. Unless you’re a nut and don’t have an averagely secure password consisting of numbers spaces and letters, you practically deserve it.

  10. How did anyone get this to open! It kills notepad.

    *EDIT*

    Going to try and run it off my SSD, this should be interesting.

    *EDIT*

    SUCCESS! For anyone trying to open it, run it from an SSD and use Notepad++ not word or Notepad.

  11. for lastpass it has. no encryption once you use the master password…Even a option in most of them to save all your passwords in a text file… its why your masterpassword should be creative long and written on paper .. The best thing about password tools is your forced into different passwords for each site.. so if somebody gets the db on one site you are not screwed for all your other sites..if you happen to use the same user name and password..or email……… ….

  12. Roger Sutton-Cimorelli

    A lot of websites don’t allow you to have spaces in your password do they? ^

  13. Well that’s for browsers storing it. A website should store it using SHA-1 or some other method which cannot be decrypted without the password. That way even if someone gets the DB from a website, they can’t do anything with it.

  14. RJ Tomasko Fireworks

    Worked for me(;
    Very interesting!

  15. i use passwords like g6q21YHnnnQE7rth :3

  16. I opened it with notepad,and it worked, i even did a CTRL+L to see if the first 3 letters of my passwords were there 🙂

  17. But if you discover the password for the program you know the algorithm for decryption!

  18. Simple people need to quit being dumb, and need to make up a password with at least 12 caracters, with lower and uppercase letters symbols and numbers all mixed up with no logical order…

  19. Don’t trust them if someone can discover your password for it, he can most probably crack the program itself so you’re fucked, because there goes your master password and the decryption keys for the rest…

  20. Just open it in a hex editor, doesn’t matter what device you have stored it on as they are designed to operate with very large files.

  21. actually it was really not smart to post the txt.. its not that you can use these passwords, its now someone has a huge list of passwords that they can use to brute crack passwords using a dictionary attack. if one person is using it, someone else might be.

  22. I checked the file, and it seems like he did.