RockYou2021

Demystifying RockYou2021

Unless you’ve been living under a rock, you’ve probably heard of the RockYou2021 breached password list. Many articles have been published about this incident and password lists associated with it. However, some reported information is misleading or downright wrong.

Let’s dive into what the RockYou2021 list means for you and organizations worldwide.

What is RockYou2021?

For a quick recap, RockYou2021 was the recent leak of over 8 billion passwords in a 100GB text file to an online forum. The passwords contained in these lists are all 6-20 characters in length, with whitespaces removed. Many were previously exposed in other breaches, such as the 3.2 billion passwords in the Combination of Many Breaches (COMB) from early 2021.

Was the Colonial Pipeline hack a result of RockYou2021?

No. Despite the timing of the news, there is little, if any, evidence to suggest that the Colonial Pipeline ransomware attack was a direct result of RockYou2021. 

It is true that the password used to breach Colonial Pipeline was on the RockYou2021 password list. But it is important to note that RockYou2021 is not a unique list. It is a compilation of various lists, better known as Cracking Dictionaries.

What are Cracking Dictionaries?

Cracking Dictionaries are lists of expected passwords, or as NIST puts it, commonly used or easy-to-guess passwords. These lists are used to quickly recover the clear text behind hashed passwords or to perform password-guessing attacks.

Cracking Dictionaries can also include dictionary words like “Summer,” common passwords like “Summer2021,” iterations of common passwords such as “!Summer2021!,” and exposed passwords. Additionally, these dictionaries contain passwords that were originally stored as hashes but were cracked because a weak password hashing algorithm was used.

Guessing someone’s password from a dumped set of hashes is not exactly easy, but it can be done. That is the reason why lists of passwords like RockYou2021 exist. These dumps do not serve as a list of actual passwords but rather as a list of possible guesses to feed into tools that threat actors use to try to guess some of these hashes.

What next?

When any breach list pops up, you should check to see if the password you used is a part of it. You can use a free service, like check.enzoic.com, which allows you to check against Enzoic’s billions of leaked credentials and passwords to see if your password is compromised. 
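For teams that screen passwords against a local copy of such a list, the sketch below is an added example (not Enzoic's code or service) that accounts for the two list properties described earlier: entries are 6-20 characters long and whitespace was removed. It assumes whitespace was stripped from entries rather than such entries being dropped; the `screen` and `normalize` names and the sample data are hypothetical.

```python
import io
from enum import Enum

MIN_LEN, MAX_LEN = 6, 20  # entry lengths in RockYou2021, as stated in the article


class Verdict(Enum):
    LISTED = "listed"              # found in the list: reject or force a change
    NOT_LISTED = "not listed"      # in scope for the list, but absent
    OUT_OF_SCOPE = "out of scope"  # the list cannot contain it; proves nothing


def normalize(password):
    """Strip all whitespace (assumed to mirror how list entries were stored)."""
    return "".join(password.split())


def screen(candidates, wordlist):
    """Stream `wordlist` (an iterable of lines) once; return {candidate: Verdict}."""
    pending, verdicts = {}, {}
    for cand in candidates:
        norm = normalize(cand)
        if MIN_LEN <= len(norm) <= MAX_LEN:
            pending.setdefault(norm, []).append(cand)
            verdicts[cand] = Verdict.NOT_LISTED
        else:
            verdicts[cand] = Verdict.OUT_OF_SCOPE
    for line in wordlist:
        for cand in pending.pop(line.rstrip("\r\n"), ()):
            verdicts[cand] = Verdict.LISTED
        if not pending:  # every in-scope candidate matched; stop reading
            break
    return verdicts


# Constructed sample standing in for the real 100GB file (one entry per line).
SAMPLE_WORDLIST = "Summer2021\n!Summer2021!\npassword1\n"

if __name__ == "__main__":
    checks = ["Summer 2021", "!Summer2021!", "abc",
              "correct horse battery staple", "Tr0ub4dor&3x"]
    for pw, verdict in screen(checks, io.StringIO(SAMPLE_WORDLIST)).items():
        print(f"{pw!r}: {verdict.value}")
```

An "out of scope" verdict means only that this particular list cannot speak to the password; it still needs to be checked against other breach data.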

You can also run a free password audit of your AD environment to see if any of your users are using a known compromised password. While these password audits give you a quick snapshot of your users, they don’t tackle the most critical part of password security: staying proactive.

Tools like Enzoic for Active Directory utilize our daily updated database to perform real-time password checks. These will identify compromised passwords and continuously monitor to provide automated remediation if a password appears in a breached list like RockYou2021. 

Cracking Dictionaries, actual passwords, and credentials are leaked and traded by threat actors every day. Having the right toolset to protect against this threat is vital. Lists like these will always exist, but you can eliminate risk by ensuring weak and vulnerable passwords are never in Active Directory.