RockYou2021: Largest Ever Password Compilation Leaked | CyberNews


Robert Lewis

Jun 7, 2021, 1:51:27 PM
to Felton Lug

Rick Moen

Jun 7, 2021, 2:34:32 PM
to Felton Lug
Quoting Robert Lewis (bob.l...@gmail.com):

> https://cybernews.com/security/rockyou2021-alltime-largest-password-compilation-leaked/
> Any comments?

Article says:

Considering the fact that only about 4.7 billion people are online,
numbers-wise the RockYou2021 compilation potentially includes the
passwords of the entire global online population almost two times over.
For that reason, users are recommended to immediately check if their
passwords were included in the leak.

To check whether your password is part of this gigantic leak, head
over to the CyberNews personal data leak checker [link] or our leaked
password checker [link], where we are currently uploading the password
entries from the RockYou2021 compilation.

At the two links, you can type in your passwords, and see if they have a
match in the database of plaintext password entries.

You know what I'd never, ever, _ever_ do? Class? Class? Bueller?

I'd never just type in one of my (significant) passwords into some
random Web CGI. Because, y'know, not born yesterday.


I did make up one, "28skidoo". I got, in all red:

Oh no! Your password has been leaked
It was detected 8 times in leaked databases.

Let's assume the database is accurate. Let's assume (for the sake of
discussion), that 28skidoo is a password I significantly rely on
(somewhere) -- which is of course not actually true. _What do I now know?_

I know that someone, somewhere on this planet or in near space, at some
time, in some context, used 28skidoo as a password for something. I
do not know whose password it was, or for what purpose and in what
context it was valid, or when it was valid.

All I know (if the RockYou2021 compilation is deemed to accurately
reflect security tokens collected from various illicit sources) is that
this password had been used in (at least) eight contexts. Joy.

Article says:

By combining 8.4 billion unique password variations with other breach
compilations that include usernames and email addresses, threat actors
can use the RockYou2021 collection to mount password dictionary and
password spraying attacks against untold numbers of online accounts.

This is tautologically true, but really doesn't change how password
brute-forcing works already. If brute-forcing works 0.01% of the time
against your passwords before the heat death of the universe, you are
terrible at constructing passwords, and need to fix that.

Since most people reuse their passwords across multiple apps and
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
websites, the number of accounts affected by credential stuffing and
^^^^^^^^
password spraying attacks in the wake of this leak can potentially reach
millions, if not billions.

As the old IT joke punchline goes, "Well, Don't Do That, Then."

Something about the topic of security seems to impel a lot of people to
switch their brains off. I don't want to rag on author Edvardas
Mikalauskas. He presumably has a quota of line-inches to fill, and
there _are_ at least ten lines of actual news hidden in that article.
Not very interesting news, but news.
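The alternative to typing a live password into a web form is the k-anonymity range check used by the haveibeenpwned.com Pwned Passwords service: the client sends only the first 5 hex characters of the password's SHA-1 and matches the remaining 35 locally. The code below is an added illustration, not from this thread or from CyberNews; the lookup service is a constructed offline stand-in and the hit counts (including the 8 for "28skidoo") are made up to mirror the post.

```python
import hashlib

# Constructed sample of "leaked" passwords with hit counts; "28skidoo" gets 8
# so the demo mirrors the result quoted in the post. Not real breach data.
SAMPLE_LEAKED = {"28skidoo": 8, "letmein": 3, "correct horse battery staple": 1}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into a 5-char prefix and a
    35-char suffix; only the prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_server(prefix):
    """Stand-in for the remote range endpoint (constructed, runs offline).
    Returns one 'SUFFIX:COUNT' line per leaked hash whose SHA-1 starts with
    `prefix`, plus filler, so the service learns only the bucket asked for,
    never which password the client holds."""
    lines = []
    for pw, count in SAMPLE_LEAKED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("F" * 35 + ":1")  # constructed filler entry in the same bucket
    return "\n".join(lines)


def leak_count(password, range_lookup=constructed_range_server):
    """Return how many times `password` appears in the leak data without
    sending the password, or its full hash, to the lookup service."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("28skidoo", "not-in-any-list-9vX!"):
        print(pw, "->", leak_count(pw))
```

As Rick's post notes, a non-zero count still tells you only that the string has been used as a password somewhere, not by whom or for what.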

Larry McElhiney

Jun 7, 2021, 3:51:00 PM
to Felton LUG
I tried several "ancient" passwords which I only use on throw-away access (i.e., no personal or financial data) and found them all on the list, but Google had been warning me about them for a while.  (fourT9ers) is on the list.

Pretty much any dictionary word combined with another dictionary word is in the list.  (Even with numbers.)  Sometimes, "hacking" the characters has worked:  55 for SS and 0 for O or 3 for E, but those are very easy to check.  I have swapped some of my dead ones from letters-numbers to numbers-letters and they are not on the current list.

For folks at home, don't assume that someone will break into your home to steal your passwords - they will be after possessions, money, drugs and weapons.  Keeping a coded notebook in your desk drawer seems much safer to me than any Password app or Cloud location.

2-factor authentication is painful, but works.

Bob, don't read this:  Apple requires any existing verified local device be used to verify a new device.  Last week, when I received my new iPad Pro, with M1 CPU, and I powered it on, all of the iPhone, iPads or MacMinis which were powered on in our home and connected to WiFi received a "ding" and popup notification with a location map.  I had to accept the request on "any" one of my devices and a 2-factor code was sent to me to verify on the new device.  (Oh, by the way, setup of the new iPad simply required NFC with another device and all of the data, including apps was transferred.)

When you think about the number of password aging, non-repeat and syntax requirements that are pushed on us, it is easy to see that one might have generated dozens, if not hundreds of passwords that we no longer use.  Total quantity on their list does not necessarily mean total quantity of vulnerable accounts...  My Pizza Hut account requires a password! :-)

Passphrases are a better approach.  Harder to crack and easier to remember.  However, if they have an "infinite number of monkeys on an infinite number of typewriters",  you might be in trouble...

Larry

Jeff Liebermann

Jun 7, 2021, 4:56:36 PM
to Felton Lug
On 6/7/2021 10:51 AM, Robert Lewis wrote:

I looked at the short list of sample passwords in the article and noticed that it looks very much like what might be produced by a random password generator program.  Since the list doesn't seem to have any duplicates, and the number of entries exceeds the world population, my guess(tm) is some enterprising teenager wrote a program to produce random passwords until his disk drive became full.  This is likely for a bogus but salable rainbow table (used in password cracking).  This won't be the first time someone has tried to pass off a computer generated rainbow table as a password compilation.  Bigger is considered better, but too big, like this one, is very suspicious.
https://project-rainbowcrack.com
https://www.ionos.com/digitalguide/server/security/rainbow-tables/

If the list had included user login names and email addresses, entering it into https://haveibeenpwned.com would likely show that every person on the planet has had their password leaked.  The problem here is that once an email address is listed as having an associated password leaked, it's permanent.  You can change the password, but the operators of
https://haveibeenpwned.com
(and other) such sites have no way to know that you changed your password.

2FA (two factor authentication) is the current fashion in security.  There are various schemes, devices, and apps available for the purpose.  I'm currently using Google Authenticator, Microsoft Authenticator, and Aegis Authenticator.  All of them run on my Android phone.  There are iPhone versions.  The way they work is you first login to a web site with the usual name and password.  The web site then asks you to look at your authenticator application for a generated random PIN number, which changes every 60 seconds.  You type the number into the web page, and you're on.  If you don't like using an app, the web site can send you an SMS (text) message with a PIN number.  In theory, I could publish my user name and password to the world, and nobody could use it unless they have a matching authenticator app.  Unfortunately, there have been ways to intercept PIN numbers sent via SMS messaging, so I suggest using a good open source authenticator app for a smartphone.
https://getaegis.app

While I'm ranting on about security, you might be interested in the following web pages if you have an AT&T, pacbell.net, sbcglobal.net, yahoo.com, etc account.  AT&T manages all these and recently tightened security by demanding that users mail clients use OAUTH2 for authentication.  Google has been using OAUTH2 for quite some time.  However, it seems that many mail clients don't work well with either AT&T or Google servers.  I'll spare you my opinion on who screwed up this time.  If you are having password or authentication problems with Google, Yahoo, or AT&T email, this should "solve" the problem:
https://www.att.com/support/article/email-support/KM1240308/
https://support.google.com/accounts/answer/185833
These custom password workarounds and "solutions" are great for users with a small number of computers and email programs that need to access a single affected account.  Unfortunately, I have a fairly large number of working machines and devices that I use for email.  This workaround requires a unique application specific password for each machine and each app.  So, this scheme isn't going to work for me.

Ok, time for lunch.  I should probably stop now before the inevitable endless security discussion ruins my digestion.


-- 
Jeff Liebermann                 je...@cruzio.com
PO Box 272      http://www.LearnByDestroying.com
Ben Lomond CA 95005-0272      
Skype: JeffLiebermann      AE6KS    831-336-2558
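The authenticator flow Jeff describes is TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the current time divided into fixed steps. The Python below is an added example, not code from the thread or from any of the apps named: it derives the 6-digit code from a shared secret and a timestamp, and shows the server-side check that tolerates one step of clock drift. The secret is the RFC test-vector key, and the step length is a parameter (the RFC default is 30 seconds).

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic
    truncation' to a 31-bit integer, then reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Both the
    phone and the server compute this from the same secret; no network needed."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift. A real server must also refuse to accept the same
    code twice within its validity window (replay); that bookkeeping is omitted."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


def secret_from_base32(b32):
    """Enrollment secrets travel as Base32 in otpauth:// URIs / QR codes,
    often without '=' padding; restore it before decoding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed shared secret: the RFC 6238 test-vector key (ASCII digits).
    secret = b"12345678901234567890"
    print("code now:", totp(secret, int(time.time())))
```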

Rick Moen

Jun 7, 2021, 6:26:47 PM
to Felton LUG
Quoting Larry McElhiney (lmcel...@gmail.com):

> I tried several "ancient" passwords which I only use on throw-away access
> (i.e., no personal or financial data) and found them all on the list, but
> Google had been warning me about them for a while. (fourT9ers) is on the
> list.

Speaking of that: the facts reported in CyberNews are indistinguishable
from what would have resulted from someone taking a bunch of lists of
common words of various types (generically called 'dictionary files' in
the jargon), some heuristics for combining and morphing them with things
like L33Tspeak substitutions, and cranking out a few million supposed
'passwords' programmatically. To add believability, merge in a few
existing plaintext password collections, and randomise the line order.

Thus, what was "leaked" didn't have to have any newly revealed passwords
at all, and it would look just like what was reported.

> For folks at home, don't assume that someone will break into your home to
> steal your passwords - they will be after possessions, money, drugs and
> weapons. Keeping a coded notebook in your desk drawer seems much safer to
> me than any Password app or Cloud location.

Here's a hypothetical: You have a bunch of post-its at your desk, with
things written on them. Some of the things written on the post-its are
passwords, but with absolutely no indication about what they are
passwords to -- and none of them is by itself sufficient to unlock your
workstation's screensaver at the machine at your desk.

Is the threat model of "Person who breaks into my locked house can see
some of my passwords among other text on various post-its, but has no
idea in what context and with what credentials they're usable" a
tolerable threat model? Most people would say yes.

> 2-factor authentication is painful, but works.

Often, _extremely badly_, and creating a false sense of security.
https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-hijacking/
https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
In particular, 2FA using SMS is just dreadful, and that's what it turns
out to be, most of the time.

> Passphrases are a better approach.

But don't forget
http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html
That was theft of a passphrase, via trojaned /usr/bin/ssh.

If you were to speculate that the unnamed employer was VA Linux Systems,
Inc., and that the security-compromised public shared host was
shells.sourceforge.net, I would say 'Hmm, no comment.'

--
Cheers,                  Grammarian's bar joke #22: The past, present,
Rick Moen                and future walked into a bar. It was tense.
ri...@linuxmafia.com
McQ! (4x80)

B Reiss

Jun 8, 2021, 2:42:01 PM
to Felton LUG
I certainly don't want to ruin Jeff's digestion, but a question.

I'll look at the open source authenticator, but in a small business organization, expecting people to keep their phone secure is impossible. I've used Google Authenticator, but am trying not to make that core to my security setups (because as soon as you get it all working, Google will change something, or kill the whole product).

So I'm looking for a hardware solution. I bought a YubiKey, but never managed to make it do anything.  Ideally I'd have a device (USB) that when plugged in, authenticates me as a local user, and authenticates me to the network and any remote services.


A related issue that's become a problem is "cloud" stuff. An employee at work set up a server, mostly implemented an MRP system, then left (note, corporate rule is no cloud stuff without permission). So now I'm trying to break into the systems he set up and figure out what he did. I find files in a OneNote directory, which means he set up and used a Microsoft cloud account, which may or may not be syncing data off his old machine, and I don't know if he 2FA'd that account to his personal cell phone. So it's hack his accounts, try to get our information back, then nuke his Win10 machine to try to block OneNote and clear any other cloud sync processes going on. Then try to figure out what to do with the MRP system. Burning down 2 years worth of work and starting over is at least being considered.


Anyway, net question, has anyone implemented a hardware key based system? How did it work for you? And what all were you able to do with it?

Bruce

Larry McElhiney

Jun 8, 2021, 3:17:45 PM
to Felton LUG
Just an aside, in the 1980s we had a UCSC PhD candidate set up our Plantronics Service Center Inventory system on a PDP-11.  He created his own Macro language and then quit.  It was undocumented and uncommented.  (Before WiFi and luckily Microsoft was not involved...)

Jeff Liebermann

Jun 11, 2021, 1:53:28 AM
to felto...@googlegroups.com
On 6/8/2021 11:42 AM, B Reiss wrote:
> I certainly don't want to ruin Jeffs digestion, but a question.

Groan.  I have my calcium carbonate 500mg pills ready.

> Anyway, net question, has anyone implemented a hardware key based
> system? How did it work for you? And what all were you able to do with it?
Yes, but it didn't quite work as expected.  It was about 1996 and I was
keeping the servers at a medical office running.  This was in the early
days of HIPAA:
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
which required that medical service providers secure their patients'
data.  Guidelines were provided, which offered clues, but no real
solutions on how to do this.  Someone decided that it would be a good
idea to issue USB flash drives to everyone that needed to login to the
system, which would authenticate the user with an X.509 certificate on
the USB flash drive.  There were about 150 people in one main and four
remote offices.  This was not my area of involvement but I was allowed
to watch the fun.

The first problem was distributing the keys to the intended recipients. 
One might think that this is a trivial problem.  Just have someone walk
around the office, find the designated person, fill out a form, sign on
the line, and hand them their pre-activated USB key.  Nope.  Ever try to
interrupt someone in a medical office?  Ever try to get a doctor's
attention?  Never mind that everyone there hates computers and at best
considers them to be the work of the devil.  So, the keys were initially
distributed by USPS snail mail.  I don't know exactly how many keys were
sent, but judging by the growing number of revoked certificates, a fair
number of USB keys disappeared or were lost.  I never received mine.

The revoked certificate list also grew for another reason.  As a group,
medical professionals are not very organized.  They regularly leave
their USB key at home.  They would arrive at the office and find that
they can't access patient records.  So, USB keys were passed around
between doctors and staff sufficiently to make cleaning up the rights,
permissions and authorizations a regular weekend event.  It was not
unusual for doctors to be denied access to their own patient records.
This weekend cleanup became a problem for me since I did most of my
server maintenance on weekends and there was always someone working on a
weekend cleaning up the mess.

To solve this problem, it was decided that everyone should leave their
USB keys at the office.  That actually worked fairly well, until people
started working at home via dialup modems and until the office failed a
security audit.

There were plenty more problems with the system, most of which I can't
talk about.  As I vaguely recall, it was eventually replaced by a one
time password generating key fob:
https://www.google.com/search?q=one+time+password+generator+key+fob&tbm=isch
and later by an authenticator app running on a laptop or smartphone.

Good luck with hardware key systems and time for an antacid pill.