• RockYou2024 leak of 10 billion passwords - the biggest password leak ev

    From Mickey D@21:1/5 to All on Sat Jul 6 19:28:12 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    RockYou2024 leak of 10 billion passwords - the biggest password leak ever https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/ https://mashable.com/article/rockyou2024-leaked-password-database

    Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

    While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an
    online casino AskGamblers, and student applications for Rowan College at Burlington County.

    The team cross-referenced the passwords included in the RockYou2024 leak
    with data from Cybernews' Leaked Password Checker, which revealed that
    these passwords came from a mix of old and new data breaches.

    "In its essence, the RockYou2024 leak is a compilation of real-world
    passwords used by individuals all over the world. Revealing that many
    passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.

    Credential stuffing attacks can be severely damaging for users and
    businesses. For example, a recent wave of attacks targeting Santander, Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct
    result of credential stuffing attacks against the victims' cloud service provider, Snowflake.

    "Threat actors could exploit the RockYou2024 password compilation to
    conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,"
    the team explained.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alan Browne@21:1/5 to Mickey D on Sun Jul 7 07:26:29 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-06 19:28, Mickey D wrote:

    > "Threat actors could exploit the RockYou2024 password compilation to
    > conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset," the team explained.

    Why Passkeys should be used wherever financial transactions or sensitive information are concerned. Or at least TFA.

    And passwords need to be strong - computer generated is always best.

    Otherwise password access should have time outs.

    1st time wrong: no delay
    2nd time wrong: 1 s delay
    3rd time wrong: 2 s delay
    4th time wrong: 4 s
    5               8 s

    10              4 hour delay, then reset to 0 delay.

    Brute force login attacks would simply not work.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

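    The escalating-delay scheme above, written out as an added example (not code from the thread). It assumes the delays are tracked server-side per account, that failures 2 through 9 double the wait starting at 1 s, and that the 10th failure imposes the 4-hour wait after which the counter resets; attempts made while a wait is in force are rejected without being counted, so hammering the endpoint cannot shorten it.

```python
"""Exponential login back-off as described in the post above (added
example, not code from the thread). Assumptions: state is kept server-side
per account; failures 2..9 double the delay from 1 s; the 10th failure
imposes a 4-hour wait and then the counter resets to 0."""
from dataclasses import dataclass, field

FOUR_HOURS = 4 * 60 * 60  # seconds


def delay_for_failure(n: int) -> int:
    """Seconds a client must wait after its n-th consecutive wrong password."""
    if n <= 1:
        return 0                 # 1st time wrong: no delay
    if n < 10:
        return 2 ** (n - 2)      # 2nd: 1 s, 3rd: 2 s, 4th: 4 s, 5th: 8 s, ...
    return FOUR_HOURS            # 10th: 4 hours, then the counter resets


@dataclass
class LoginThrottle:
    """Per-account state: consecutive failures and the time the wait lifts."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def seconds_until_allowed(self, account: str, now: float) -> float:
        return max(0.0, self.locked_until.get(account, 0.0) - now)

    def attempt(self, account: str, password_ok: bool, now: float) -> bool:
        """Process one login attempt at time `now`; True means the login
        succeeded. Attempts during a wait are rejected and not counted."""
        if self.seconds_until_allowed(account, now) > 0:
            return False
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return True
        n = self.failures.get(account, 0) + 1
        self.locked_until[account] = now + delay_for_failure(n)
        # after the 10th failure the 4-hour wait applies and the count resets
        self.failures[account] = 0 if n >= 10 else n
        return False


def time_to_try(guesses: int) -> int:
    """Total seconds the schedule forces a single-account guesser to spend
    on `guesses` consecutive wrong passwords (sum of the imposed delays)."""
    total, n = 0, 0
    for _ in range(guesses):
        n += 1
        total += delay_for_failure(n)
        if n >= 10:
            n = 0
    return total


if __name__ == "__main__":
    # 1000 wrong guesses against one account cost about 17 days of waiting
    print(time_to_try(1000) / 86400, "days for 1000 guesses")
```

    The scheme only limits online guessing against one account name at one site; it does nothing for an attacker who already holds a copy of the password database, which is the point Gordinator raises further down the thread.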
  • From Gordinator@21:1/5 to Alan Browne on Sun Jul 7 18:27:18 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 07/07/2024 12:26, Alan Browne wrote:
    > On 2024-07-06 19:28, Mickey D wrote:
    >
    >> "Threat actors could exploit the RockYou2024 password compilation to
    >> conduct brute-force attacks and gain unauthorized access to various
    >> online
    >> accounts used by individuals who employ passwords included in the
    >> dataset,"
    >> the team explained.
    >
    > Why Passkeys should be used wherever financial transactions or sensitive information are concerned.  Or at least TFA.
    >
    > And passwords need to be strong - computer generated is always best.
    >
    > Otherwise password access should have time outs.
    >
    > 1st time wrong: no delay
    > 2nd time wrong: 1 s delay
    > 3rd time wrong: 2 s delay
    > 4th time wrong: 4 s
    > 5               8 s
    >
    > 10              4 hour delay, then reset to 0 delay.
    >
    > Brute force login attacks would simply not work.


    A better solution would be to use a hashing algorithm like Argon2 that
    is designed to be resistant to such attacks. That way, if you get
    offline access to a database somehow - which is how these passwords were derived - cracking takes a stupid amount of time.

    Such modern algorithms use things like salting by default as well, which eliminates rainbow table attacks (pre-computed lists of hashes and their passwords), meaning you need to perform the slow and expensive
    brute-force method.

    Also, a timeout would only help with online logins. Offline ones are the
    real deal, because you can go ham with no consequence.

    That said, your idea of using computer-generated passwords is great. I
    use 64-character random passwords generated by KeePassXC. It works
    great, except for the websites that want shorter passwords, for some
    bizarre reason.

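    An added example of the salted, memory-hard hashing Gordinator describes (not the poster's code). Argon2 is not in Python's standard library, so this uses hashlib.scrypt, which is also memory-hard, to make the same two points: a per-user random salt means a precomputed table of hashes recovers nothing, and the work factor makes every offline guess expensive. The cost parameters and the five-word wordlist are constructed for illustration.

```python
"""Salted, memory-hard password hashing (added example, not the poster's
code). Argon2 is not in the standard library; hashlib.scrypt is used as a
stand-in with the same salting and work-factor properties. Cost parameters
are illustrative and kept small so the example runs quickly."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# scrypt work factor (illustrative; production values are tuned to the
# server's memory budget, e.g. n=2**17 or higher). Memory ~= 128 * n * r.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme a precomputed table defeats: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed stand-in for a leaked wordlist (the real file has ~10 billion lines).
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def precomputed_table(wordlist) -> Dict[bytes, str]:
    """Map unsalted SHA-256 digest -> password for every word in the list."""
    return {unsalted_sha256(w): w for w in wordlist}


def lookup_unsalted(digest: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Instant recovery of an unsalted hash if the password is in the list."""
    return table.get(digest)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored digests, so a
    table keyed by digest cannot be built in advance."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    table = precomputed_table(SAMPLE_WORDLIST)
    print("unsalted 'qwerty' recovered:", lookup_unsalted(unsalted_sha256("qwerty"), table))
    print("salted digests differ:", salted_hashes_differ("qwerty"))
```

    With salting, a leaked wordlist still lets an attacker who has the database try each word against each user, but every try costs a full scrypt (or Argon2) evaluation per user rather than one shared table lookup.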
  • From Bill Powell@21:1/5 to Gordinator on Sun Jul 7 21:03:00 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On Sun, 7 Jul 2024 18:27:18 +0100, Gordinator wrote:

    > A better solution would be to use a hashing algorithm like Argon2 that
    > is designed to be resistant to such attacks.

    Can someone who knows let me know WHAT was published online?

    Is it people's login and passwords?
    Or just a long list of people's passwords?

    If it's just a long list of passwords, what good is that?
    A dictionary like lookup would work as well, wouldn't it?

  • From Alan Browne@21:1/5 to Bill Powell on Sun Jul 7 17:27:23 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-07 15:03, Bill Powell wrote:

    > Can someone who knows let me know WHAT was published online?
    >
    > Is it people's login and passwords?
    > Or just a long list of people's passwords?
    >
    > If it's just a long list of passwords, what good is that?
    > A dictionary like lookup would work as well, wouldn't it?

    It's just a list of passwords.

    Depends on what you mean by "dictionary" as the password list won't have
    things that are in any given dictionary (no matter what the kind).

    It is usable to verify that your password is not "in there". I wrote a
    quick program to do just that - but my passwords are too ridiculous -
    never mind anyone figuring the login name and where it's being used.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

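    The kind of check Alan mentions, as an added example (not his program): stream a downloaded wordlist such as rockyou2024.txt line by line and report which of your own passwords appear in it verbatim. It assumes one password per line and reads the file as bytes because such compilations mix encodings; the six-line sample list is constructed for the demo, and the comparison happens entirely on the local machine.

```python
"""Check your own passwords against a leaked wordlist, streaming the file so
it never has to fit in memory (added example, not the poster's program).
Assumptions: one password per line; read as bytes because the compilation
mixes encodings; a match means the exact string is in the list."""
import os
import tempfile
from typing import Iterable, Set


def normalize(line: bytes) -> bytes:
    """Strip only the line terminator; surrounding spaces can be part of a password."""
    return line.rstrip(b"\r\n")


def matches(lines: Iterable[bytes], candidates: Set[str]) -> Set[str]:
    """Return the subset of `candidates` that occurs verbatim in `lines`.
    Stops early once every candidate has been found."""
    wanted = {c.encode("utf-8"): c for c in candidates}
    found: Set[str] = set()
    for raw in lines:
        hit = wanted.get(normalize(raw))
        if hit is not None:
            found.add(hit)
            if len(found) == len(wanted):
                break
    return found


def check_file(path: str, candidates: Set[str]) -> Set[str]:
    """Stream a wordlist from disk; constant memory regardless of file size."""
    with open(path, "rb") as fh:
        return matches(fh, candidates)


# Constructed sample standing in for the real ten-billion-line file; the
# fifth line is deliberately not valid UTF-8.
SAMPLE_LIST = b"123456\npassword\r\nqwerty\nletmein\n\xff\xfebad-encoding\nsummer2024\n"


def demo() -> Set[str]:
    """Write the sample list to a temp file and check three passwords against it."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_LIST)
        return check_file(path, {"summer2024", "correct horse battery staple", "qwerty"})
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("found in list:", sorted(demo()))
```

    Any password the check reports is one that credential-stuffing tooling will try first, so it should be changed everywhere it is used, not only on the site it was originally leaked from.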
  • From Alan Browne@21:1/5 to Gordinator on Sun Jul 7 17:30:09 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-07 13:27, Gordinator wrote:
    > On 07/07/2024 12:26, Alan Browne wrote:
    >> On 2024-07-06 19:28, Mickey D wrote:
    >>
    >>> "Threat actors could exploit the RockYou2024 password compilation to
    >>> conduct brute-force attacks and gain unauthorized access to various
    >>> online
    >>> accounts used by individuals who employ passwords included in the
    >>> dataset,"
    >>> the team explained.
    >>
    >> Why Passkeys should be used wherever financial transactions or
    >> sensitive information are concerned.  Or at least TFA.
    >>
    >> And passwords need to be strong - computer generated is always best.
    >>
    >> Otherwise password access should have time outs.
    >>
    >> 1st time wrong: no delay
    >> 2nd time wrong: 1 s delay
    >> 3rd time wrong: 2 s delay
    >> 4th time wrong: 4 s
    >> 5               8 s
    >>
    >> 10              4 hour delay, then reset to 0 delay.
    >>
    >> Brute force login attacks would simply not work.
    >
    > A better solution would be to use a hashing algorithm like Argon2 that
    > is designed to be resistant to such attacks. That way, if you get
    > offline access to a database somehow - which is how these passwords were derived - cracking takes a stupid amount of time.

    Having such a list won't help against such.

    > Such modern algorithms use things like salting by default as well, which eliminates rainbow table attacks (pre-computed lists of hashes and their passwords), meaning you need to perform the slow and expensive
    > brute-force method.

    Indeed, but the issue is the brute force from the outside. (Which also
    needs a target site and account name ... already getting very unlikely).

    > Also, a timeout would only help with online logins. Offline ones are the
    > real deal, because you can go ham with no consequence.

    That implies they've copied an entire system and are going after info in
    it. Since the pw database is (as you mention salted and encrypted) such
    an attack will go exactly nowhere with the passwords in the list - esp.
    when the salt is derived from other customer data.

    > That said, your idea of using computer-generated passwords is great. I
    > use 64-character random passwords generated by KeePassXC. It works
    > great, except for the websites that want shorter passwords, for some
    > bizarre reason.

    64 char is overkill. 20 char is much more than sufficient assuming it's random.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

  • From Alan Browne@21:1/5 to Chris on Sun Jul 7 18:40:50 2024
    XPost: misc.phone.mobile.iphone, comp.mobile.android, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-07 17:39, Chris wrote:
    > Alan Browne <bitbucket@blackhole.com> wrote:
    >> On 2024-07-06 19:28, Mickey D wrote:
    >>
    >>> "Threat actors could exploit the RockYou2024 password compilation to
    >>> conduct brute-force attacks and gain unauthorized access to various online
    >>> accounts used by individuals who employ passwords included in the dataset,"
    >>> the team explained.
    >>
    >> Why Passkeys should be used wherever financial transactions or sensitive
    >> information are concerned. Or at least TFA.
    >
    > Or, crazy idea, tighten up personal privacy laws like some ridicule the EU for.
    >
    > It would certainly crystallise minds if companies risked fines of 10% of global turnover.

    I don't disagree with what you wish, but it will have 0 effect on people
    with bad security practices and 0 effect on criminals attempting to
    break into systems.

    The internet grew up from nothing to everywhere all at once and the
    security implications lagged that by near 20 years.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

  • From Andrew@21:1/5 to Alan Browne on Mon Jul 8 02:18:26 2024
    XPost: misc.phone.mobile.iphone, comp.mobile.android, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    Alan Browne wrote on Sun, 7 Jul 2024 18:40:50 -0400 :

    > it will have 0 effect on people with bad security practices

    The problem is lots of people have no good way to remember passwords.

    What I do, for example, is:
    1. I store passwords in a cross-platform encrypted desktop manager
    (KeepassXC)

    2. I sync the kdbx database periodically keeping the master on the PC.
    Note that my passwords almost never are changed on a mobile device.

    3. Every platform has a free program to read that kdbx file, I think.
    For example, Windows, Linux & macOS can use the KeepassXC passwd mgr.
    <https://keepassxc.org/download/>

    Android uses, for example, Keepass2Android, but others exist.
    <https://play.google.com/store/apps/details?id=keepass2android.keepass2android>

    iOS uses KeePassium for example, but others also likely exist.
    <https://apps.apple.com/us/app/keepassium-keepass-passwords/id1435127111>

    Each time I'm forced to create a login/passwd combination, I type "vipw"
    which, on Windows, has, for decades, brought up the native password manager.

    Each time I need a login/password, I also type "vipw" into Windows, and up comes that same password manager, with the sort order usually set to LIFO.

    But how many people do that?

  • From Alan Browne@21:1/5 to Chris on Tue Jul 9 08:02:18 2024
    XPost: misc.phone.mobile.iphone, comp.mobile.android, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-08 03:59, Chris wrote:
    > Alan Browne <bitbucket@blackhole.com> wrote:
    >> On 2024-07-07 17:39, Chris wrote:
    >>> Alan Browne <bitbucket@blackhole.com> wrote:
    >>>
    >>>> Why Passkeys should be used wherever financial transactions or sensitive
    >>>> information are concerned. Or at least TFA.
    >>>
    >>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU <-- [AAA]
    >>> for.
    >>>
    >>> It would certainly crystallise minds if companies risked fines of 10% of
    >>> global turnover.
    >>
    >> I don't disagree with what you wish, but it will have 0 effect on people
    >> with bad security practices
    >
    > I disagree. It will help proactively protect them from themselves. Unlike
    > the current system in the US where the only response is reactively via law suits years after people's lives have been affected.

    You're talking about "personal privacy laws" which is not directly
    related to computer security. One is policy implementation, the other is security implementation.

    >> and 0 effect on criminals attempting to
    >> break into systems.
    >
    > Again, disagree. If an org is forced to comply with stricter regulations regarding data security then that will automatically reduce the target surface.

    Now you changed gears (was: [AAA] "personal privacy").

    > However, criminals can be very smart and will change tactics.

    The most successful side is phishing in one form or another - and that
    will never stop.

    Still - poking around for system security weaknesses will never stop.

    Main things server side is _at least_ TFA and better: Passkeys.

    >> The internet grew up from nothing to everywhere all at once and the
    >> security implications lagged that by near 20 years.
    >
    > Which is why we're now seeing more social engineering attacks nowadays than technical attacks. I'm far less worried about malware today than I used to be.

    Yet, the hackers keep hacking. And don't forget that any new website implementation might be especially weak.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

  • From Jörg Lorenz@21:1/5 to Mickey D on Wed Jul 10 11:21:31 2024
    XPost: comp.mobile.android, misc.phone.mobile.iphone, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 07.07.24 01:28, Mickey D wrote:
    > RockYou2024 leak of 10 billion passwords - the biggest password leak ever https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/ https://mashable.com/article/rockyou2024-leaked-password-database

    This is a non-event. Just a compilation of passwords from breaches in
    the past.

    --
    "Mille viae ducunt hominem per saecula Romam." (Alanus ab Insulis 1120-1202)

  • From Alan Browne@21:1/5 to Chris on Wed Jul 10 19:23:09 2024
    XPost: misc.phone.mobile.iphone, comp.mobile.android, alt.os.linux
    XPost: comp.sys.mac.system, alt.privacy

    On 2024-07-09 18:30, Chris wrote:
    > Alan Browne <bitbucket@blackhole.com> wrote:
    >> On 2024-07-08 03:59, Chris wrote:
    >>> Alan Browne <bitbucket@blackhole.com> wrote:
    >>>> On 2024-07-07 17:39, Chris wrote:
    >>>>> Alan Browne <bitbucket@blackhole.com> wrote:
    >>>>>
    >>>>>> Why Passkeys should be used wherever financial transactions or sensitive
    >>>>>> information are concerned. Or at least TFA.
    >>>>>
    >>>>> Or, crazy idea, tighten up personal privacy laws like some ridicule the EU <-- [AAA]
    >>>>> for. ------ [BBB] --------
    >>>>>
    >>>>> It would certainly crystallise minds if companies risked fines of 10% of
    >>>>> global turnover.
    >>>>
    >>>> I don't disagree with what you wish, but it will have 0 effect on people
    >>>> with bad security practices
    >>>
    >>> I disagree. It will help proactively protect them from themselves. Unlike
    >>> the current system in the US where the only response is reactively via law
    >>> suits years after people's lives have been affected.
    >>
    >> You're talking about "personal privacy laws" which is not directly
    >> related to computer security.
    >
    > We're talking about data protection - I miswrote when I said personal
    > privacy - laws. Which for personal digital data requires appropriate
    > computer security on the side of the data organisation.

    Which is widely practiced by most corps. and not by some.

    >> One is policy implementation the other is
    >> security implementation.
    >
    > They're part of the same process.

    Not at all. Security is defensive to principally protect the assets and operations of the company (customer info being assets too);
    privacy is many things, but unfortunately it's a commodity to profit
    from unless there are laws to contain it.

    >>>> and 0 effect on criminals attempting to
    >>>> break into systems.
    >>>
    >>> Again, disagree. If an org is forced to comply with stricter regulations
    >>> regarding data security then that will automatically reduce the target
    >>> surface.
    >>
    >> Now you changed gears (was: [AAA] "personal privacy").
    >
    > I didn't mention AAA. I mentioned EU and by implication, GDPR.

    [AAA] was a label I added to the text to point to your "personal privacy
    laws" mention. Look higher in the thread - it's still there.
    Here - I've added BBB to it (above about 10 lines from top).

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill
