[thom]

Because people don’t choose random passwords on the whole. So for every person who is revealed to have used zxcvbnm1234567890 as a password, there is a chance others have too. Obviously not for every password, but every large leak of actual passwords adds some that will match elsewhere.

[ryanlol]

I don’t see how this leads to an increased hit rate, now you’ll just be making more incorrect attempts.

Only way I see this kind of working is if you’re cracking the passwords offline.

[thom]

Yes, that’s one use case. Let’s say you have a database of actually properly hashed passwords. What passwords are you going to prioritise to try first? Every plaintext leak adds to the list of passwords you’d be sensible to try before brute forcing. Plus even for online attacks like password spraying, you’ve got to get an idea of common passwords from _somewhere_ and this leak inevitably adds to that. The only point I’m making is that humans are similar and therefore there’s always a chance they pick similar passwords. Therefore even if all LJ users have since changed their passwords, there are still many risks.