When will people take their passwords seriously? Researcher leaks 10 million login details to highlight how people STILL make bad choices

  • Mark Burnett claims his move to release data is for research purposes so experts can find more links between usernames and passwords
  • Data is usually stripped of this connection in exposed hack attempts
  • Mr Burnett removed details that could be used by cyber criminals
  • But he still fears legal action and being raided by the FBI, a blog post says

A security expert has published 10 million passwords and their corresponding usernames to shed light on how people pick their pins.

Mark Burnett claims his move is for research purposes but admitted he is concerned that it may incur the wrath of the FBI.

The passwords exposed were stripped of certain details, however, which Burnett says stops criminals gaining access to any accounts.

A security expert has published 10 million passwords and their corresponding usernames to shed light on how people pick their pins. Mark Burnett claims his move is for research purposes and is worried that it may incur the wrath of the FBI

Mr Burnett said in a blog post that his decision to publish the data in full on Monday evening - which was gathered from thousands of global incidents over the last five years, rather than from a single hack - was so experts can better understand how people pick their passwords.

For example, the data could be used to work out how often people include their usernames within their passwords, Ars Technica reported.

‘Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone,’ he wrote. 
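The kind of username-to-password analysis Burnett describes can be illustrated with a short script. The example below is added here for this article and is not Burnett's own tooling; the credential pairs in SAMPLE_DUMP are constructed (the domain part of each address has already been stripped, as the article says the released data was), and the classification labels, the leet-substitution map and the three-character token threshold are choices made for this illustration.

```python
"""Added example: measuring how often a password reuses its username.

Illustrative code written for this article, not Mark Burnett's analysis
tooling. SAMPLE_DUMP is constructed sample data, not records from any leak.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed records in "username:password" form (domains already removed).
SAMPLE_DUMP = """\
jsmith:jsmith123
jennifer.lee:Jennifer2014!
mike_88:football
anna:dragon
bobby:b0bby!
qwerty_fan:qwerty
dave:Xk9#mLp2q
sarah:sarah
"""

# Undo the most common "leet" substitutions so B0bby and bobby compare equal.
LEET = str.maketrans("0134@$5", "oleaass")
TOKEN_RE = re.compile(r"[a-z]+|\d+")


def normalise(s: str) -> str:
    """Lower-case and map common digit/symbol substitutions back to letters."""
    return s.lower().translate(LEET)


def username_tokens(username: str) -> list[str]:
    """Split a username into alphabetic/numeric tokens of three or more
    characters: 'jennifer.lee' -> ['jennifer', 'lee'], 'mike_88' -> ['mike']."""
    return [t for t in TOKEN_RE.findall(username.lower()) if len(t) >= 3]


def classify(username: str, password: str) -> str:
    """How strongly the password reuses the username:
    'identical', 'contains' (whole username inside the password),
    'partial' (one username token inside the password) or 'none'."""
    u, p = normalise(username), normalise(password)
    if u == p:
        return "identical"
    if u in p:
        return "contains"
    if any(normalise(tok) in p for tok in username_tokens(username)):
        return "partial"
    return "none"


def analyse(dump: str) -> dict[str, float]:
    """Parse a dump and return the share of records in each overlap class."""
    counts: Counter[str] = Counter()
    total = 0
    for line in dump.splitlines():
        if ":" not in line:
            continue  # skip malformed lines instead of aborting the whole run
        username, password = line.split(":", 1)
        counts[classify(username, password)] += 1
        total += 1
    return {k: counts[k] / total for k in ("identical", "contains", "partial", "none")}


if __name__ == "__main__":
    for label, share in analyse(SAMPLE_DUMP).items():
        print(f"{label:>9}: {share:.1%}")
```

On the constructed sample, half of the records reuse the username in some form; on a real corpus the interesting output is exactly that ratio, which is the figure Burnett says cannot be computed from password lists that have had the usernames removed.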

Mr Burnett said that his decision to publish the data in full on Monday evening was so experts can understand how people pick their passwords. He stripped out data so that criminal hackers (illustrated) could not use the passwords for unscrupulous ends

HOW TO CHOOSE A PASSWORD

Avoid favourite sports. ‘Baseball’ and ‘football’ were both in the top 10 worst password list.

Birthdays and years of birth are easy to guess with the help of personal information.

Common names such as Michael and Jennifer are insecure, with many making SplashData’s Top 50 list, too.

Experts suggest using eight mixed types of characters, with seemingly random combinations if possible.

They say that passphrases – short words with spaces or other characters separating them – are easy to recall and are relatively secure if seemingly random words are used.

Experts also advise having different passwords for different sites, instead of relying on one, which if hacked, could prove particularly serious.
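The advice in the box above can be turned into a concrete check and a generator. The code below is an added example for this article, not SplashData's or Burnett's; COMMON_PASSWORDS takes a handful of entries from the SplashData top-25 printed later in the article, while COMMON_NAMES, WORDLIST, the 1940 lower bound for a year of birth and the three-character-class rule are constructed choices for this illustration (a real passphrase word list would have several thousand entries, not twenty).

```python
"""Added example: applying the article's password advice in code.

Written for this article as an illustration; not SplashData's or Mark
Burnett's code. The lists below are short constructed samples.
"""
from __future__ import annotations

import math
import re
import secrets

# First entries taken from the SplashData top-25 list quoted in the article.
COMMON_PASSWORDS = {"123456", "password", "12345", "12345678", "qwerty",
                    "baseball", "football", "dragon", "letmein", "trustno1"}
COMMON_NAMES = {"michael", "jennifer", "jessica", "david"}  # constructed sample
CURRENT_YEAR = 2015  # the article dates from early 2015
YEAR_RE = re.compile(r"(?<!\d)(19[4-9]\d|20[0-2]\d)(?!\d)")  # 1940..2029 candidates
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

# Constructed stand-in for a diceware-style word list of thousands of words.
WORDLIST = ["anvil", "breeze", "cobalt", "delta", "ember", "falcon", "granite",
            "harbor", "iris", "juniper", "kelp", "lantern", "meadow", "nickel",
            "orbit", "pepper", "quartz", "ridge", "saddle", "tundra"]


def is_passphrase(password: str) -> bool:
    """Three or more words of at least three letters, separated by spaces or
    punctuation, as the article describes."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", password) if len(w) >= 3]
    return len(words) >= 3 and len(password) >= 16


def problems(password: str) -> list[str]:
    """Return the ways a candidate breaks the article's advice (empty = none)."""
    issues = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        issues.append("on the worst-passwords list")
    if any(name in lowered for name in COMMON_NAMES):
        issues.append("contains a common first name")
    if any(int(y) <= CURRENT_YEAR for y in YEAR_RE.findall(password)):
        issues.append("looks like a year of birth")
    if len(password) < 8:
        issues.append("shorter than eight characters")
    # A passphrase of random words is accepted without the mixed-class rule.
    if not is_passphrase(password):
        classes = sum(bool(re.search(p, password)) for p in CHAR_CLASSES)
        if classes < 3:
            issues.append("fewer than three character types")
    return issues


def passphrase(n_words: int = 4, sep: str = " ") -> str:
    """Join n_words words chosen with the OS CSPRNG (secrets, not random),
    so the selection cannot be reproduced from a predictable seed."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


def passphrase_bits(n_words: int, wordlist_size: int = len(WORDLIST)) -> float:
    """Guessing entropy in bits for n_words drawn uniformly from the list."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("football", "Michael1985", "correct horse battery staple"):
        print(f"{candidate!r}: {problems(candidate) or 'no issues found'}")
    print("suggested:", passphrase(), f"({passphrase_bits(4):.1f} bits with this toy list)")
```

The entropy figure is the point of the last function: four words from a twenty-word list give only about 17 bits, which is why the word list, not the number of words, is what makes a passphrase strong.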

He said he is concerned that the publication of the data may get him in legal trouble, however.

‘Recent events have made me question the prudence of releasing this information, even for research purposes,’ he said, citing the example of the prosecution of Anonymous activist Barrett Brown. 

'The FBI took advantage of him linking to a data dump to initiate charges of identity theft and trafficking of authentication features,' according to Burnett.

‘I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment.

‘I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.’

In his defence, the researcher said: ‘In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorised access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity.

‘The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorised access.’

To ensure that the logins could not be used for illegal purposes, he removed the domain portion from email addresses, mixed up data from different leaks so it could not be traced to any particular company and removed keywords such as company names or any data that could be linked to an individual.

He also removed information that could be a credit card number and any accounts suspected as belonging to government or military members.
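The redaction steps listed in the last three paragraphs map onto a small pipeline. The code below is an added example for this article and is not the script Burnett used; SAMPLE_LEAKS, COMPANY_KEYWORDS and the two "leak" labels are constructed, the Luhn check is a standard way of recognising a plausible card number, and treating ".gov" and ".mil" addresses as the "government or military" accounts is an assumption about how such accounts might be identified.

```python
"""Added example: a redaction pass of the kind the article describes.

Illustrative code written for this article, not Mark Burnett's own script.
Steps: drop suspected government/military accounts, drop records that look
like card numbers, drop records mentioning listed company names, strip the
domain from e-mail addresses, then shuffle records from all sources together.
"""
from __future__ import annotations

import random
import re

# Constructed sample of two "leaks" (not real data): (account, password) pairs.
SAMPLE_LEAKS = {
    "leak_a": [("alice@example.com", "alice123"),
               ("bob.jones@army.mil", "Spring2014"),
               ("carol@example.org", "4111111111111111"),
               ("dan@example.net", "AcmeWidgets!")],
    "leak_b": [("erin@example.gov", "letmein"),
               ("frank", "frank"),
               ("grace@example.co.uk", "h0rsebattery")],
}
COMPANY_KEYWORDS = {"acmewidgets"}  # constructed; would hold the source firms' names
RESTRICTED_SUFFIXES = (".gov", ".mil")  # assumption: how gov/military accounts are spotted
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that ordinary long numbers are not over-redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """True if the value contains a digit run that passes the Luhn check."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(value))


def is_restricted(account: str) -> bool:
    return account.lower().endswith(RESTRICTED_SUFFIXES)


def strip_domain(account: str) -> str:
    """Keep only the local part of an e-mail address ('alice' for alice@...)."""
    return account.split("@", 1)[0]


def sanitise(leaks: dict[str, list[tuple[str, str]]],
             seed: int | None = None) -> list[tuple[str, str]]:
    """Apply the redaction steps and return one mixed list of records.
    seed is only for reproducible tests; None seeds from OS entropy."""
    kept = []
    for records in leaks.values():
        for account, password in records:
            if is_restricted(account):
                continue  # suspected government/military account
            if looks_like_card(account) or looks_like_card(password):
                continue  # could be a payment card number
            haystack = (account + password).lower()
            if any(kw in haystack for kw in COMPANY_KEYWORDS):
                continue  # would tie the record to a particular source company
            kept.append((strip_domain(account), password))
    # Mixing the sources removes the "which leak did this come from" signal.
    random.Random(seed).shuffle(kept)
    return kept


if __name__ == "__main__":
    for account, password in sanitise(SAMPLE_LEAKS):
        print(f"{account}:{password}")
```

Note what the pipeline does not do: it keeps the local part of the address, which is precisely the username/password pairing the research is meant to study, so the unlinkability comes from the other steps and from the shuffle rather than from anonymising the usernames themselves.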

‘Furthermore, I believe these are primarily dead passwords…and this data is largely useless for illegal purposes,’ Mr Burnett wrote.

Mr Burnett said: ‘The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorised access.’ A report by SplashData released in January revealed that ‘123456’ was the most popular credential last year, followed by ‘password’ (illustrated)

This means that passwords have already been changed and that all the data is already available online.

‘…I have taken extraordinary measures to make this data ineffective in targeting particular users or organisations.’

In January, a report by SplashData revealed that ‘123456’ was the most popular credential last year, followed by ‘password.’

The most used passwords of last year were also the most insecure, causing security experts to urge users to pick less obvious login details to keep their information safe.

The rest of the top five were ‘12345’, ‘12345678’ and ‘qwerty’, according to the firm, which develops password management software.

The company, which is based in Los Gatos, California, analysed files containing millions of stolen passwords posted online during the previous year.

WORST PASSWORDS OF 2014

1. 123456

2. password

3. 12345

4. 12345678

5. qwerty

6. 1234567890

7. 1234

8. baseball

9. dragon

10. football

11. 1234567

12. monkey

13. letmein 

14. abc123

15. 111111

16. mustang

17. access

18. shadow

19. master

20. michael

21. superman

22. 696969

23. 123123

24. batman

25. trustno1

As well as lazy number and letter combinations that can be entered with a swipe of the thumb, the firm also noticed that ‘easily guessable’ passwords such as ‘letmein’, ‘football’ and ‘batman’ were included in its top 25 worst pins.

New additions to the top 25 include: 'baseball', 'dragon', 'football', 'mustang', 'access', 'master', 'michael', 'superman', '696969' and 'batman'.

Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

The firm has advised anyone using any of these top 25 words to change their password to something more secure immediately, because common passwords are easiest for cybercriminals to guess. 
