In the wake of the unexpectedly harsh sentence given to journalist Barrett Brown, a security researcher has gone to great lengths to explain why he has released over 10 million username/password combinations and why the US government shouldn't arrest him.
Brown was sentenced to more than five years in jail on a range of charges, all of which stemmed from him posting a link on a private internet chatroom to a cache of stolen credit card information.
Brown's sentencing at the hands of Judge Samuel Lindsay was referenced by security researcher Mark Burnett when he posted his explanation as to why he published 10 million passwords and usernames.
"Recent events have made me question the prudence of releasing this information, even for research purposes. The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers. Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges," Burnett said in a blog post entitled Today I Am Releasing Ten Million Passwords.
The passwords come from various leaks over the last five years that have already been released to the public, says Burnett:
"None of these passwords are new leaks. They all are or were at one time completely available to anyone in an uncracked format. I have not included passwords that required cracking, payment, exclusive forum access, or anything else not available to the general public. You should still be able to find a large number of these passwords via a Google search."
Burnett said he was releasing the content because "analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone."
The researcher says the data is "extremely valuable for academic and research purposes and for furthering authentication security" but said it was "absurd" that he had to write an extensive explanation defending his publication of the information.
Burnett has taken a number of steps to make sure the data he has released will not be used for illegal access to user accounts, including removing the domain portion from email addresses and removing information that appeared to be a credit card or financial account number.
While Burnett is confident that he is in no danger of being arrested under current US law, proposed changes to the Computer Fraud and Abuse Act could make his actions illegal in the future.
Replacing "intent to defraud" with "wilfully" in this part of the act will make it illegal to share this information as long as you have any reason to know someone else might use it for unauthorised computer access.
"As serious leaks become more common, surely we can expect tougher laws. But these laws are also making it difficult for those of us who wish to improve security by studying actual data. For years we have fought increasingly restrictive laws but the government's argument has always been that it would only affect criminals," Burnett concludes.