dark mode light mode Search Menu

10 Million Passwords

Mark Falardeau on Flickr

This project is a little different from other projects in this magazine. It’s a case study based on real life facts and dilemmas, including the risk of prosecution and jail.

This project works best in a group where everyone takes up the different points of view and debates possible solutions to the problem. You can role play but it’s not required. There is no right answer. And it’s a terrific opportunity to learn how some technology-related problems have no perfect solution. Instead, we have to understand and balance interests.


The participants are the US FBI agency, companies like Facebook and Google with an interest in online security, the public with an interest in protecting their data online, and Mark Burnett, a private security consultant. Each participant is described in more detail below.

Mark Burnett is a private security consultant, author, and researcher who specializes in hardening Windows servers and networks. Part of his work requires analyzing passwords to identify patterns which can be used to create more secure passwords, as well as identify easily compromised passwords. He recently wrote an article, Today I am Releasing 10 Million Passwords. The article justifies his release of this username and password data to possibly ward off prosecution by the US government.

The Federal Bureau of Investigation (FBI), acting on behalf of the US government, wants to minimize security risks to public, government, and private computer networks. Other governments have similar agencies charged with protecting their computer networks and prosecuting illegal activity.

Google, Facebook, Microsoft, and other companies large and small, in the US and elsewhere, want to share sensitive research data to help them secure their computer networks, for example, to identify comprised usernames and passwords. This sensitive data, released as is in the wild, would lead to significant criminal activity, for example, identity theft and stealing money from bank accounts.

The public ideally needs some of this sensitive data to be publicly available to determine if their username or password is compromised. They also might like to know companies and researchers are using the data to identify methods to keep their personal data more secure online.


Here is the situation for participant or group, in general terms, followed by questions you can discuss and debate.

Mark Burnett and other researchers have to take into account, best case, that the US and other governments interpret some of their research work as violating laws and, therefore, subject to arrest and jail. Worst case, researchers want to avoid becoming a target for prosecution. Best case, researchers want the laws to be clear and unambiguous, as well as allow secure use of sensitive data for appropriate research projects.

For example, a journalist, Barrett Brown, linked to publicly available password data and was raided by the FBI, prosecuted, and thrown in jail. Brown also had written about Anonymous, the hacktivist collective, as a social phenomenon. In Burnett’s article, Today I am Releasing 10 Million Passwords, he believes the Brown arrest and prosecution were due to Brown publishing a book about Anonymous with linking to publicly available password data as a convenient excuse to punish Brown. The case also happened about the same time as WikiLeaks published data from Chelsea Manning about illegal US government activity.

Mark Burnett and others believe the Brown case has caused journalists to avoid reporting on groups like Anonymous, in an effort to avoid prosecution, despite the vital public policy interest in the subject.

Mark Burnett has username and password data of great value to other security researchers, businesses, the public, and criminals. He wants to share his data safely with non-criminals. He wants to avoid an FBI raid and possible prosecution based on the Barrett Brown case as a precedent. For example, he has gone to great lengths to make his username and password data not be traceable to individuals.

Any government has at least two possible options when it comes to security. It can and should use the law to identify and prosecute criminals as defined by laws. Governments also can use laws to make examples of people, even with flimsy cases, to ward off potential criminals and activity the government views as criminal or potentially criminal. This second use of laws is informal, almost always happens with any government over time, and is likely to have as much positive effect as negative effect.

In the Barrett Brown case, which Burnett cites as reason for his caution about releasing his username and password data, the government filed a number of charges, from threatening an FBI agent to trafficking in stolen authentication features. The latter charge was for linking to publicly available data, perhaps an example of using the law to make an example of Brown.

Private and publicly owned companies are primarily concerned with security as a means to encourage sales to sustain their businesses. Theft has a negative impact on profits. Customers who do not trust a company due to security concerns will not buy products. Helping customers feel secure also helps businesses create a positive impression with their customers.

For customers, security is a necessary evil. In an ideal world, customers who use the internet and other online services want to know their data is secure. Telling them their data is secure is not enough. Some number of customers want to be able to validate their security, for example, by securely searching a password database to see if their passwords are compromised. They also might like to know banks and other companies actively do the same research and validation over time.

Here are possible questions to discuss and debate:

— Are there other details about their situations, obvious or hidden, not considered in this description of how researchers, governments, companies, and customers view security?

— How accurate are details about how each group views their situation?

— How does each group view the situation of others? For example, does the FBI take into account the needs of the public to validate their password data is not compromised? Or does the FBI believe the need to prevent criminal use of sensitive data trumps the public right to know if their passwords are compromised?

If this case study is done in a classroom setting, the students and teacher(s) also might recruit parents or others with professional experience with security research, law enforcement, and related skills to discuss these questions and solutions.


Here are possible solutions for each participant based on the situation, as well as questions to ask.

— Researchers want to know following rigorous data cleansing to remove identifiable data allows them to share their research in public for the benefit of everyone.

— The government wants to ensure laws are not violated and, if they are, that enough prosecutions happen to prevent and scare off other criminals. The government also wants to ensure personal and business data is not compromised by public disclosure. The US White House, for example, wants to change the law to prosecute anyone who willfully releases authentication data. Currently, the person who releases authentication data must do so knowingly and with the intent to defraud. The new White House changes would criminalize any release of password data, no matter how anonymized or carefully scrubbed by researchers.

— Companies want to protect their customer and business information. They also want to help their customers feel secure enough to do business.

— The public wants researchers, the government, and private companies to strike a balance that allows enough research to identify how to be secure online, prosecute criminals, and ensure their private data is secure online when they give the data to private companies.

Given these participants, the situation, and possible solutions, here are possible questions to discuss and debate:

— What would happen if researchers got to do what they wanted?

— Should there be no restrictions?

— Who would define how much data cleansing is needed?

Ask the same questions for the government, companies, and customers: what would happen if they got to do all they wanted? Think through all possible impacts on the other participants and how they might handle different solutions.

How would you balance the conflicting interests of researchers, government, companies, and customers?

Learn More

Use these resources, any additional you can locate online, to inform your discussion and solutions.

Today I am Releasing 10 Million Passwords


The Strange Case of Barrett Brown


Adding 105 Charges Against Barrett Brown


Facebook Now Actively Seeks Password Leaks to Protect its Users