Why This Security Researcher Just Posted Millions of Passwords

A security consultant just published 10 million password and username combinations, and one of them might be yours.

The security researcher, Mark Burnett, isn’t an ill-intentioned hacker. Rather, he’s published millions of online credentials in the hopes of better researching password security. Posting the information could allow other security researchers to gain a better understanding of how we choose passwords and usernames, and ultimately make us safer.

Burnett picked up the passwords from a random sampling of dumps already dotted around the Internet, so he’s not hacking accounts and stealing credentials. Instead, these passwords are already out there. Plus, many of them are already obsolete, Burnett says.

Still, some might argue Burnett is breaking the law by publishing the credentials, and he runs the risk of running afoul of law enforcement for publishing credentials.

Here’s Burnett on his blog (hat-tip to Gizmodo):

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone… In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.

Contact us at letters@time.com.