If you’ve been following the news in recent days, you may have noticed reports of an alleged leak of 8.4 billion passwords. Stories like this matter, but in this case there is nothing to be alarmed about: so far, no evidence of a mega-leak of passwords has been found.
A storm in a teacup, then? That is what it looks like.
RockYou2021: a 100GB file
The story began when a user of a hacker forum posted a file of about 100 GB named rockyou2021.txt. The name RockYou2021 appears to be a reference to RockYou, the 2009 breach in which 32 million passwords were leaked.
The user claimed the file was a compilation of over 82 billion passwords. However, an analysis by the site CyberNews, the outlet that first reported the story, found that it actually contains 8.4 billion entries presented as leaked passwords.
That is a much smaller number, but still a large one: it is almost twice the estimated number of people using the internet worldwide (4.7 billion). That is why the subject made headlines within hours.
A slightly more careful analysis, however, shows that such a list is not as worrying as it appears, for several reasons.
There is no reason to panic
For starters, the passwords in the file appear to be a compilation of previous leaks, including COMB, a list of 3.2 billion allegedly leaked passwords that began circulating on the internet earlier this year. That alone indicates there has been no new breach.
Of course, 3.2 billion passwords is a worrying number, but in RockYou2021 these entries are not associated with email addresses, usernames or any other account information. On their own, passwords are nothing more than strings of characters: without knowing which account each one belongs to, an attacker cannot simply log in with them.
In addition, the poster himself warned that spaces and certain special characters had been stripped from the list. That by itself invalidates many of the entries that might once have been genuine passwords, because a real password containing those characters appears in the file in an altered form that no longer matches the original.
There is more. Troy Hunt, security expert and creator of Have I Been Pwned, pointed out on Twitter that the list actually consists largely of a big set of words. According to him, most of them were never used as passwords, that is, there is no evidence they were ever used that way.
Hunt also pointed out that the list contains “among other things, ‘all the words from the Wikipedia database’ and words from the Project Gutenberg collection of free e-books.”
Lists like this can be used in dictionary attacks, which try to discover a password by testing a large number of candidates in sequence, typically against password hashes stolen from a site. But that does not mean that every entry corresponds to a password someone actually uses.
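To make the two points above concrete, here is an added example (not from the article, and not code from CyberNews or Troy Hunt) of how a wordlist like RockYou2021 is actually used: the attacker has stolen a site's salted password hashes and hashes each candidate from the list until one matches. The wordlist, the victim passwords and the salted PBKDF2 storage scheme are all constructed for the demo. It also shows the consequence of the poster's filter: a passphrase with spaces is not found, because only the stripped form "correcthorsebatterystaple" is in the list.

```python
import hashlib
import os

# Constructed wordlist standing in for rockyou2021.txt: mostly plain words
# (the kind a Wikipedia dump would contribute) plus a few entries that really
# are common passwords. The last entry is what a passphrase looks like after
# the poster's filter removed its spaces.
WORDLIST = [
    "aardvark", "abacus", "wikipedia", "gutenberg", "zymurgy",
    "123456", "password", "iloveyou", "qwerty",
    "correcthorsebatterystaple",
]

# Kept low so the demo runs quickly; a real deployment uses far more.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, roughly how a well-run site stores a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str):
    """Simulate a site creating a stored credential: random salt plus hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def dictionary_attack(salt: bytes, digest: bytes, wordlist=WORDLIST):
    """Offline dictionary attack: hash every candidate with the stolen salt
    and compare against the stolen digest. Returns the recovered password,
    or None when no entry in the list matches."""
    for candidate in wordlist:
        if hash_password(candidate, salt) == digest:
            return candidate
    return None


def crack_all(passwords, wordlist=WORDLIST) -> dict:
    """For each victim password, store it the way a site would, then run the
    attack against the stored hash. Maps each password to what was recovered."""
    results = {}
    for pw in passwords:
        salt, digest = store(pw)
        results[pw] = dictionary_attack(salt, digest, wordlist)
    return results


if __name__ == "__main__":
    victims = ["123456", "correct horse battery staple", "Tr0ub4dor&3"]
    for pw, found in crack_all(victims).items():
        print(f"{pw!r:35} -> {'CRACKED' if found else 'not in list'}")
```

The only thing the wordlist buys the attacker is the order in which candidates are tried: "123456" falls on the first pass, while a password that is not in the list, whether because it was never a dictionary word or because the filter mangled it, costs a full brute-force search instead.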
Basic care is still valid
If there is any use to be made of all this alarmism, it is as a reminder that basic password precautions are still valid.
Creating passwords that combine uppercase and lowercase letters with numbers and special characters is one of the most important precautions, as is never reusing the same password across services: a password that appears on a list like this, or that is shared between sites, is the first to fall in a dictionary attack.
Equally important is enabling two-factor authentication (2FA) on every service that offers it.
If you already handle passwords this way, then no, there is no need to rush to change all of them because of RockYou2021.