A security researcher Mark Burnett has decided to make a rather unusual move for a legitimate researcher: He publicly released a collection of 10 million combinations of a user name and a password.
Do you wonder why Mark would do such a thing? He actually has a rather good reason for doing so. “Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain,” he explains in a blog post. “[an] Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature.”
In the post, Mark details why he was hesitant to release the list, and mentioning the recent case of Barrett Brown – the reporter who was recently sentenced to 5 years in prison for simply sharing a link to an IRC channel where the Anonymous hacktivist group was sharing hacked data.
This is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution.
Indeed, the entire post is sort of a detailed elaboration on the reasons why he should not be arrested and sentenced in much the same manner as Barrett Brown or others. When compared to the charges Brown was found guilty of, Mark Burnett says that in his case, “the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.” Mark further claims that these passwords are mostly dead and do not pose any (or extremely small) danger of being misused by cybercriminals for malicious purposes.
What do you think of Mark Burnette’s actions? Do you think what he did is justified and for a good cause? Or do you think he shouldn’t have publicly released the list? Take the poll below and leave comment.