For many years, the “RockYou” collection of stolen passwords compiled from data breaches has been used by security researchers, enterprise defenders, and cybercriminals alike to test the strength of user-created passwords or to guess live account passwords through brute-force attempts. Recently, a newly updated version of the list, called RockYou2021, was compiled with 8.4 billion passwords and made available through underground forums. A link to download the new list briefly appeared on RaidForums; however, the post has since been removed. Earlier this year, another password list known as COMB (Compilation of Many Breaches) was released; it is included in RockYou2021, adding 3.2 billion passwords to the previous RockYou list. It appears that the author has been collecting breached passwords over time, and researchers with access to the list are working to identify any new leaks that might be present in it.
News like the release of RockYou2021 is a good reminder to check and rotate passwords, whether or not they show up on breach-notification sites such as haveibeenpwned. Defenders can use compiled password lists such as RockYou or COMB to check user-created passwords and ensure that no account uses a password that appears in a list attackers could easily guess from. Password sharing and overly simple passwords are still all too common and remain a major threat to enterprise and personal security. Services such as Bitwarden and 1Password help users create and store unique, strong passwords, and Wired has published a good article detailing some of the best password manager options in 2021. For those who opt not to use a password manager, a password of at least 12 characters that includes numbers, built from the first letter of each word in a phrase, is a good start. However, re-using the same password across multiple sites or services is still risky regardless of the password's strength, because a breach of one site can lead to the compromise of accounts on all the others.
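The defensive check described above, screening a user-chosen password against a breached-password list before accepting it, can be implemented in a few dozen lines. The following is an added example written for this article, not code from the article's author or from any of the projects mentioned. The tiny embedded wordlist is constructed for illustration and stands in for a RockYou- or COMB-style file; `MIN_LENGTH`, `load_blocklist`, `load_blocklist_file`, `is_breached`, and `evaluate_password` are names chosen here, not an existing library API. Rather than keeping the plaintext list in memory, it stores SHA-1 digests of each entry so the screening service never holds the raw breached passwords, and it reads real list files as bytes because such dumps commonly contain lines that are not valid UTF-8.

```python
import hashlib

# Constructed sample standing in for a breached-password list such as RockYou or COMB.
SAMPLE_LEAK = b"""123456
password
qwerty
letmein
iloveyou
Password1
"""

# Minimum length policy, matching the "at least 12 characters" guidance in the article.
MIN_LENGTH = 12


def _digest(raw: bytes) -> str:
    """SHA-1 hex digest of a raw password; SHA-1 is used here only as a compact
    lookup key for the blocklist, not as a password-storage hash."""
    return hashlib.sha1(raw).hexdigest()


def load_blocklist(data: bytes) -> set:
    """Build a set of digests from list contents held in memory, one password per line."""
    digests = set()
    for line in data.splitlines():
        entry = line.rstrip(b"\r")
        if entry:  # skip blank lines
            digests.add(_digest(entry))
    return digests


def load_blocklist_file(path: str) -> set:
    """Stream a list file from disk as bytes so lines that are not valid UTF-8
    are still hashed rather than raising a decode error."""
    digests = set()
    with open(path, "rb") as fh:
        for line in fh:
            entry = line.rstrip(b"\r\n")
            if entry:
                digests.add(_digest(entry))
    return digests


def is_breached(password: str, blocklist: set) -> bool:
    """True if the exact password appears in the loaded list."""
    return _digest(password.encode("utf-8")) in blocklist


def evaluate_password(password: str, blocklist: set) -> list:
    """Return the reasons a candidate password should be rejected; an empty
    list means it passes both the length policy and the breach check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password, blocklist):
        reasons.append("appears in a breached-password list")
    return reasons


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_LEAK)
    for candidate in ("qwerty", "Password1", "Tqbf-jumps-over-the-lazy-dog"):
        verdict = evaluate_password(candidate, blocklist)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

Matching is deliberately exact: a list entry of `Password1` does not flag `Password1!`, so this catches reuse of a known-leaked string but not rule-based variations of one. For a full 8.4-billion-entry list, a Python set of hex digests will not fit in memory; the same digest-keyed lookup works against a sorted digest file searched by binary search or against a database table with an index on the digest column.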