Skip to main content

Plaintext Passwords Exposed

In 2009 a website called RockYou was breached via a SQL injection vulnerability. From this attack, 32 million plaintext passwords were exposed and aggregated into a password list. This list has become a household name in cybersecurity, a staple in any security practitioner’s toolbox especially within the realm of hash cracking. Over the years, it has been expanded with more known cleartext passwords being added to it to the tune of over 8 billion passwords as of 2021, known as RockYou2021. This large password list comes preloaded in some security focused operating systems such as Kali Linux and is primarily used to crack hashes with a user’s cracking program of choice.

RockYou2024 Password List

In early July of 2024, a user by the name of “ObamaCare” posted a once more updated version of this RockYou2024 password list on a forum. Boasting over 9.9 billion raw lines the 2024 version of this dictionary demonstrates the continued relevance of stolen user credentials, both as an attack tool and an illicit industry.

The use cases for these password lists are multi-faceted.

  • Threat actors can leverage these password lists to run dictionary attacks against existing password hashes in an attempt to discover the plaintext password. Once these plaintext passwords have been cracked, they can effectively be used to target user accounts.
  • Additionally, with the prevalence of password reuse, these passwords can be used across other accounts or used to generate variations of the password for custom dictionaries designed specifically for their target. These TTPs (tactics, techniques, and procedures) allow the actor to drastically cut down the attack time and the resources required for access, as opposed to much slower techniques like a brute force attack.
  • Finally, it can be used to facilitate password spraying attacks where password lists are programmatically used to try and attempt a login.

According to the Verizon DBIR, roughly 40% of intrusions are executed with stolen or abused credentials, as one of the most common types of data being exfiltrated is also categorized as credentials. This cycle of using the proverbial keys to the castle to steal other keys supports an unfortunately sustainable and very accessible attack vector that even the least technical attackers can leverage with great success.

One of the prime reasons for the continued viability of these techniques is due to password reuse. Meaning, regardless of whether a specific organization itself has breached, if users have used the same credentials across multiple platforms, all of those accounts are now vulnerable to compromise.

The best strategies to combat this abuse are simple. It is paramount to set in place strong password policies that require strong passwords that are hard to crack. Monitoring and scanning existing passwords to detect if they have become compromised, and enforcing MFA rules are also critical.

The usefulness of any dataset is dictated by its ease of use. The RockYou2024 file is in its most raw form. We plan on spending some time analyzing it after all the data is ingested. Stay tuned.



Amos Struthers

Amos is a member of the threat research team, dedicated to identifying and cultivating sources and actionable intelligence for Enzoic products. He enjoys learning about new attack vectors, exploits, and vulnerabilities, as well as those threat actors who are utilizing them in the wild. When not at work, Amos loves spending time with his family, cooking, lifting weights, and competing in various shooting sports.