A customer was doing an inventory of the files on their system, and they found files named passwords.txt that were filled with somebody else’s passwords. The same file was found among both Microsoft Teams and Microsoft Outlook’s data files. What’s going on here? Are Teams and Outlook stealing passwords?
The clue is that the passwords.txt file is in a subdirectory called ZxcvbnData. zxcvbn is the name of a password strength estimator library developed by Dropbox. The library is available on GitHub, and the passwords.txt file of the top 30,000 passwords is one of the things that zxcvbn uses to assess the strength of a proposed password. The other files in the same directory provide popular English names as well as names of popular United States television shows and movies.
But that’s not the only thing that zxcvbn considers when assessing a password’s strength. You can read their blog entry or watch their technical presentation.
So don’t panic about the passwords.txt file. It’s there to protect you from bad passwords.
Bonus chatter: Sometimes, organizations are concerned because the passwords.txt file contains unsavory words. It so happens that unsavory words are popular as passwords.
Funny, just today I was perusing some code a contractor wrote and the build folder had the same file. Strangely enough, the code didn’t even deal with passwords of any kind.
This reminds me of a story of some guy who shared his personal mail’s login/password with his boss for some urgent task, and his password was a phrase from some popular game. The boss asked him what this phrase meant (he didn’t know about the game), and when the guy explained, the boss fined him for «Playing games at workplace».
And then there are companies not believing that because their own passwords are found in it.
Unsavory words, you say? Just hash the passwords; that ought to solve that issue, as well as somebody finding their (often reused) password in that file. The Have I Been Pwned password file hashes the passwords, too, if not to prevent personal data from leaking in. I’m curious as to why Zxcvbn hasn’t done this?
Because then you lose access to the original password, which you need for trying variants of it. For example if the base unsavory password is goshgollydarnit then you need to be able to mutate it into various popular password-strengthening forms like Goshgollydarnit, goshgollydarnit1, goshgollydarnit1234, Goshgollydarnit1, and so on, none of which you can do if it’s hashed.
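To make concrete why the estimator needs the plaintext list (the ranked top-passwords file described in the post, and the mutation argument in the reply above), here is a small added example, not code from zxcvbn or from the post. The password list, the l33t table and the guess multipliers are constructed stand-ins; zxcvbn's real scoring is more elaborate.

```python
import hashlib

# Constructed stand-in for zxcvbn's ranked passwords.txt (position = popularity rank).
# The real file has about 30,000 entries; these few are made up for the example.
RANKED_PASSWORDS = ["password", "123456", "qwerty", "zxcvbn", "goshgollydarnit"]
RANK = {pw: i + 1 for i, pw in enumerate(RANKED_PASSWORDS)}

# A few l33t substitutions to reverse before the dictionary lookup (constructed).
L33T = {"4": "a", "@": "a", "3": "e", "0": "o", "1": "i", "!": "i", "$": "s", "5": "s"}
DIGITS = "0123456789"

def normalize_variants(candidate):
    """Yield base words the candidate may have been derived from, plainest first."""
    lowered = candidate.lower()
    yield lowered                                   # Goshgollydarnit -> goshgollydarnit
    stripped = lowered.rstrip(DIGITS)
    if stripped and stripped != lowered:
        yield stripped                              # goshgollydarnit1234 -> goshgollydarnit
    unleet = "".join(L33T.get(ch, ch) for ch in stripped)
    if unleet != stripped:
        yield unleet                                # p@ssw0rd -> password

def dictionary_match(candidate):
    """Return (base_word, rank) for the most popular base the candidate maps to, or None."""
    best = None
    for base in normalize_variants(candidate):
        rank = RANK.get(base)
        if rank is not None and (best is None or rank < best[1]):
            best = (base, rank)
    return best

def estimate_guesses(candidate):
    """Rough zxcvbn-style guess count: dictionary rank times a multiplier per mutation used."""
    match = dictionary_match(candidate)
    if match is None:
        return None                                 # no dictionary word behind it
    base, rank = match
    if base == candidate:
        return rank                                 # exact dictionary hit
    core = candidate.rstrip(DIGITS) or candidate    # the part that mapped onto the base word
    guesses = rank
    if core != core.lower():
        guesses *= 2                                # capitalisation variant
    if any(ch in L33T for ch in core):
        guesses *= 2                                # l33t variant
    return guesses * 10 ** (len(candidate) - len(core))  # appended digits

# What a hashed list (like the Have I Been Pwned download) can answer: exact hits only,
# because every variant hashes to an unrelated digest.
HASHED = {hashlib.sha1(p.encode()).hexdigest() for p in RANKED_PASSWORDS}

def hashed_lookup(candidate):
    return hashlib.sha1(candidate.encode()).hexdigest() in HASHED
```

With the plaintext list, Goshgollydarnit1234 is recognised as a cheap mutation of a top-ranked word; the hashed list only ever sees an unknown digest for it.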
Hey! That’s the password on my luggage!
Somebody remind me to change the password on my luggage!
Very interesting. I’ll definitely look into it.
And finally, I get to click that heart button in this blog. There. I did it. ❤
My first thought: Zxcvbn – what a weird name for a tool. Then even weirder – zxcvbn itself appeared in passwords.txt! To my defense – on my keyboard it’s yxcvbn, but I am pretty sure I wouldn’t have recognized yxcvbn either.
It sounds like just the sort of random sounding name you might want to use if you were in fact making malware. And then having `passwords.txt` inside of it! No wonder orgs are concerned about it.