As more and more components of our daily life move from the real world to the internet, the value of security cannot be overstated. Each new innovation we embrace — from Zoom to TikTok to the latest video game system — comes with a username and password that joins the ranks of our dozens of other usernames and passwords, and odds are, each individual login in a person’s deck of passwords probably resembles the others in at least some shape or form. It’s not necessarily a bad thing (if your password is secure, that is) — after all, common variations on the same password is how people remember their login info.
But, if just one of those passwords were to leak, it’s possible that every single one of a person’s passwords could be compromised as a result. Imagine the threat a leak of 8.5 billion passwords would pose. It’s our current reality, and you might not have even heard of it. Hackers called it RockYou2021, and the few who reported on it treated it like a game-changing security threat the likes of which we’ve never seen before. Is this an overreaction? Was RockYou2021 really that bad if none of us even heard about it? Let’s separate the truth from the fiction.
RockYou2021: What Happened?
When news of RockYou2021 first broke at the start of June, 2021, it was immediately dubbed “the largest password leak in the history of the internet,” far surpassing the earlier RockYou leak of 2009 that included over 32 million passwords. Originally, RockYou2021 was said to include 82 billion passwords — in reality, the number is about 1/10th of that: 8.459 billion passwords. To be clear, at over 250 times the size of RockYou2009, this is still a remarkable number of passwords to be leaked.
RockYou2021 was posted as a 100 GB text file on a very popular (unnamed) online forum for hackers. Each of the nearly 8.5 billion passwords is between 6 and 20 characters long, with all white spaces and non-ASCII characters removed from the text. Large collections like these allow for hackers and cybercriminals to do what’s known as “password spraying,” which involves trying a great many number of usernames and passwords in a very short amount of time in order to gain access to an account.
How RockYou2021 Compares to Password Leaks of the Past
Some of the biggest password leaks of the past include the aforementioned RockYou data breach of 2009, the Compilation of Many Breaches (COMB) of February 2021, and Breach Compilation of 2017. Passwords in the billions were leaked in each of these breaches combined, but they all share one thing in common (RockYou2021 included): They’re actually a collection of countless smaller leaks put into one large document.
With this, RockYou2021 is simply an enormous compilation of other leaks, COMB included — this February breach alone accounts for over 3 billion of RockYou2021’s 8.5 billion passwords. This doesn’t make it any less of a potential threat, but it definitely helps bring some context to the sheer size of these leaks: As it turns out, many of these enormous password breaches are simply reusing past information and including it in newly-named leaks in an attempt to fluff them up and make them seem more menacing. It’s all about optics, and a claim like “8.5 billion passwords” is destined to generate buzz, even if nearly half or more of those 8.5 billion have already been leaked in the past.
What the Leak Actually Consists Of
We know that this leak is comprised of many leaks of the past, but what about the other billions of passwords? Where did they come from? As it turns out, after some thorough investigating, the bulk of RockYou2021 is actually just a collection of many different cracking dictionaries. These cracking dictionaries consist of commonly used and easy-to-guess passwords that are used in password spraying attacks. To be clear, these aren’t necessarily passwords tied to anyone specific, but rather passwords that are commonly used by many different accounts.
This means that, ultimately, RockYou2021 is actually nothing new: It’s repackaged leaks of the past and cracking dictionaries under a new name in an attempt to look more threatening than it actually is. These aren’t 8.5 billion passwords taken from individuals by skilled hackers like thieves in the night, but rather a compilation of the work of other hackers and cybercriminals of the past. If it were a movie, it’d be an extended edition re-release chock full of deleted scenes.
How to Keep Your Passwords From Leaking
This isn’t to say that RockYou2021 shouldn’t be taken seriously, especially if one of your simple passwords is included in the text file. Thankfully, your best line of defense is also the simplest one: Change your password so that it’s impenetrable. Cracking dictionaries and the like depend on basic, easy-to-guess passwords like “Summer2021!” or “Password123!” in order for cybercriminals to gain access to any and all accounts they can get their hands on.
If your password is a complex and impossible-to-guess combination of letters, numbers, and symbols — like the passwords provided and stored securely by a password manager — then you probably won’t have to worry about being compromised anytime soon. Your first line of defense against hackers and cybercriminals is also the best line of defense: Change your password often, keep it complex, and store it securely in your preferred password manager.
