Why Did a Security Guru Publish 10 Million Passwords Online?

"Geez people, it wasn't a password leak." That exasperated tweet was sent out Tuesday by IT security analyst and author Mark Burnett, who sparked an uproar on the Internet a day earlier by posting a publicly-accessible database of 10 million passwords.

In an accompanying blog post, Burnett explained his motivation. "[F]or quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security," he said. "So I built a data set of ten million usernames and passwords that I am releasing to the public domain."

We reached out to Burnett for his reaction to the coverage. "I certainly expected some attention, especially within the security community, but hadn't expected it to spread to the mainstream press as much as it did," he told us.

A Risky Move?

Part of the reaction stems from the fact that there is considerable public and law enforcement concern these days regarding the misuse of passwords. As Burnett himself clearly recognized, releasing usernames and passwords, even for pure research, does raise the possibility of serious legal consequences. In fact, a good-sized chunk of his blog post addresses the question: "Why the FBI Shouldn't Arrest Me."

In particular, Burnett pointed out that he did not release his database with any intent to defraud (a key requirement of existing data protection statutes). He said that he took a variety of steps to minimize the likelihood that any of the data could be used to impersonate someone or gain access to an individual's private information.

Burnett also noted that he compiled his database from large and already publicly-accessible plaintext data dumps of passwords. As a result, "to the best of my knowledge these passwords are no longer valid and I...
