As you may already be aware, a user recently made available a compilation of passwords dubbed ROCKYOU2021 on an underground forum and has since then shared on multiple sites. At Blueliv, we have already seen a few misconceptions regarding this compilation, from news outlets and regular users alike. During this blogpost, we will try to clarify exactly what ROCKYOU2021 is.
What it is, and what it is not
Early in 2021, a gigantic credential leak, dubbed COMB21, was shared on some underground forums. This leak was a combination of many leaks shared previously and newly organized in files by email/username and password.
ROCKYOU2021 is not the successor to COMB21 – in fact it isn’t even in the same category. It receives its name from a famous password dictionary called ROCKYOU, which mostly appears in cybersecurity exercises and CTF challenges these days, where cybersecurity experts and CTF players will use it to attempt to brute force a login or crack a password.
And ROCKYOU2021 is just that. A very big collection of files containing a single word in each line representing a password, compiled from other wordlists and leaks. The passwords don’t come with usernames, emails, domains, or anything that can identify what that password unlocks, or what user is related to it. It does contain all passwords leaked in COMB21, although without usernames, which is what we believe resulted in some degree of confusion.
Password dictionaries have been around for a long time, and are typically used in two specific attacks:
- Brute forcing attacks: These well-known attacks consist of using a combination of potential users (or known ones) and a list of passwords to attempt to force a way into an application. This is akin to trying all combinations on a padlock.
- Password cracking: Having obtained the hash of the password they want to crack, an attacker could use a password cracking utility (such as HashCat or John The Ripper) to calculate the hash of all words within the wordlist in order to compare the result with the hash that they have, finding a potential match for the password.
For ROCKYOU21, the first option is not viable.
Let us illustrate with an example; if we had a known login portal, and a username that we know exists within, and if we assume a very generous average of 0.5 seconds per login attempt, it will take 135 years to try them all (one by one), and that’s without taking into account measures taken to deter these attacks, such as captchas, or a maximum number of login attempts.
There are ways to overcome this, such as sorting the password list by the most used, and parallelizing the requests, but most of the time you’re better off using existing password lists.
The second option on the other hand is certainly viable. HashCat is capable of, in ideal conditions and using an advanced GPU, calculating 9688 million hashes per second. Given an application, a username, a hashed password, and knowledge of how the hash of the password has been generated (hashing algorithm, whether it uses a salt, and so on), an adversary could try to use the list to compare it with the hash, potentially finding the password.
Regardless of the viability of such attacks, Blueliv’s recommendation is always to ensure strong, unique passwords across the enterprise, adhering to 16 characters and a combination of numbers, letters and symbols. These passwords should be routinely updated, and ideally combined with multifactor authentication via Google Authenticator, Duo Security or similar, for added protection.
For true peace of mind in the face of leaked credentials, CSOs should consider proactively defending against brute force attacks, password cracking attempts and more by investing in threat intelligence. Blueliv’s Threat Compass is one such solution, purposely built to help organizations prevent, detect, and swiftly recover from breached credentials.
If you are concerned about stolen credentials being used to breach your perimeter, speak to Blueliv today to find out about Threat Compass, our Credentials Module, and how we can protect your organization.