Blog

Wordlists in Cybersecurity: RockYou 2024 Includes 10 Billion Stolen Passwords

Contact Us

The role of wordlists in cybersecurity is fundamental to many cyberattack techniques. Most commonly they are used to brute-force passwords and to enumerate directory structure looking for sensitive information or vulnerable files. In July 2024 a new wordlist was published that included over 10 billion passwords that have been used by the victims of data theft.  RockYou2024 is the newest edition of perhaps the most famous wordlist of all time: Rockyou.txt. 

This article delves into the importance of wordlists, examining their applications in various cyber attacks and security assessments. We also explore the history and impact of the RockYou2024 wordlist, a massive compilation of nearly 10 billion passwords leaked online, following the legacy of the original RockYou.txt breach from 2009.

A Primer on Cybersecurity Wordlists: What Are Wordlists?

Wordlists are essential tools in cybersecurity, used by both hackers and ethical hackers for penetration testing and security testing. They are essentially just text files containing a large collection of words, phrases, passwords, or other data - one per line.  Wordlists are used by hackers and cybersecurity professionals to carry out password cracking attacks and for other purposes such as enumeration attacks where hackers look for exposed files that could contain sensitive information. 

Here are some tools that use wordlists and how they are used: 

  • OWASP ZAP (Zed Attack Proxy): ZAP is an open-source web application security scanner for auditing web application security. It includes automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ZAP uses wordlists for various types of attacks, including fuzzing and brute force attacks on web forms and authentication mechanisms.

  • John The Ripper (JTR): JTR is a fast password cracker, primarily used to detect weak Unix passwords and includes hash and cipher algorithms used by various password storage systems. John the Ripper uses wordlists to perform dictionary attacks on password hashes to find weak or common passwords.

  • DirBuster: DirBuster is a multi-threaded Java application designed to brute force directories and filenames on web/application servers. This process helps identify exposed files that could be a security risk such as .git folder with sensitive information or other configuration files such as .htaccess files and many more. DirBuster uses wordlists that contain common filenames and directory paths and scans for them one at a time looking for exposed information or security weaknesses.

  • Hydra: Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. Hydra uses wordlists for brute force attacks on various protocols including FTP, HTTP, SMTP, and many more.

  • Aircrack-ng: A suite of tools to assess WiFi network security. It focuses on different areas of WiFi security, including monitoring, attacking, testing, and cracking.  Aircrack-ng uses wordlists to perform dictionary attacks on WPA and WPA2 passwords to gain access to wireless networks.

  • Burp Suite: An integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp Suite uses wordlists for various tasks, including intruder attacks, to brute force login forms, and fuzzing to find hidden inputs and vulnerabilities.

  • Metasploit Framework: An open-source framework for developing, testing, and executing exploits against a variety of targets. It is a crucial tool for penetration testing and security research. Metasploit uses wordlists for password cracking, brute force attacks, and other exploit techniques that require guessing inputs.

What's in a Wordlist?

Wordlists are essential tools in cybersecurity, primarily used for password cracking and penetration testing. They consist of various types of data, ranging from common passwords to customized lists tailored for specific targets.

  • Common Passwords: Lists of frequently used passwords compiled from multiple data breaches. These can be used in brute-force attacks, to build rainbow tables, and in conjunction with algorithms to conduct more advanced password brute-force enumeration techniques. 

  • Dictionary Words: Words from dictionaries of various languages, often used in dictionary attacks to guess passwords based on real words.

  • Personal Information: Lists that include names, birthdays, and other personal data that might be used as passwords.

  • Leaked Credentials: Username and password pairs leaked from previous data breaches, useful for credential stuffing attacks.

  • Passphrases: Combinations of words or phrases that might be used in more complex passwords.

  • Customized Lists: Wordlists tailored for specific targets, containing information relevant to the target's environment, such as local language, cultural references, or industry-specific terms. Some even lists of things such as every known city, sports team, or musician in the world since some people tend to use these names in their passwords.

How Do Hackers Use Wordlists?

Hackers use cybersecurity wordlists in various types of attacks to compromise accounts and systems. The most common methods include:

  • Brute-Force Attacks: By systematically trying every word in a wordlist as a password, hackers can gain access to accounts if the correct password is in the list.

  • Dictionary Attacks: Similar to brute-force attacks, dictionary attacks involve using wordlists that contain commonly used words and passwords, significantly reducing the number of attempts needed compared to trying all possible combinations.

  • Credential Stuffing: Hackers use wordlists containing username and password pairs from previous breaches to try to log in to other accounts, banking on the likelihood that people reuse passwords across different sites.

  • Building Rainbow Tables: Wordlists are used to generate rainbow tables, which are precomputed tables used to reverse cryptographic hash functions, making it easier to crack hashed passwords.

  • Directory and File Enumeration in Reconnaissance and Penetration Testing: During reconnaissance and penetration testing, wordlists are employed to guess directory and filenames on web servers, aiding in the discovery of hidden resources and potential vulnerabilities.

A Review Of RockYou2024: A 10 Billion Password Cybersecurity Wordlist

The RockYou2024 wordlist was dumped on a cyber-underground forum on July 4, 2024. Nearly 10 billion unique plaintext passwords (9,948,575,739) were leaked making it the largest password compilation to be publicly leaked to date. This led to the compilation of RockYou2024 from a variety of older and more recent breaches. The list is called RockYou2024 due to its release date and its filename, rockyou.txt.

Analysis revealed that the passwords originated from a combination of both old and recent data breaches. The list increases the risk of offline password cracking attacks and credential stuffing attacks, meaning that threat actors can use these disclosed credentials to gain unauthorized access to various accounts across different platforms.

The History of the RockYou Wordlist 

The Rockyou.txt wordlist has a notable history in the world of cybersecurity and password cracking. Its original version is included in SecLists, a popular open source repository that contains various kinds of wordlists and other security information. Rockyou.txt originates from a 2009 data breach, involving RockYou, a company that developed widgets and social games for social networking sites. The compromised data included plain text passwords, as the victim had been storing passwords without encryption. The RockYou user's passwords were leaked online after the attack in a single text file named rockyou.txt

The Rockyou.txt wordlist has since become a popular resource for security researchers and penetration testers. It provided a comprehensive dataset for developing and testing password cracking tools and strategies.

Conclusion

Wordlists are essential tools in cybersecurity, primarily used for password cracking and penetration testing. They consist of various types of data, ranging from common passwords to customized lists tailored for specific targets. The Rockyou.txt wordlist, which emerged from a major data breach in 2009 contains stolen passwords and is commonly used by security professionals and hackers alike to brute-force passwords.

A new updated version, RockYou2024, was released in July 2024 and represents one of the largest compilations, containing nearly 10 billion passwords from various breaches.

Featured Posts

See All

August 15 - Blog

Packetlabs at Info-Tech LIVE 2024

It's official: Packetlabs is a partner and attendee of Info-Tech LIVE 2024 in Las Vegas. Learn more about event dates and registration today.

August 01 - Blog

A Deep Dive Into Privilege Escalation

This article will delve into the most common techniques attackers use to transition from their initial breach to achieving their end goals: Privilege Escalation.

July 31 - Blog

What Is Attack Attribution?

Did you know? Attack attribution supports cybersecurity by providing contextual awareness for building an effective and efficient cybersecurity program. Learn more in today's blog.