Researcher removes details that could serve nefarious goals

Feb 10, 2015 13:34 GMT

A list of 10 million passwords, each paired with its username, has been published by a security expert who hopes it will advance research into password security and, in turn, raise the standard of online authentication.

Before making the database public, independent security analyst Mark Burnett cleaned up information that could be used for malicious activities. The researcher used data from thousands of publicly available credential leaks.

Efforts made to eliminate potentially damaging details

Among the measures taken to ensure that the list cannot be exploited by malicious actors were stripping the domains from email addresses, which most of the time serve as usernames, and mixing in data from leaks tied to five- and ten-year-old incidents.

He also removed financial details, company names and accounts belonging to government or military organizations, as far as this was possible. Burnett says that government or military log-ins can be identified only if the source and the domain name are known.
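As an added illustration, not Burnett's own tooling, the following Python sketch applies the two sanitization rules the article describes, stripping the domain from email-style usernames and dropping records that belong to government or military domains, to a constructed sample dump; the `user:password` record format and the `.gov`/`.mil` suffix list are assumptions.

```python
import re

# Constructed sample of a credential dump in user:password form.
# These are made-up records, not data from the released list.
SAMPLE_DUMP = """\
alice@example.com:hunter2
bob.smith@agency.gov:Summer2014!
carol@navy.mil:p@ssw0rd
dave:letmein
erin@mail.example.org:correct horse
"""

# Domain suffixes whose records are dropped entirely (assumed list).
SENSITIVE_SUFFIXES = (".gov", ".mil")

def sanitize_record(line):
    """Return (username, password) with any email domain removed,
    or None when the record must be dropped or cannot be parsed."""
    line = line.rstrip("\n")
    if ":" not in line:
        return None
    # Split only on the first colon so passwords may contain ':'.
    user, password = line.split(":", 1)
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+)", user)
    if m:
        local, domain = m.group(1), m.group(2).lower()
        if domain.endswith(SENSITIVE_SUFFIXES):
            return None          # government / military account: drop
        user = local             # keep only the local part of the address
    return (user, password)

def sanitize_dump(text):
    """Sanitize every line of a dump, skipping dropped records."""
    records = []
    for line in text.splitlines():
        rec = sanitize_record(line)
        if rec is not None:
            records.append(rec)
    return records

if __name__ == "__main__":
    for user, password in sanitize_dump(SAMPLE_DUMP):
        print(f"{user}:{password}")
```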

But credential dumps do not always specify these details, and sometimes they are combined with information from other leaks, most often by individuals who want to pass as hackers and merge several databases into one so that the result looks like the product of a new breach they carried out.

Credentials can no longer serve authentication

Beyond being useless for any purpose other than research, the cache of passwords and usernames is, in Burnett's view, mostly dead, meaning the credentials can no longer be used for authentication.

The arguments offered in support of this are that all of the data was at one time discoverable through search engines without restriction, that it has spent enough time in the public domain for companies to have changed the passwords and notified their customers, and that it is available in multiple locations.

Moreover, public data dumps are monitored by numerous companies specifically to identify accounts belonging to their services and take preventive action.

Should some credentials in his database still be valid, Burnett says this would amount to gross negligence on the part of the companies, which would have to have been unaware of the leaks and to have left the passwords unchanged despite the extensive period of time the data has been visible online.

“This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain,” Burnett said in a blog post on Monday.

Documenting the steps taken to ensure that bad actors cannot use the details is intended to show that the release does not violate any US laws.