For folks asking about the 8.4B record “RockYou2021” password list that’s in the news today: this is an aggregation of multiple other lists. For example, this password cracking list: crackstation.net/crackstation-w…
Among other things, it contains “every word in the Wikipedia databases” and words from the Project Gutenberg free ebook collection: gutenberg.org
Unlike the original 2009 RockYou data breach and consequent word list, these are not “pwned passwords”; it’s not a list of real world passwords compromised in data breaches, it’s just a list of words and the vast majority have *never* been passwords
Just do the maths: about 4.7B people use the internet. They reuse passwords like crazy not just across the services each individual uses, but different people use the same passwords. Then, only a small portion of all the services out there have been breached.
Continuing the maths, the increasing prevalence of stronger password hashing algorithms in data breaches makes it harder to extract plain text passwords for use in lists like this, so the real number of exposed and *usable* passwords declines again
So, are there 8.4B passwords out there *in total*, let alone breached, cracked and in a single list? No, not by a long shot.
This list is about 14 times larger than what’s in Pwned Passwords because the vast, vast majority of it isn’t passwords. Word lists used for cracking passwords, sure, but not real world passwords so they won’t be going into @haveibeenpwned
Still really surprised this has made headlines and been shared to the extent it has, it’s like people don’t read stories before sharing them…
Tempted to add a 1 to the end of each “password”, join it back to the original list and ship it to the media as 16.8B passwords!
I’m seeing a lot of commentary to this effect about the under 16 social media ban in the UK. Given we’ve just gone through this in Australia, let’s look at how that’s done in a way that DOESN’T require everyone to provide ID:
“eSafety does not expect a platform to make every account holder go through an age check process if it has other accurate data indicating the user is 16 or older.”
I don’t know of a single adult who has had to “prove their age by uploading an ID (passport/drivers licence) and biometric data”. I also don’t know of a single one who has had to prove their age at all.
Watching the dismay on my 13 year old daughter’s face as the final 2 weeks of social media access tick down to Dec 10. It’ll be 2028 before she can use Snapchat (and others) again. What’s everyone think about this? esafety.gov.au/about-us/indus…
This got a lot of traction, it’s like the Twitter of old! So, let me clarify a few things as a parent, cybersecurity guy and industry commentator:
Firstly, recognise that parental decisions around how you raise children are very personal. Diet. Exercise. Religion. Study. Family. And, how they use social media, messaging and devices in general. There are wide-ranging views on all these, obviously.
Rack upgrade day! Some new @Ubiquiti goodness to consolidate things, pics and details coming…
Alright, let’s jump into this and full disclosure: @Ubiquiti has sent me all the bits you’ll see to play with. That’s after I spent a bunch of my hard-earned cash buying their gear and writing about it 9 years ago now, I’ve just been a fan ever since: troyhunt.com/ubiquiti-all-t…
@Ubiquiti What we’ve got here is a new 48 port Pro XG switch with 10 GbE, PoE+++ and etherlighting (more on that soon). That’ll replace both the older 24 port USW Pro Max (which was to play with etherlighting) and the 48 port USW Pro (because I needed more ports), so I’ll reclaim an RU.
The Pornhub story regarding age verification shows just how hard privacy-preserving identity verification is. Even when everyone agrees on the sentiment (nobody is saying kids should have access to porn), there’s no consensus on the execution. 404media.co/pornhub-is-now…
It took me a few seconds to VPN into Texas and capture these screens. It takes someone in Texas a few seconds to VPN into California and *not* see these screens! It costs a few bucks a month for a good VPN with loads of exit nodes around the world, placing you where you want.
I suspect that factored into Pornhub’s decision - the knowledge that they can satisfy a state law whilst not posing any real barrier to paying customers. If someone is willing to pay for porn, surely they’re willing to pay a lot less for a VPN to access it?
Was confused whilst doing my live stream just now as to why there was a sudden spike in DB usage on @haveibeenpwned. Turns out it was related to *dropping* this constraint:
ALTER TABLE [dbo].[Domain] ADD CONSTRAINT [CHK_DomainName_Pattern] CHECK (([dbo].[IsDomainValid]([DomainName])=(1)))
We'd decided a constraint that calls a function on every insert of a new domain was unnecessary; all it did was validate that the string adhered to the correct pattern, but because we controlled the upstream code, we could do that before it even hit the DB.
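The pattern described in the thread above, as an added example that is not Have I Been Pwned’s own code: the domain-name check moves out of a database CHECK constraint and into the application code that performs the insert, so the DB never runs a function per row. The body of the page’s `IsDomainValid` function is not shown, so the rules below (labels of 1–63 characters of letters, digits and hyphens, no leading or trailing hyphen, at least two labels, an alphabetic TLD, 253 characters total) are an assumption; the in-memory SQLite table and the candidate domains are constructed for the example.

```python
import re
import sqlite3

# Constructed validation rules. The page does not show IsDomainValid's body,
# so these rules are an assumption, not HIBP's actual implementation.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_TLD = re.compile(r"[A-Za-z]{2,63}")


def is_domain_valid(name: str) -> bool:
    """Application-side replacement for a DB-side CHECK that called a UDF.

    Returns True when `name` looks like a registrable host name under the
    assumed rules above. Runs once per insert in app code, not per row in SQL.
    """
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    return _TLD.fullmatch(labels[-1]) is not None


def create_schema(conn: sqlite3.Connection) -> None:
    """Table without the pattern CHECK; the pattern is enforced upstream."""
    conn.execute("CREATE TABLE Domain (DomainName TEXT PRIMARY KEY)")


def add_domain(conn: sqlite3.Connection, name: str) -> bool:
    """Validate before the value ever reaches the DB; insert only if valid.

    The INSERT is parameterised so the domain string is never spliced into SQL.
    Returns True when a row was inserted, False when the name was rejected.
    """
    if not is_domain_valid(name):
        return False
    conn.execute("INSERT INTO Domain (DomainName) VALUES (?)", (name,))
    return True


def demo() -> list[str]:
    """Push a constructed mix of good and bad names through add_domain()."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    candidates = [
        "haveibeenpwned.com",   # valid
        "-bad.example",         # label starts with a hyphen
        "nodots",               # single label, no TLD
        "a" * 64 + ".com",      # label longer than 63 characters
        "ok.co.uk",             # valid
        "x.1234",               # numeric TLD
    ]
    for candidate in candidates:
        add_domain(conn, candidate)
    rows = conn.execute("SELECT DomainName FROM Domain ORDER BY DomainName")
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(demo())
```

Rejected names never produce a statement at all, which is the point of the thread: the validation cost sits in code you control, and the constraint that triggered a function call on every insert can be dropped without loosening what actually gets stored.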