Here Are 306 Million Passwords You Should Never UseDefend Against Credential Stuffing Using Massive Data Set Shared by Troy Hunt
More than 1 billion compromised usernames and passwords are floating around on lists on the internet. That's bad news for anyone running an online service. Sooner or later, a hacker will use details on the lists to attempt to take over accounts.
Unfortunately, a lack of user-friendly alternatives to usernames and passwords for authentication means nothing is going to change much soon. Although two-factor authentication can block the recycling of known credentials, its use is still far from widespread.
But Troy Hunt, a security expert who runs the Have I Been Pwned data breach notification service, has an idea to help organizations prevent people continuing to use their own compromised passwords or selecting ones that have been leaked.
His effort is aimed at companies battling what's known as "credential stuffing. That's when hackers cycle through the lists trying to find combinations of credentials that unlock someone's account. Credential stuffing has been fueled over the last few years by large breaches at LinkedIn, MySpace, Dropbox and many more (see 'Historical Mega Breaches' Continue: Tumblr Hacked).
Companies contact him nearly every other day saying they are getting "hammered" by use of the password lists, Hunt says. While there are defensive actions services can take, there's ultimately no good defense against a hacker who has valid user credentials.
"Credential stuffing is just becoming enormously destructive at the moment," Hunt says. "It is a very, very hard problem."
Hunt has a gigantic trove of usernames and passwords from dozens of data breaches. Have I Been Pwned allows someone to see if their email address has appeared in a breach, and if so, details which breach.
But Hunt doesn't let people see the password that was used for the particular compromised service. He also doesn't allow people to see passwords or hashes of passwords en masse, for security reasons.
His idea, though, judiciously reverses his stance. Hunt is making available SHA1 hashes for 306 million unique passwords he's collected, but not with the associated usernames or email addresses.
The 306 million passwords encompass more than 1 billion compromised accounts. The data comes from rich sources, including the Exploit.in and Anti-Public lists. Both of those lists were massive mash-ups of stolen data covering just over 1 billion email addresses.
Hunt calls the service Pwned Passwords. Service providers can use the data in their back-end systems with the aim of improving the state of password security. Hunt has made a 6GB file available with the data.
For example, if someone is registering a new account, a service provider can compare the chosen password and warn the individual that the password has been compromised before. At that point, the person can be strongly encouraged or forced to choose a more secure password.
In another scenario, if a service provider prompts people to change their passwords, a warning can be displayed that informs them their previous password has been compromised. Since people often reuse passwords, it's good advice to change it to prevent further problems.
"What's going to make this [Pwned Passwords] unique is that I'm not aware of anywhere else where there is this massive amount of previously used credentials available," Hunt says.
He's also going to let anyone check their passwords via the Have I Been Pwned web service, but he recommends that they only check passwords they no longer use.
"The intention is to use that in a retrospective fashion," he says.
Improved Password Guidelines
Hunt's idea comes, in part, from revised password guidance from the National Institute of Standards and Technology and the U.K.'s National Cyber Security Centre.
Updated guidance from both organizations upends the conventional password wisdom that's been applied for many years, Hunt says. Those recommendations include not blocking password managers and forbidding people to paste passwords into fields, an action commonly done if a password manager fails to automatically fill in details.
Some other commonly enforced password rules, such as using a minimum of eight characters along with special characters, have also been debunked. The institutions are also recommending against banning pass phrases, which often have a higher entropy and are more secure, as illustrated by XKCD's brilliant "correcthorsebatterystaple" example.
"It's stuff that made sense in a bygone era but doesn't make sense today," Hunt says.
NIST's Digital Identity Guidelines, released in June, recommends blocking passwords that have previously appeared in breaches. It also advises against approving repetitive or sequential characters or context-specific words, such as passwords that include the name of the particular online service.
With Hunt's service, organizations may be able to put this into practice.