What is the news?
A security researcher has released 10 million usernames and passwords into the public domain. Mark Burnett collected this data from various data breaches over the past ten years for research purposes. He has also written an entire article justifying the release, out of fear that it could lead to prosecution.
“THIS IS COMPLETELY ABSURD THAT I HAVE TO WRITE AN ENTIRE ARTICLE JUSTIFYING THE RELEASE OF THIS DATA OUT OF FEAR OF PROSECUTION.”
These 10 million usernames and passwords were already available on the internet; he has compiled the leaked records into a single database. Mark Burnett is a reputed security expert, and he is willing to share the data to help security researchers.
Why is he releasing the passwords?
“Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world.
A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a dataset of ten million usernames and passwords that I am releasing to the public domain.”
Why shouldn’t the FBI arrest him?
Mark says that he has released the usernames and passwords to give researchers access to clean and consistent data. He says:
“Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature.
If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.”
This release can definitely help other security experts and researchers determine one basic fact: how often users include part of their username in their password. Defying the risk of prosecution, Mark has released these 10 million passwords and defended their release.
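The username-in-password measurement described above can be sketched as follows. This is an added example, not Burnett's own code or method; the function names, the four-character threshold and the sample records are assumptions constructed for illustration. The same check can serve as a signup-time policy that rejects passwords derived from the account name.

```python
"""Measure how often a password reuses part of its username (added example)."""

MIN_OVERLAP = 4  # assumption: shorter shared runs are treated as coincidence


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest run of characters that appears in both strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def username_overlap(username, password, min_len=MIN_OVERLAP):
    """Return the shared fragment (case-insensitive), or None if below min_len."""
    local = username.split("@", 1)[0].lower()  # ignore a mail domain if present
    frag = longest_common_substring(local, password.lower())
    return frag if len(frag) >= min_len else None


def overlap_rate(pairs, min_len=MIN_OVERLAP):
    """Return (fraction of pairs with overlap, list of (username, fragment))."""
    hits = [(u, username_overlap(u, p, min_len)) for u, p in pairs]
    hits = [(u, f) for u, f in hits if f]
    return len(hits) / len(pairs), hits


# Constructed sample records; not taken from any real dump.
SAMPLE = [
    ("jsmith", "jsmith2015"),
    ("alice.w@example.com", "Alice.w!"),
    ("bob", "bob123"),
    ("carol77", "correct-horse"),
    ("dmitri", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    rate, hits = overlap_rate(SAMPLE)
    print(f"{rate:.0%} of sample passwords reuse part of the username: {hits}")
```

Lowering `min_len` catches short usernames such as `bob` at the cost of more coincidental matches.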
How to check if you were exposed in the 10 million password dump?
Developer Luke Rehmann has built an easy way to check: a simple web interface for searching for your credentials. It’s recommended that you search using only the first four characters of a password, due to security concerns.
Is Mark doing the right thing by releasing these 10 million passwords? Tell us in the comments below!