Data leaks are an inevitability of the digital age. It's all but impossible to have accounts online without losing some of your passwords to these attacks (which is why using 2FA is so important). But it's one thing to know some of your passwords are out there somewhere; it's another thing entirely to know there are billions of our passwords conveniently rounded up for the taking.
That's exactly what new research seems to suggest: As reported by TechRadar, researchers say they found a text file, called rockyou2024.txt, containing nearly 10 billion unique passwords, all stored in plain text. That means anyone with access could scrape the list as they would a PDF and discover each and every password for themselves.
This was not a project that happened overnight: These passwords were collected over time, from various attacks and leaks over the past 20 years. Attackers added 1.5 billion of these passwords to the file from 2021 to this year alone. The fact that these are all unique, too, means there are no repeats in the list. It's tough to wrap your head around that many passwords.
While it's bad enough that anyone with the list can Command+F their way into searching for any password under the sun, that's not really where the danger lies. It would simply take too long to look for specific passwords to try.
Rather, bad actors can use lists like this one to engage in brute force and credential stuffing attacks. In a brute force attack, bad actors try a large number of passwords in quick succession to try to break into an account. Credential stuffing is similar, but involves using leaked credentials—like known username/password combinations—with other accounts, as people tend to use the same password for multiple accounts. (Please don't do this.)
Bad actors don't run these attacks by hand, of course: They use computers, which can try millions of these passwords in an attempt to break into these accounts. With a database of 10 billion unique passwords, hackers will certainly have a field day running brute force and credential stuffing attacks against both individuals and organizations alike.
Hopefully, organizations take the time to shore up their defenses against attacks like these, but even as individuals, there's quite a bit we can do to protect ourselves.
First, you can use a leaked password checker to see if your credentials are available for bad actors to use, whether that's in this database or elsewhere. If you see that any of your passwords have been compromised, change them immediately.
On that note, make sure you're using a strong and unique password for every single one of your accounts. In the event an account's credentials are leaked, bad actors won't be successful in credential stuffing, as your other accounts won't use that compromised password.
If an account supports passkeys, use that instead, as passkeys have no credentials to leak. If not, use two-factor authentication whenever possible. In the event that bad actors know your credentials, they won't be able to break into your account without access to your trusted device, whether that's a smartphone or an authenticator app.
To manage all these credentials, use a password manager. Not only will a good password manager help you, um, manage your passwords, it should come with convenient security features, like password generators, 2FA codes, and alerts when your passwords are leaked.
