Recently, a hacker circulated a database, RockYou2024, said to contain nearly 10 billion passwords from previous data breaches. However, analysis reveals the archive is largely useless.
Security researcher Ata Hakcil from WizCase examined the 150GB archive, finding that many entries are over 20 characters long or consist of random brand names and terms, indicating the database includes irrelevant internet text rather than actual passwords. Filtering the database to typical password lengths (6-12 characters) reduces the entries from 9.9 billion to 5.9 billion.
Specops Software’s analysis concurs, stating the dataset is “mostly garbage data,” with many entries being random characters or lengthy texts in various languages. They assert that the database is not a useful wordlist for attacks.
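The length-based checks described in the two analyses above can be reproduced as a quick quality triage of any claimed password dump. The following is an added example, not code from WizCase or Specops. The bucket names, the UTF-8 decoding check and the sample entries are assumptions made for illustration.

```python
import sys
from collections import Counter

TYPICAL = range(6, 13)  # 6-12 characters, the range quoted in the article
LONG_OVER = 20          # entries longer than this were flagged as non-password text


def triage(lines):
    """Stream over raw wordlist lines (bytes) and count entries per bucket."""
    counts = Counter()
    for raw in lines:
        entry = raw.rstrip(b"\r\n")
        if not entry:
            continue  # blank lines are not entries
        counts["total"] += 1
        try:
            text = entry.decode("utf-8")
        except UnicodeDecodeError:
            counts["undecodable"] += 1  # assumption: treat as binary debris
            continue
        n = len(text)  # length in characters, not bytes
        if n in TYPICAL:
            counts["typical_6_12"] += 1
        elif n > LONG_OVER:
            counts["over_20"] += 1
        else:
            counts["other_length"] += 1
    return counts


def typical_share(counts):
    """Fraction of entries that fall in the 6-12 character range."""
    return counts["typical_6_12"] / counts["total"] if counts["total"] else 0.0


# Constructed sample entries, not taken from any real archive.
SAMPLE = [
    b"sunshine1\n", b"qwerty12\r\n", b"abc\n", b"thirteenchars\n",
    b"this is a full sentence scraped from a web page\n",
    b"AcmeWidgetsInternationalHoldings\n",
    b"\xff\xfe\x00bad\n", b"\n",
]

if __name__ == "__main__":
    # With a path argument, stream that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            result = triage(fh)
    else:
        result = triage(SAMPLE)
    print(dict(result), f"typical share: {typical_share(result):.1%}")
```

Because the file is read line by line in binary mode, the same function works on archives far larger than memory.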
Security researcher Royce Williams estimates only 190 million entries might be new and useful, advising pentesters to skip RockYou2024. Troy Hunt, an expert in cataloging password leaks, cautions against trusting archives claiming billions of passwords, as they often compile text strings from varied sources.
The hacker “ObamaCare,” who compiled RockYou2024, has since deleted their original post. Overall, experts agree there’s no need to panic over this data leak.