In response to my recent release of 10 million passwords, I thought I would address some of the questions I am getting.

These are old passwords that have already been released to the public; none of these passwords are new leaks. They all are, or were at one time, completely available to anyone in an uncracked format. I have not included passwords that required cracking, payment, exclusive forum access, or anything else not available to the general public. You should still be able to find a large number of these passwords via a Google search.

The passwords were compiled by taking samples from thousands of password dumps, mostly from the last five years, although the set also includes much older data. I wanted to mix data from multiple sources to normalize inconsistencies and skewed data due to the type of web site, its users, and its security policies (see this article for problems with password data). The size of the sample from each site was determined by the data itself: since the top 100 passwords have been very consistent over the last 20 years, I was able to use that to gauge the quality of the source data. Some dumps contained so much bad data that I had to limit how much of it I included. Here are some examples of bad password data:

How was the data collected?

I have been collecting passwords for about 15 years. In the past I used a number of scripts to scrape the web, forums, IRC, Usenet, and P2P sources to get even 1,000 new passwords per day. In fact, it took me almost 10 years to collect just 6 million unique username/password combos (and at the time I thought that was huge). However, in the last 5 years things have changed tremendously. I am now able to manually collect 10–20 million unique passwords per year simply from paste sites and forums. There have also been a number of very large password dumps with tens of millions of passwords in a single dump.
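As a rough illustration of the quality check mentioned above, here is a minimal sketch of scoring a dump against a long-term top-100 list. The `TOP_100` stub, the `dump_quality` helper, and the sample data are all hypothetical; this is not the actual reference list or the scripts used for the release.

```python
from collections import Counter

# Hypothetical stand-in for the long-term top-100 list; the real list
# has ~100 entries that have dominated leak frequency counts for years.
TOP_100 = {"123456", "password", "12345678", "qwerty", "abc123"}

def dump_quality(passwords, reference=TOP_100, head=100):
    """Fraction of the reference top list found among the dump's `head`
    most frequent passwords. A low score suggests the dump is garbled,
    machine-generated, or not real user-chosen passwords."""
    top = {pw for pw, _ in Counter(passwords).most_common(head)}
    return len(top & reference) / len(reference)

# Illustrative data only: a plausible dump vs. hash-like junk.
good = ["123456"] * 50 + ["password"] * 30 + ["qwerty"] * 10
bad = ["0xdeadbeef"] * 50 + ["d41d8cd9"] * 30

print(dump_quality(good))  # high overlap with the stub list (0.6 here)
print(dump_quality(bad))   # 0.0: top entries look nothing like real passwords
```

Under this kind of check, a dump whose most frequent entries share almost nothing with the historical top 100 would be sampled lightly or excluded, consistent with the filtering described above.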