For folks asking about 8.4B record “RockYou2021” password list that’s in the news today, this is an aggregation of multiple other lists. For example, this password cracking list: crackstation.net/crackstation-w…

Among other things, it contains “every word in the Wikipedia databases” and words from the Project Gutenberg free ebook collection: gutenberg.org

Unlike the original 2009 RockYou data breach and consequent word list, these are not “pwned passwords”; it’s not a list of real world passwords compromised in data breaches, it’s just a list of words and the vast majority have *never* been passwords

Just do the maths: about 4.7B people use the internet. They reuse passwords like crazy not just across the services each individual uses, but different people use the same passwords. Then, only a small portion of all the services out there have been breached.

Continuing the maths, the increasing prevalence of stronger password hashing algorithms in data breaches make it harder to extract plain text passwords for use in lists like this so the real number of exposed and *usable* passwords declines again

So, are there 8.4B passwords out there *in total*, let alone breached, cracked and in a single list? No, not by a long shot.

This list is about 14 times larger than what’s in Pwned Passwords because the vast, vast majority of it isn’t passwords. Word lists used for cracking passwords, sure, but not real world passwords so they won’t be going into @haveibeenpwned

Still really surprised this has made headlines and been shared to the extent it has, it’s like people don’t read stories before sharing them…

Tempted to add a 1 to the end of each “password”, join it back to the original list and ship it to the media as 16.8B passwords!