Tech by VICE

The Man Who Published 10 Million Real Usernames and Passwords Defends Himself

'People don't realize that hundreds of thousands of passwords are hacked and released every day.'

by Jason Koebler
Feb 11 2015, 1:45pm

​Image: ​Peter Van Lancker/Flickr

​Mark Burnett didn't release a list of 10 million real usernames paired with 10 million real passwords in order to flaunt an outdated and overly broad law governing hacking—he did it to teach us something about other people's security, of which we know very little about.

It's true that Burnett, a security researcher and author of Perfect Passwords, is concerned about being prosecuted under the Computer Fraud and Abuse Act. ​Much of the coverage has focused on the legality of what he has done. But he didn't do it to take some sort of stand—Burnett wouldn't have published the data (which was all already available, in smaller doses, on many publicly accessible websites) if he didn't think that we suck at making passwords in the first place.

Burnett told me that we know a heckuva lot of nothing about how people think up their passwords. And publishing massive lists of passwords alone, which is commonplace in research, isn't really helping us.

"People don't realize that hundreds of thousands of passwords are hacked and released every day"

"It makes sense to me to release it with the username. We have list after list of the top password lists and characters people use," he told me. "But it's important to study how usernames and passwords collate. A lot of the common passwords are also common usernames. A lot of passwords are just usernames backward."

Not everyone has quite seen where he's coming from. 

"The reaction has definitely been a mixed bag. Someone just called me an 'irresponsible cunt' in the comments a minute ago," he told me. "Others have seen why it's important work."

Burnett removed domain information from people's emails and took out as many identifying characteristics he could. He said he also worked with several major companies, including Amazon, to have them notify their users if any of their accounts were compromised. Some Amazon customers received this email as a result of the project:

"As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Amazon password."

Most of the passwords, Burnett says, are more than 10 years old and should, in theory, be dead.

"If a hacker needs this list to hack someone, they probably aren't much of a threat"

Burnett has written that anyone who actually needs a password list like this to do damage probably can't do much. It has been downloaded many thousands of times already—surely not all of them are researchers.

"If a hacker needs this list to hack someone, they probably aren't much of a threat," ​he wrote.

Some have thanked Burnett for calling attention to the Computer Fraud and Abuse Act, which was enacted in 1986 and was used to prosecute Barrett Brown, a de-facto spokesperson for Anonymous who copy and pasted a link to hacked emails from the security firm Stratfor: "The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access," he wrote under a heading called "why the FBI shouldn't arrest me."

Brown was eventually convicted and sentenced to more than five years in prison for related charges, but was aggressively prosecuted (and threatened with more than 100 years in prison) for violating the act.

Shining light on that act was part of the whole project for Burnett, but it wasn't the main impetus."It's a big issue. I'm not really afraid, but it is a concern that the FBI could come after me," Burnett said. "My wife is a little angry with me for doing it."

"The main thing is here, I'm putting out this data to get it to the researchers who can use it," he added. And that's a point that many are missing. Commenters have said he's "damaging the security of the world," have said they wish they could arrest him themselves, and have said many, many worse things I don't feel like repeating here.

"People don't realize that hundreds of thousands of passwords are hacked and released every day. It isn't anything new, and these people should be made aware of it," he said.

"Say what you want about security tokens and biometrics, but we still rely very much on passwords," he added. "It's important to understand how they work and it's important for people to learn how to protect themselves."