A Security Expert Just Published 10 Million Passwords And Usernames

Here’s what you can do to keep yours from making any future lists

Password Please (screenshot)

Yesterday, security consultant Mark Burnett released 10 million passwords and their corresponding usernames, a data set he compiled from information that was already out there. He insists it is for the greater good.

Burnett says he felt obliged to write a blog post explaining why he released the data, not least to head off any interest from the FBI. In his defense, he wrote, "The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access." He says he wants the information to be available for academic and research use.

If your next move is to frantically check whether your username is on the list, keep in mind that most of the entries are old and probably no longer valid, so don't worry (too much). He also went to great lengths to strip the domain name from every email address, which makes the data far harder to misuse. But Burnett notes in the post that even if your username and password aren't on the list, that doesn't mean they're safe. He suggests checking Google, haveibeenpwned.com, or pwndlist.com to see whether you're in the clear.

Popular Science spoke to Burnett about the worst possible passwords for our upcoming March issue. Here's what he had to say about good and bad passwords:

To improve account security, Burnett says to use at least 10 characters and avoid common phrases. But even that may not offer much protection. “The capability of cracking passwords has gotten so great. We have things to make them stronger, like two-factor authentication, but on their own, passwords are kind of at the end of their effectiveness.”

Until the password itself becomes obsolete and we can rely on biometric identification, for example, we strongly recommend the above (especially two-step or two-factor login), and using a unique password for every service.
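To make the two points above concrete, here is an added example (not code from the article, from Burnett, or from his data set) that runs on a small constructed sample. It shows why short, common passwords fall instantly to an offline dictionary attack, what kind of aggregate statistic a list like Burnett's supports, and why a username/password pair that appears in one leak is a problem for every other service where that same password was reused. All usernames, passwords and the wordlist are constructed; the unsalted SHA-1 hashing is an assumption chosen only to keep the toy attack fast and legible.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a leaked dump of username:password pairs
# (not Burnett's data). Domains are absent, as in the released set.
LEAKED_PAIRS = [
    ("alice", "password1"),
    ("bob", "123456"),
    ("carol", "letmein"),
    ("dave", "correct-horse-battery-staple"),
    ("erin", "qwerty"),
    ("frank", "password1"),
]

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "abc123"]
COMMON_PASSWORDS = set(WORDLIST)


def sha1_hex(password):
    """Unsalted SHA-1, an assumption chosen only to keep the toy attack legible."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hashed_dump(pairs):
    """What an attacker typically obtains: username -> unsalted password hash."""
    return {user: sha1_hex(pw) for user, pw in pairs}


def dictionary_attack(hashes, wordlist):
    """Recover every account whose password is in the wordlist.

    With unsalted hashes each guess is hashed once and compared against all
    accounts, so the cost scales with the wordlist, not with the accounts.
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def most_common_passwords(pairs, n=3):
    """The kind of aggregate statistic a data set like this is released to support."""
    return Counter(pw for _, pw in pairs).most_common(n)


def check_password(password, min_length=10):
    """Return the problems with a password under the guidance in the article."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    return problems


def reused_credentials(service_creds, leaked_pairs):
    """Services whose (username, password) pair also appears in the leak.

    A pair on a list like this gets replayed against other sites, which is
    why a unique password per service limits the damage of any one leak.
    """
    leaked = set(leaked_pairs)
    return sorted(svc for svc, pair in service_creds.items() if pair in leaked)


if __name__ == "__main__":
    cracked = dictionary_attack(hashed_dump(LEAKED_PAIRS), WORDLIST)
    print("cracked %d of %d accounts: %s"
          % (len(cracked), len(LEAKED_PAIRS), sorted(cracked)))
    print("most common:", most_common_passwords(LEAKED_PAIRS, 1))
    for pw in ("qwerty", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "ok")
    # Constructed user who reused a leaked password on one site but not another.
    alice = {"shop": ("alice", "password1"), "bank": ("alice", "wNq7!vRk2#pL")}
    print("alice should rotate:", reused_credentials(alice, LEAKED_PAIRS))
```

Five of the six constructed accounts crack against a six-word list; only the long, uncommon passphrase survives. The reuse check is the part users can act on themselves: a password that appears in any leak, paired with your username, should be treated as burned everywhere it was used.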