In 2009 a website called RockYou was breached via a SQL injection vulnerability. From this attack, 32 million plaintext passwords were exposed and aggregated into a password list. This list has become a household name in cybersecurity and a staple in any security practitioner’s toolbox, especially within the realm of hash cracking. Over the years, it has been expanded with more known cleartext passwords, reaching over 8 billion passwords as of 2021 in the version known as RockYou2021. This large password list comes preloaded in some security-focused operating systems such as Kali Linux and is primarily used to crack hashes with a user’s cracking program of choice.
In early July of 2024, a user by the name of “ObamaCare” posted yet another updated version of this list, RockYou2024, on a forum. Boasting over 9.9 billion raw lines, the 2024 version of this dictionary demonstrates the continued relevance of stolen user credentials, both as an attack tool and as an illicit industry.
The use cases for these password lists are multi-faceted.
According to the Verizon DBIR, roughly 40% of intrusions are executed with stolen or abused credentials, and credentials are also among the most common types of data exfiltrated. This cycle of using the proverbial keys to the castle to steal other keys sustains an unfortunately durable and very accessible attack vector that even the least technical attackers can leverage with great success.
One of the prime reasons for the continued viability of these techniques is password reuse: regardless of whether a specific organization itself has been breached, if its users have used the same credentials across multiple platforms, all of those accounts are now vulnerable to compromise.
The best strategies to combat this abuse are simple. It is paramount to put in place password policies that require strong passwords that are hard to crack. Monitoring and scanning existing passwords to detect whether they have appeared in a breach, and enforcing MFA, are also critical.
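The screening step described above can be implemented without shipping a multi-gigabyte list to every client by indexing SHA-1 hashes of the leaked passwords by prefix, so a caller reveals only a short hash prefix and compares suffixes locally (the k-anonymity lookup pattern). The following is an added example, not code from Enzoic or the original post; the breach list it uses is a constructed five-entry stand-in for a RockYou-style dictionary.

```python
import hashlib

# Constructed sample of leaked cleartext passwords, standing in for a
# RockYou-style list. A real deployment would index the full file once.
SAMPLE_BREACH_LIST = ["123456", "password", "rockyou", "iloveyou", "Summer2024!"]

PREFIX_LEN = 5  # hex characters of the SHA-1 digest revealed to the lookup side


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used by prefix-lookup services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords) -> dict:
    """Map each digest prefix to the set of digest suffixes found in the breach list.

    This is the 'server side' of the lookup: given a prefix, it can return every
    matching suffix without ever learning which password the caller holds.
    """
    index: dict = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def is_compromised(password: str, index: dict) -> bool:
    """Client side: send only the prefix, then check the suffix against the returned set."""
    digest = sha1_hex(password)
    candidate_suffixes = index.get(digest[:PREFIX_LEN], set())
    return digest[PREFIX_LEN:] in candidate_suffixes


def check_password_policy(password: str, index: dict, min_length: int = 12) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_compromised(password, index):
        failures.append("appears in a known breach list")
    return failures


if __name__ == "__main__":
    idx = build_prefix_index(SAMPLE_BREACH_LIST)
    for pw in ["Summer2024!", "correct horse battery staple"]:
        print(pw, "->", check_password_policy(pw, idx) or "accepted")
```

The same index can be rebuilt whenever the breach list is updated, and the check can run both at password-set time and as a periodic scan of existing credentials.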
The usefulness of any dataset is dictated by its ease of use. The RockYou2024 file is in its most raw form. We plan on spending some time analyzing it after all the data is ingested. Stay tuned.
AUTHOR
Amos Struthers
Amos is a member of the threat research team, dedicated to identifying and cultivating sources and actionable intelligence for Enzoic products. He enjoys learning about new attack vectors, exploits, and vulnerabilities, as well as those threat actors who are utilizing them in the wild. When not at work, Amos loves spending time with his family, cooking, lifting weights, and competing in various shooting sports.