
'No Need to Panic': RockYou2024 Leak of 10B Passwords Is 'Mostly Garbage Data'

The 'RockYou2024' database that supposedly contained 10 billion leaked passwords is mostly full of junk that's of little use to hackers, according to researchers.

By Michael Kan, Principal Reporter


Earlier this month, a hacker made headlines for circulating a database that contained nearly 10 billion passwords that were leaked or stolen from previous data breaches. However, according to recent analyses, the archive is filled with more junk than useful information.

The database, called RockYou2024, may look like a "goldmine for attackers," but a lot of the compiled passwords appear to be worthless, according to security researcher Ata Hakcil, who examined the 150GB archive for WizCase.

One reason is that many of the passwords are over 20 characters long, which is not typical for most passwords. A large section of the database is also made up of text entries that are 100 to 300 characters long.


In other cases, the database contains random brand names and terms, such as “Ifco Tokio General Insurance,” “Image Real Estate,” and “Ideal Credit Solution” — a sign that the database pulled in random text from the internet rather than stolen passwords.

Hakcil also found that if you filter the database to text from six to 12 characters in length, the typical length of a password, the archive shrinks drastically from 9.9 billion entries to 5.9 billion. 


Other passwords were found to be random characters, suggesting they were scraped from a password generator rather than exposed in an actual data breach involving customer information. “As such, most of these passwords probably aren’t being used,” he wrote, later adding: “I highly doubt that you’re in danger from 'RockYou2024' and there’s no need to panic!”

Security researchers at password management provider Specops Software reached the same conclusion. “The dataset is neither useful as a wordlist, nor is it an alleged list of passwords that can be used to attack potential targets. In all honesty, it’s mostly garbage data, and we wouldn’t recommend focusing energy or efforts on it,” they wrote in their own analysis.

The RockYou2024 archive supposedly represents an update to RockYou2021, which contained 8.4 billion leaked passwords. However, Specops also found that the 2024 edition of the archive seems to have added only data from “low-quality sources.” For example, the archive contains millions of entries spanning 34 or 38 characters that are Russian-language text or the product of hashing algorithms rather than actual passwords.
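The checks the researchers describe (entry length, multi-word phrases, hash-like strings) can be reproduced as a quality profile when assessing whether a claimed password dump is credible. The following is an added example, not code from WizCase or Specops; the bucket names, the three-word phrase rule and the hex digest lengths are assumptions of this sketch, and the sample entries are constructed apart from the two brand names quoted in the article.

```python
import re
from collections import Counter

# Hex digest lengths of MD5, SHA-1 and SHA-256: an assumption of this
# example, not the criteria Specops applied.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

def classify(entry: str) -> str:
    """Assign one wordlist entry to exactly one quality bucket."""
    n = len(entry)
    if n == 0:
        return "empty"
    if HEX_DIGEST.match(entry):
        return "hash_like"        # a digest, not a plaintext password
    if n >= 100:
        return "text_blob"        # the 100-300 character entries
    if len(entry.split()) >= 3:
        return "phrase"           # scraped names such as brand names
    if n > 20:
        return "overlong"         # longer than most real passwords
    if 6 <= n <= 12:
        return "typical_length"   # the 6-12 character filter
    return "other_length"

def profile(lines):
    """Return (bucket counts, share of entries with typical length).

    `lines` is any iterable of strings, for example a file opened with
    errors="replace" so undecodable bytes do not abort the scan.
    """
    counts = Counter(classify(line.rstrip("\r\n")) for line in lines)
    total = sum(counts.values())
    share = counts["typical_length"] / total if total else 0.0
    return counts, share

# Constructed sample entries (brand names are the ones quoted above).
SAMPLE = [
    "sunshine1", "qwerty", "abc",
    "Ifco Tokio General Insurance", "Image Real Estate",
    "0123456789abcdef0123456789abcdef",
    "x" * 150,
    "correcthorsebatterystaple42",
]

if __name__ == "__main__":
    counts, share = profile(SAMPLE)
    for bucket, count in counts.most_common():
        print(f"{bucket:15} {count}")
    print(f"typical-length share: {share:.0%}")
```

A low typical-length share together with large `text_blob`, `phrase` and `hash_like` buckets is the pattern the analyses above report for RockYou2024.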

“The value of this dataset as a wordlist in cracking or other attacks is extremely nebulous to nil,” the company added. “The dataset is too large to be of any realistic use as part of any effort to crack a given hash, and there’s simply too much low-quality data to successfully use in attacks.”

Security researcher Royce Williams also examined the database and estimates only 190 million entries in the archive might be new and useful. “So if you're a pentester or other ‘normal’ password cracker, you can probably just skip RockYou2024,” he wrote on Mastodon. 

On Twitter, security researcher Troy Hunt, who specializes in cataloging password leaks, added that archives claiming to compile billions of passwords should be regarded with suspicion. “These are not breached passwords, they're merely strings of text collated from all sorts of different sources,” he wrote.

Meanwhile, the hacker who compiled RockYou2024, "ObamaCare," appears to have deleted his original post touting the archive.
