When people hear their password has leaked, they picture a one-off accident: some service had a bad day, it made the news, you changed the password, done. It isn’t done. The day of the breach isn’t the end of anything: it’s day one of an assembly line that will run for years, and in which you will never once appear by name. The whole thing is worth telling, because almost nobody sees it.
Step one: somebody pulls the database
The opening move is nothing to look at. Somebody finds an SQL injection, an exposed backup, an admin panel still on the default credentials. And walks off with a table.
That table, if you’re lucky, holds your email and a hash of your password. If you’re less lucky, it holds your email and your password. In plain text. Exactly as you typed it.
2009 thirty-two million passwords in plain text
In December 2009, a social-widget company called RockYou took an SQL injection. Roughly 32 million passwords walked out the door, and there was no hash to break: it stored them in plain text.
A catastrophe for RockYou and a gift to everyone else. For the first time there existed a huge corpus of real passwords, written by people who had no idea anyone would ever read them. Not a study of the thing: the thing itself.
The file became rockyou.txt, still the reference wordlist attacks are tested
with. Its value isn’t that it contains your password: it’s that it contains how
people write passwords. A name and a year, the word and the 123, the ! on
the end. RockYou didn’t leak 32 million secrets. It leaked the pattern. And the
pattern doesn’t expire.
Step two: whatever can be cracked gets cracked, and nobody’s in a hurry
This is where intuition breaks. When somebody tries to guess your password at a service’s login screen, the service cuts them off: three tries, a CAPTCHA, a lockout. Against a server, guessing is slow and loud.
Against a file of hashes already sitting on your own disk there is no server. There’s nobody on the other end to say no. You run it locally, on GPUs, with no attempt limit and all the time in the world. If the service hashed badly — fast algorithm, no salt — the gap between that and plain text is one of convenience, not security.
And nobody guesses at random: rockyou.txt first, then rules derived from it.
Swap the a for @. Stick a year on the end. Every trick that struck you as
clever has been sitting in a config file for over a decade.
Out of that comes a share of the dump turned into readable passwords. The rest — the long, the random, the stuff that’s in no wordlist — stays noise. That’s the line the checker draws: it doesn’t scold you, it tells you which side you land on.
Step three: it gets merged, and that’s where you’re worth money
A lone dump isn’t worth much. The value is in aggregation: take ten breaches
from different sites, join them on the email address and keep the
email:password pairs that are already in the clear. The result is called a
combolist, and it isn’t anyone’s database any more. It’s a list of people.
2013 the inventory goes public
In December 2013, Troy Hunt launched Have I Been Pwned: a public database of email addresses that turned up in breaches, so anyone could ask whether they were in one. The reasoning behind it is simple and uncomfortable: if the attackers already have the inventory, keeping it from the victims protects nobody. Pwned Passwords came years later, doing the same for passwords and letting you look them up without sending them: you send a fragment of the hash and the server hands back a batch of candidates, never learning which one was yours.
2017 NIST stops asking for symbols and starts asking for lists
When NIST published SP 800-63B, it threw out nearly all the received wisdom of the signup form and put in its place a requirement few saw coming: when a password is set, the system must check it against a list of known compromised values and reject it if it shows up.
That’s a change of theory, not of detail. The question is no longer whether your password looks strong, but whether it’s already published. Which is why the generator does the only sensible thing: pull it out of somewhere it has never been.
2019 the breach that was already a rehash of other breaches
In January 2019 a package went around that became famous as Collection #1. Hunt took it apart and counted what was inside: some 773 million unique email addresses and around 21 million unique passwords in plain text, aggregated from thousands of sources.
The size wasn’t the point. Where it came from was: much of it was leftovers from earlier breaches, already cracked and repackaged into a convenient format — though Hunt also found material he hadn’t previously catalogued. The product wasn’t the intrusion. It was the inventory. And an inventory like that has exactly one use.
Credential stuffing: nobody is attacking you
Nobody is attacking you. That’s the part that’s hard to take on board.
Nobody sits down and thinks about your account. Somebody takes a combolist of hundreds of millions of lines, feeds it into a tool that tries them against the login form of a bank or a mail provider, spreads the attempts across many IP addresses so the lockouts don’t trip, and waits. The overwhelming majority fail. Doesn’t matter: they cost next to nothing.
That’s credential stuffing, and it isn’t guessing. It’s checking. They already have the password; the only thing they’re finding out is where else you put it.
Your password on that forum wasn’t important. Neither was the forum. What matters is that the same string of characters opens your email, and your email opens everything else via “forgot my password.” The original sin isn’t that it was weak: it’s that it was the same one. A thirty-character password, random and perfect, reused across two sites, is exactly as good as the worse of the two. And you don’t control how the worse of the two hashes it.
What follows from all this
- Changing the leaked password isn’t enough if you repeated it. The urgent site isn’t the one in the headlines. It’s the others.
- One password per site, and you shouldn’t mind forgetting it. If you can remember all your passwords, you have very few or they’re very bad.
- A second factor breaks the chain. Credential stuffing tries
email:password. If that isn’t enough to get in, the inventory stops being worth anything.
Your leaked password isn’t in the hands of an enemy. It’s a row in a file, among hundreds of millions of others, waiting for somebody to decide it’s worth trying on one more site. And the only thing that decides whether that works, you decided years ago, the second time you typed the same word.
Sources: the RockYou breach (December 2009) and the later use of rockyou.txt as
an attack wordlist · Have I Been Pwned and Pwned Passwords, by Troy Hunt · NIST SP
800-63B, on checking passwords against lists of compromised values · Troy Hunt’s
analysis of Collection #1 (January 2019) and the figures he published · OWASP’s
definition of credential stuffing.