A security analyst and hacking author just published 10 million web usernames and passwords in the name of academic research. US-based network security expert Mark Burnett announced the news on his blog on Monday.
Burnett believes the data will help security researchers determine how people choose their online credentials and how to make the internet a safer place to store information and protect it. But he admits that what he has done is ethically “close to the line.”
Typically, Burnett writes, researchers release only the passwords themselves for research purposes. Password databases help companies see the most commonly used passwords and, in turn, discourage customers from choosing lousy ones like “password” or “12345678.”
But working out what happens after passwords are published alongside usernames “has been greatly neglected” by researchers, Burnett says.
Burnett’s project has raised a few eyebrows. As he prepared to unleash the potentially sensitive data onto the web, he wrote a long blog post about why the FBI shouldn’t track him down and punish him for trafficking in hacked information. Burnett is also challenging the law surrounding research into online security and information, which he believes treats looking at and studying hacked information as just as criminal as the hacking itself.
He says the FBI shouldn’t arrest him because he is not intending to assist hackers who want to defraud people by using others’ passwords:
In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorised access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorised access.
Burnett also says he thinks many of the passwords are “dead”: they’re old; they were taken from places where users would have been told if their details had been compromised; and they have been publicly available for some time.
“To the best of my knowledge, these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organisations,” Burnett adds.
Burnett told Forbes that under new proposals from the Obama Administration to change the Computer Fraud and Abuse Act he’d likely get into more trouble with the law.
He told the publication that “the government needs to be aware there is a balance between research and laws are made to punish people.” There’s a big difference between crime and academic study (usually), after all.
Today, Burnett answered a bunch of questions about the work. To people who believe he is helping hackers, he says that if hackers need the list, it shows they’re probably not very good at stealing from people.
But he admits what he has done is “close to the line.”
Although I have justified the release of these passwords, I have to admit it is at least close to the line. I have considered releasing this data for a number of years and have put much thought into the ethics involved; it is not something I take lightly. I could have replaced all the usernames with random numbers or hashes, but I felt like the usernames just had to be included. I did make sure to remove domain names from email addresses and other identifiers so that they couldn’t be directly linked to specific accounts. I also aggregated data from many sources so that this data could not be used to target any particular site. The thing to remember here though is that I am not releasing this data, I have just aggregated and cleaned up already public data.
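The two defensive uses the article describes, stripping domains from email-style usernames before aggregating a dump and distilling the result into a list of the most common passwords that a site can refuse at sign-up, can be shown together in a few lines. The following is an added example written for this page; it is not Burnett’s code or data, and the credential lines it parses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "username:password" form (not real credentials).
# They include an empty line and a malformed line to show the parser skipping them.
SAMPLE_LINES = [
    "alice@example.com:password",
    "bob@corp.example:12345678",
    "carol:Tr0ub4dor&3",
    "dave@example.org:password",
    "erin@example.com:qwerty",
    "frank@mail.example:12345678",
    "grace:password",
    "",
    "malformed line without separator",
]

# Matches "local@domain" with no whitespace or colon; group 1 is the local part.
EMAIL_RE = re.compile(r"^([^@:\s]+)@[^@:\s]+$")


def strip_domain(username):
    """Drop the domain from an email-style username so the entry cannot be
    tied back to a specific site; plain usernames are returned unchanged."""
    m = EMAIL_RE.match(username)
    return m.group(1) if m else username


def parse_credentials(lines):
    """Turn raw 'user:pass' lines into (sanitized_user, password) pairs.
    Blank lines and lines with no separator are skipped; the split is on the
    first ':' only, because a password may itself contain a colon."""
    creds = []
    for line in lines:
        if not line or ":" not in line:
            continue
        user, password = line.split(":", 1)
        creds.append((strip_domain(user.strip()), password))
    return creds


def password_frequencies(creds):
    """Count how often each password appears across the aggregated data."""
    return Counter(password for _, password in creds)


def top_passwords(creds, n=3):
    """The n most common passwords, i.e. the denylist a site would enforce."""
    return [password for password, _ in password_frequencies(creds).most_common(n)]


def is_weak(candidate, denylist):
    """Case-insensitive check of a proposed password against the denylist."""
    return candidate.lower() in {p.lower() for p in denylist}


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_LINES)
    deny = top_passwords(creds, n=2)
    print("sanitized usernames:", [u for u, _ in creds])
    print("denylist:", deny)
    print("is 'Password' weak?", is_weak("Password", deny))
```

In production the denylist would be far larger than two entries and would be consulted at password-change time alongside length rules; the frequency counting here is the same step at toy scale, and the domain stripping is the anonymization step the quoted blog post describes.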