An interesting article about password security.
https://www.pcworld.com/article/2387530/hacker-leaked-10-billion-passwords-heres-what-to-do.html
Thanks for sharing, Bill. I meant to post about this.
The headline overstates the impact as the dump isn't all new passwords: most aren't. Most are from an earlier list that grows with each new smaller leak. But it's still good to remain vigilant! The article is more aimed at people who are using weak passwords. Don't be one of them!
Unless you've been using weak passwords, changing them isn't necessary. The leak is gargantuan unless compared to the number of possible strong passwords. For example, Diceware (https://theworld.com/~reinhold/diceware.html) uses a word list of 7776 passwords. Randomly use only three of them and you have over 470 billion unique passwords! Bill's linked article has some good recommendations on strong passwords. Go for length (16 characters or more). Complexity isn't as important. A password consisting of 8 random characters isn't good enough. You're not going to remember all these passwords. So, use a password manager and you only have to remember one.
Regardless, the leaked list wouldn't be used to brute force websites. Websites won't allow the bad guys to attempt billions or even millions of passwords. It is used by bad actors offline who compare it against stolen password hashes. Passwords aren't stored on most websites; the hashes are. Reverting hashes to passwords is impossible unless you compare them to a list of commonly used passwords.
In a brief article (https://www.malwarebytes.com/blog/news/2024/07/rockyou2024-nearly-10-billion-passwords-leaked-online), Malwarebytes notes:
Quote: "To cut a long story short, if you don't reuse passwords and never use "simple" passwords, like single words, then this release should not concern you. If you use multi-factor authentication (MFA), and you should everywhere you can, there's also no reason to worry about this."
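The two points made above, that the keyspace of a few random Diceware words dwarfs the leaked list, and that such a list only bites when it is compared offline against stolen hashes, can be shown in a few lines. The following is an added example written for this thread, not code from either linked article. The 7776-word list size comes from the post; the "leaked" list, the user records, the salts and the salted SHA-256 stand-in for a site's real password hashing are all constructed for illustration. It is the kind of check a defender runs to audit their own user base against a breached-password list:

```python
import hashlib
import math

# Constructed stand-in for the leaked file; these are just well-known weak strings,
# not data taken from any real dump.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

DICEWARE_WORDS = 7776   # size of the Diceware word list, as stated in the thread
PRINTABLE_ASCII = 95    # printable characters on a US keyboard


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def diceware_combinations(words):
    """Number of distinct passphrases made of `words` Diceware words."""
    return DICEWARE_WORDS ** words


def hash_password(password, salt):
    """Salted SHA-256, a constructed stand-in for whatever hash a site actually uses.
    Real sites should use a slow, dedicated password hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_sample_store():
    """Constructed user records: one weak, reused password and one three-word passphrase.
    Returns {username: (salt, hex_digest)} as a site would store it (no plaintext)."""
    records = {
        "alice": (b"salt-alice", "password"),        # appears in the leaked list
        "bob": (b"salt-bob", "cram lurid ocean"),    # three random words, in no list
    }
    return {user: (salt, hash_password(pw, salt)) for user, (salt, pw) in records.items()}


def screen_hashes(stored, leaked):
    """Offline audit: for each stored (salt, hash) record, re-hash every leaked candidate
    with that user's salt and report the users whose hash matches one of them.
    This is exactly what the thread describes: the list is useless against a login
    form, but compared against stolen hashes it recovers every weak or reused password."""
    found = {}
    for user, (salt, digest) in stored.items():
        for candidate in leaked:
            if hash_password(candidate, salt) == digest:
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    print(f"3 Diceware words: {diceware_combinations(3):,} passphrases "
          f"({keyspace_bits(DICEWARE_WORDS, 3):.1f} bits)")
    print(f"6 Diceware words: {keyspace_bits(DICEWARE_WORDS, 6):.1f} bits")
    print(f"16 random printable characters: {keyspace_bits(PRINTABLE_ASCII, 16):.1f} bits")
    print("Users whose hash matches a leaked password:",
          screen_hashes(build_sample_store(), LEAKED_PASSWORDS))
```

Only alice is flagged: her salt does not protect a password that is already on the list, while bob's three-word passphrase is one of roughly 470 billion and never appears in it. Running the same screening against your own users is the practical use of such a list from the defender's side.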