This blog will tell you what RockYou 2024 is, how RockYou 2024.txt came to be, and what you should know about it. Dig in!
Preface
These days, it’d be hard to find a security researcher who hasn’t heard of RockYou 2024.txt. The RockYou 2024 is said to be one of the biggest password leaks in recent history: but it was here before. Yes, a form of RockYou 2024.txt did exist before – just that it was smaller.
Three Iterations of RockYou 2024.txt
Yes, the interwebs have already seen similarities to RockYou 2024.txt – back in the day, it was also shared in the form of a text file, it’s just that back then (we’re talking about 2015-2016 here), it contained slightly over 14 million passwords. When some time passed and 2021 came around, hackers built a new list with around 8.5 billion records, and this year, we’re also hearing of RockYou 2024.txt which is said to contain close to 10 billion plain-text words (read: passwords from leaked data breaches) alone.
How Did RockYou 2024.txt Come to Be?
The RockYou 2024.txt list came to be when a bunch of high-profile data breaches occurred. They most likely built it through parsing (separating) usernames or email addresses from plain-text passwords and de-duplicating those plain-text passwords to come up with a list.
It was built this way from the beginning – that’s nothing surprising. What is surprising, however, is that once RockYou 2024.txt has hit the news, there were many security researchers and companies investigating and analyzing the list, and some of them said that the password list is not useful neither as a wordlist (which is presumably it’s primary use case), nor as a list of potential passwords that can be useful to attackers when attacking potential targets. Some of them even went so far as to say that the RockYou 2024.txt list is mostly useless data, and didn’t recommend putting any energy into it.
What Does RockYou 2024.txt Contain?
BreachDirectory.com will probably have a dedicated blog post in regards to the contents of RockYou 2024.txt, but based on the available analysis, it is said that the RockYou 2024.txt wordlist is approximately 150GB in size, and it only contains around 2 billion unique records if we compare the RockYou 2024.txt list with the 2021 RockYou.txt list.
Regardless, attackers are said to have immense interest in the RockYou 2024.txt list and it’s easy to understand why: the file, give or take, contains over 9.9 billion unique plain-text passwords that can be used to break into accounts. Various sources helps arrive at the conclusion that the file contains 9,948,575,739 passwords, which can be used to break into accounts by combining the list with email addresses or usernames for credential stuffing or to crack weak password hashes like MD5 or SHA1.
The RockYou 2024.txt list is also said to come with a bunch of hashes and encoded strings, too: the list contains Base64-encoded strings, strings and words in the Russian language, and truncated hashes.
The RockYou 2024.txt list is also understandably of interest to security researchers who may run analysis on the data set to check what passwords are used the most frequently, split the records in the RockYou 2024.txt list by length or the password itself. On the other hand:
- RockYou 2024.txt contains a lot of strings in the Russian language. There are supposedly lots of extremely lengthy passwords, and people tend not to choose such passwords to begin with (with the exception of the people who use password managers.)
- There are a bunch of badly processed, truncated hashes, email addresses, scraped text, Unicode-based text, IP addresses, numeric values, and the like.
All things considered, it’s easy to see why there’s so much hype around RockYou 2024.txt: it’s a plain-text file that supposedly contains around 10 billion passwords! But, as it turns out, most of the data in the RockYou 2024 list may as well be worthless if we consider the factors described above.
However, this is not to say that credential stuffing or other attacks making use of the RockYou 2024.txt list aren’t dangerous – far from it – but basic security measures should suffice when protecting from such attacks.
Protecting Yourself From the Outcomes of RockYou 2024
To protect yourself from credential stuffing and other possible outcomes in connection to RockYou 2024.txt, it’s vital to understand a couple of key things:
- RockYou 2024 isn’t a data breach of any specific service – RockYou 2024 refers to a huge collection of plain-text passwords, but to pose a threat to your accounts and be of value to an attacker, they need to be connected to a data source (usernames or email addresses.) Combining these passwords with IP addresses or isn’t going to be useful because IP addresses aren’t something that people use to log in to services with a password. This combined with the things mentioned above (a lot of garbage data in the password list) means that the usefulness in the RockYou 2024 list may as well be minimal.
- The entire RockYou 2024 list is useless for brute-force attacks – given the fact that the RockYou 2024 list contains around 10 billion passwords, no service will allow that many requests without blocking the account in question. Of course, attackers may try to split the RockYou 2024.txt list into smaller parts and attack the service again, but doing that would necessitate a lot of parts of the same wordlist.
- If you use strong passwords and don’t re-use them, the list is worthless – the RockYou 2024 list doesn’t contain many generated passwords, presumably because the list is made out of the passwords of data breaches that were already sifted through by attackers before the inception of RockYou.
With that said, the usefulness of password managers, data breach search engines, and other appliances isn’t negated: you still can (and should) change your passwords frequently, and to know what passwords to change, you should make use of data breach search engines like BreachDirectory.
The BreachDirectory data breach search engine and the BreachDirectory API will help you protect your team from identity theft by:
- Allowing you to search through an extensive list of breached databases through its data breach search engine.
- Providing API access to leaked data breaches in a singular and bulk format (i.e. allowing you to run bulk account searches through the BreachDirectory API.)
- Letting you know once your account has been exposed in a data breach if you register for data breach notifications using the BreachDirectory data breach search engine.
The BreachDirectory data breach search engine has protected tens of millions of people and continues to do so to this day. The best part? BreachDirectory.com is free of charge – it’s the BreachDirectory API and additional features of the data breach search engine (the wildcard functionality) that cost.
In case you’re curious about how BreachDirectory and the BreachDirectory API may help your use case or have any further questions, don’t hesitate to schedule a meeting with the founder today, and until next time.
Frequently Asked Questions
What is the RockYou 2024 List and What Does It Contain?
The RockYou 2024 list contains around 9.9 billion plain-text and hashed passwords that are said to be derived from various data breaches that have made headlines.
Should I Be Worried About the Outcomes of RockYou 2024?
No – given that the RockYou 2024.txt list contains a lot of garbage and doesn’t contain any actionable data in conjunction with it (i.e. there are no usernames or email addresses), it’s pretty useless for attackers to begin with. Use password managers and sleep soundly.
Why Should I Use the BreachDirectory Search Engine and the BreachDirectory API?
Consider using the BreachDirectory data breach search engine and the BreachDirectory API to protect yourself from identity theft and credential stuffing attacks targeting re-used passwords: the data breach search engine provided by BreachDirectory will not only allow you to see whether your account is at risk of identity theft and take preventative measures if it is, but also implement the data in the data breach search engine for your specific use case through the BreachDirectory API. Schedule a meeting with the founder and discuss your use case today!