
The password “ji32k7au4a83” has been seen over a hundred times - DoreenMichele
https://twitter.com/rqou_/status/1101331385632022528
======
jeena
I once used a password which our IT department gave me and it was !'a;@,oq and
at least for me it looked random enough. I had it as a root password on a
server and I enabled password login for about 2 minutes because I wanted to
resize some virtual hard drive or something and couldn't be logged in as a
normal user and then switch with su to root because then the normal user
would have open files on the file system and I wouldn't be able to unmount or
something.

Within those 2 minutes some Chinese hacker scripts took over the server and
started DDoSing some Chinese IP addresses. We had to shut it down and blast it
and set it up from scratch again.

I later found out that this password was everything but random. It was
difficult for me to see because I've been using Dvorak for a couple of years
now and didn't see the pattern that it was just the first two rows of the
characters on a qwerty keyboard. So actually it was !qaz@wsx (I just put the
Dvorak version on top of the comment to give you the same unknown feeling for
the password which I had back then.)

I've never reused any passwords since then and always create new ones with my
password manager.

~~~
JdeBP
columns, not rows.

~~~
mygo
actually it was columns, he just put “rows” to give you the same unknown
feeling

------
shubhamjain
Related story: For some weird reason, I memorized the serial key for a very
popular software (I must have been fifteen then). Even today, I can recite the
25-letter key without a hitch. And I have used its first ten letters as a
password to one of my accounts. Guess what? The password has been used 4000+
times before [1]. It's hard to digest the fact that there are at least a
thousand people in the world who did the same thing.

[1]:
[https://haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords)

~~~
shawnz
Is your password "fckgw rhqq2"?

~~~
shubhamjain
Holy shit! Now that I have changed the password, can you please tell me how
did you guess that?

~~~
ceocoder
Because bunch of us memorized fckgw rhqq2 yxrkt 8tg6w 2b7q8 for the very same
reason back in early 2000s

~~~
lsh
it's even on wikipedia:
[https://en.wikipedia.org/wiki/Volume_licensing#Leaked_keys](https://en.wikipedia.org/wiki/Volume_licensing#Leaked_keys)

~~~
shittyadmin
If I recall correctly this image helped make it famous:
[https://marco.org/2007/06/18/wow-fckgw-has-its-own-wikipedia-mention-flickr](https://marco.org/2007/06/18/wow-fckgw-has-its-own-wikipedia-mention-flickr)

------
swang
This is using the zhuyin keyboard which most likely means Taiwanese users
since Taiwan is probably the sole user of the zhuyin keyboard.

Typing that out on a zhuyin keyboard gets you: ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ

In Pinyin that is wo3 de mi4ma3

Or in English "my password"

~~~
ilamont
For the unfamiliar, "ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ" is an example of "bopomofo" script, the
phonetic system used to teach kids reading and pronunciation in Taiwan, and
adapted to Chinese keyboard input (zhuyin). I learned it in the 1990s studying
Mandarin in Taipei. It maps closely to pinyin romanization used in China
(i.e., "ㄨㄛˇ" = "wo3" which is the sound in the Mandarin dialect for "我" and
potentially other characters with the same pronunciation and tone. "我" means
"I" or "me").

I am wondering if it was modeled after Hiragana/Katakana during Taiwan's
colonial period?

~~~
tjpnz
It does have some resemblance to katakana. The first character at least looks
very similar to メ.

~~~
HumanDrivenDev
It comes from China, was developed in the republican era. It's based on a
shorthand modification of seal script - though Japan was very influential on
the elite of China at that time so it's possible Katakana played some role.

[https://en.wikipedia.org/wiki/Seal_script](https://en.wikipedia.org/wiki/Seal_script)

------
noobermin
I'm a scientist. Information theory always felt curious to me because it
adopted terminology and concepts similar to that from statistical mechanics
but in practice was always much more difficult due to what could be considered
what was "random" vs. what was non-random. After sitting back and thinking
about it, what is considered "random" of course is a statement of the
probability distribution for the set under consideration. For info theory,
that set is some set of strings (say passwords) which is really culturally and
historically contingent, while in physics land, the set is microstates that
determine macrostates, for which the degeneracy of a macrostate depends on the
hamiltonian, full stop. I think mathematically, of course the statements you
make are similar (hence why you apply the same prob theory to both) but the
systems I study are comparatively easier, while really, the underlying
probability distribution for strings is really hard to know in practice
because it essentially depends on human history and culture up to that point.
For example, in a universe without English, English words (say one-to-oned to
a discrete set, so strings of positive integers less than 26 + 10 (including
decimal numbers)) would be random. In fact, a universe without that particular
Chinese IME, if it was done somewhat differently, then ji32k7au4a83 could be
random.

It's just interesting to me, another reminder that physics is just that much
easier than anything else.

~~~
andrewflnr
Hold up. In my physics classes, no one ever gave me a straight answer on what
constituted a "macrostate". It always sounded arbitrary for similar reasons to
the ones you describe for language. Are you telling me it's literally defined
by the energy of the system (the Hamiltonian, right?) alone?

~~~
Symmetry
The degeneracy of a macrostate is just a matter of the Hamiltonian but what
counts as a macrostate is, in a sense, arbitrary.

It's really just a state you, the observer, can distinguish. This would
typically involve things like pressure, volume, and temperature but if you
developed a new way of measuring the properties of a system suddenly the
possible macrostates multiply in number, each contains fewer microstates, and
the entropy of the state decreases. Take this far enough and you could create
a Maxwell's Demon to extract energy from thermal motion. But while it's
subjective in some sense it was later shown that our subjective knowledge of
the world is limited by the laws of physics in other ways and perfect
subjective knowledge is impossible.

So you could say that entropy is a measure of your ignorance about the exact
state of the world, which corresponds nicely to the information theory
definition. It's just that in physics everyone is in practice going to be
using the same pressure, temperature, and volume measurements while in
information theory what constitutes a macrostate is very fuzzy.

------
jedberg
From the linked Twitter thread: It's the Chinese equivalent of "password":
我的密码

~~~
thaumasiotes
Password would be 密码. 我的密码 is "my password".

In China they just use pinyin, so I was baffled as to how ji32k7au4a83 could
represent 我的密码. Turns out it's the keys you press if you have Taiwanese input.

------
ryukiegawa
After a brief Googling, a lot of Taiwanese websites are encouraging users to
come up with a password by typing Zhuyin in English, and specifically giving
"ji32k7au4a83" (my password) as an example. So this may explain why a lot of
people actually followed the advice to the word.

~~~
usrusr
Interesting, so it's a Taiwanese correct horse battery staple, basically.

It's a bit sad to see how people in a position to formulate password
suggestions on a register form can fail so hard at realizing that a uniform
transformation of a dictionary word will still be prone to dictionary attacks.

------
acqq
Searching a little (it's easy because it's unique) and then automatically
translating 2014 article titled:

"How to set up a safe and easy to remember password"

reveals:

[http://www.netqna.com/2014/05/do-not-set-up-weak-password.html](http://www.netqna.com/2014/05/do-not-set-up-weak-password.html)

"4\. _Using Chinese input method_ :

For example, the phonetic input method of the four" (I guess in Chinese, op.
acqq) "words "My Password" is the combination of "ji32k7au4a83"."

Sure, safe. Just for you and everybody who read that. No problem at all.

And some user of some gaming(?) site used it for his username:

[https://web.poe.garena.tw/account/view-profile/ji32k7au4a83](https://web.poe.garena.tw/account/view-profile/ji32k7au4a83)

~~~
davik
Here's the entire translated version

Using the above principles, how can we design a good password?

Tip 1: Replace characters with ones that sound the same

For example, you can replace the letter e in succeed with the number 1 {note
this sounds the same in Mandarin}, so that it becomes succ11d, which is easy
to remember and combines numbers and letters.

Tip 2: Replace characters with ones that look the same

For example, you can replace the o in dog with 0 and it becomes d0g. It mixes
letters and numbers.

Tip 3: fill with special symbols

For example, the above password d0g is not long enough, so you can add special
symbols at the end, e.g. d0g!(!(!(!(!(!(, it will be easy to remember, but
hackers will need 12,340 centuries to crack it.

Tip 4: Using Chinese input method

For example, the phonetic input method of the four words "My Password" is the
combination of "ji32k7au4a83". At first glance, it is a random combination,
but it is meaningful.

Pretty hilarious all around, anyone checked if d0g!(!(!(!(!(!( is in the
database too?

~~~
pishpash
The hilarious part is these are used as examples to illustrate an algorithm,
not to suggest you use them as actual secrets.

~~~
usrusr
No, the algorithms are bad as well. Transformed dictionary is hardly any
better than dictionary if the transformation isn't unique.

All those annoying rules about required character classes are mainly there to
prevent dictionary attacks, but "s3cr3t" is not much of an improvement over
"secret" ("s4cr5t" would, because it's not the result of a popular
transformation).

~~~
pishpash
Not much of an improvement, but never worse -- unless the function is not
injective. You can't argue with Kolmogorov complexity. If the algorithm is
secret and has computational complexity it gets better.

~~~
usrusr
Sure, but we are talking about trivial substitution schemes here. I could have
been more specific.
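
An added example, not code from anyone in the thread or from the netqna.com article, to put numbers on the "transformed dictionary" point: a toy rule-based guesser that applies the article's four tips (e→1, o→0, e→3, capitalisation, the repeated "!(" padding) as mangling rules over a constructed six-word list. The wordlist, rule set, suffix list and the guess rate are assumptions.

```python
# Added example, not from the thread or the article quoted above: a
# toy rule-based guesser that applies the four "tips" as mangling rules
# to a constructed six-word list, to show how few guesses a uniformly
# transformed dictionary word survives. Wordlist, rule set, suffix list
# and the guess rate are assumptions.
import itertools
import math

WORDLIST = ["secret", "password", "succeed", "dog", "cat", "letmein"]  # constructed

# Mangling rules in the spirit of the article's tips 1-3 (and the
# leet substitutions any cracker ships by default).
RULES = {
    "identity": lambda w: w,
    "e->1": lambda w: w.replace("e", "1"),   # tip 1: succeed -> succ11d
    "o->0": lambda w: w.replace("o", "0"),   # tip 2: dog -> d0g
    "e->3": lambda w: w.replace("e", "3"),   # secret -> s3cr3t
    "a->4": lambda w: w.replace("a", "4"),
    "cap": lambda w: w.capitalize(),
}

# Tip 3: pad with a repeated symbol pair; plus the usual "1", "123", "!".
SUFFIXES = [""] + ["!(" * k for k in range(1, 7)] + ["1", "123", "!"]

GUESSES_PER_SECOND = 1e10  # assumed offline rate against a fast hash


def candidates(words=WORDLIST, rules=RULES, suffixes=SUFFIXES):
    """Yield unique guesses: word x rule x suffix, plain dictionary first."""
    seen = set()
    for word, rule, suffix in itertools.product(words, rules.values(), suffixes):
        guess = rule(word) + suffix
        if guess not in seen:
            seen.add(guess)
            yield guess


def guesses_until(target, **kw):
    """1-based position of target in the guess stream, or None if never produced."""
    for n, guess in enumerate(candidates(**kw), 1):
        if guess == target:
            return n
    return None


def total_candidates(**kw):
    return sum(1 for _ in candidates(**kw))


def added_bits(n_rules=len(RULES), n_suffixes=len(SUFFIXES)):
    """At most this many bits are added on top of the bare wordlist."""
    return math.log2(n_rules * n_suffixes)


def seconds_to_exhaust(n_guesses, rate=GUESSES_PER_SECOND):
    return n_guesses / rate


if __name__ == "__main__":
    for pw in ("secret", "s3cr3t", "succ11d", "d0g!(!(!(!(!(!(", "s4cr5t"):
        print(f"{pw:20} found after {guesses_until(pw)} guesses")
    print(f"{total_candidates()} candidates in total, "
          f"+{added_bits():.1f} bits over the wordlist, "
          f"{seconds_to_exhaust(total_candidates()):.2e} s to run them all")
```

Six rules times ten suffixes is under six bits on top of the wordlist, so "d0g!(!(!(!(!(!(" falls in the first few hundred guesses; "s4cr5t" is never produced because no popular rule maps e→4 or e→5, which is exactly the distinction made above. Real crackers ship thousands of such rules, so the gap to a bare dictionary is bigger in practice, but it is still a constant factor over the wordlist size.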

------
mar77i
That follow-up tweet freaks me out. What does that have to do with anything,
really. I think it's rather unprofessional and would prefer people not make
self-congratulatory statements about their personal beliefs.

~~~
Zeklandia
How condescending and moral relativistic of you to say that there is a wrong
time and place to assert what is and is not a human right, that there is no
unselfish reason to do so, and that human rights are merely a matter of
individual preference.

~~~
mar77i
How are trans people excluded from human rights, again? I seem to have missed
that part in my source [0], because that should certainly be covered most
formidably by article 3, "Everyone has the right to life, liberty and security
of person".

[0] [http://www.un.org/en/universal-declaration-human-rights/index.html](http://www.un.org/en/universal-declaration-human-rights/index.html)

~~~
Zeklandia
Rights that aren't asserted are not likely to be respected. Yes, of course
these rights apply to everyone, but the laws and policies being enacted aren't
taking those rights away from everyone, they're taking them away from trans
people. If there were laws passed to do things like prevent cisgender men and
women from using anything other than unisex bathrooms, it wouldn't make much
sense to rally support for trans rights, would it? But that's not what's
happening, what's happening is an infringement against trans people,
specifically. Would it make much sense for firefighters to ignore individual
fires and only put fires out when everything was on fire?

~~~
mar77i
> Rights that aren't asserted are not likely to be respected.

I don't see that happening at all. I find this whole activism trope a
dangerous game, they indoctrinate each other with a mindset to disregard
empirical data and disrespecting authorities put in place by governments.

> do things like prevent cisgender men and women from using anything other
> than unisex bathrooms

I'm pretty convinced that where I live you can use whichever bathroom you
like, while dressing like the unicorn you are. I'll still be using a urinal,
though, because I don't want to make a mess for people, cis or not cis, that
need to use the bathroom for more serious business.

> infringement against trans people, specifically

I condemn violence, especially against one-legged single-parent dwarves. They
deserve better and you damn well know it.

~~~
0x262d
you are a bigot in denial. have fun being hateful!

------
meruru
Let this thread be a reminder for everyone to use a password manager.

~~~
cantrevealname
I'm willing to bet that a major upcoming security disaster is a compromised
password manager that leaks out tens of millions of accounts and passwords in
nicely structured XML that's perfect for automated attacks and frauds.

Yes, I use a password manager too, but an ancient one that has no Internet
connection, no syncing, and no cloud storage.

The only "modern" password manager I've been able to find that works
completely offline and is open source is KeePass -- _so long as you don't
install any of its plugins that open it up to Internet access_.

~~~
jjnoakes
What I do is use a password manager, but when it enters a password into an app
or site, I type a few more characters after the end of it before logging in.

Kind of a secondary master password that's not stored anywhere except my
memory and my safe.

Best of both worlds in my opinion.

~~~
peanutz454
This is awesome! (I think). I've never used a password manager, because I was
afraid one breach there is worse than many breaches everywhere else. But, I am
curious, if I use a complex formula in my mind to create passwords that are
unique to every website I visit, and I store those in Chrome am I not safe?
The only problem I see is that I do not update passwords regularly.

~~~
usrusr
If that database in the browser ends up somewhere it should not, a curious
attacker will have a nice list of examples to figure out the formula. I share
your vulnerability and "password manager + brain-stored component" has been my
unexecuted upgrade plan for many years.

------
cyberferret
I just keep the RandomKeyGen [0] site on the top of my bookmarks, and whenever
I need to set a password for a newly spun up server, or SQL DBA admin password
etc., I just pick a random one from there.

Advantage over a password manager? - sometimes I have to document what the
password is in offline technical notes or a password vault for the customer,
and doing it this way lets me kill two birds with one stone.

[0] - [https://randomkeygen.com/](https://randomkeygen.com/)

~~~
fxfan
Is there a similar site that makes memorable passwords but long? (basically I
get entropy and can remember if needed). I use KeePassXC which doesn't have
this.

~~~
camtarn
Try [https://www.rempe.us/diceware/](https://www.rempe.us/diceware/)

Disclaimer: I don't know much about this site and don't have any trust
relationship with it. Have a read of the FAQ on the page and verify for
yourself.

------
codetrotter
Speaking of good passwords, I wrote a passphrase generator once that I still
use to this day. You can have a copy of it if you’d like. The README explains
all there is to know about it but feel free to ask any questions anyone might
have.

[https://github.com/ctsrc/Pgen](https://github.com/ctsrc/Pgen)

~~~
jen729w
One of the password generation tools -- so long ago I forget which one, but
probably 1Password -- generated a password for me, and I loved the scheme it
used. I still use a variety of it but now I make them up myself. The rules:

1\. Make up a short nonsense word (so it's pronounceable).

2\. Pick 3 numbers.

3\. Make up another short nonsense word.

4\. Concat them with hyphens, capitalising the first letter.

So let's go with...

    
    
        Terp-745-mula
        Mang-288-pung
    

The benefits:

1\. Heaps 'o entropy. Need more? Just make longer words.

2\. Crucially: _really_ easy to type on an iOS keyboard. You often start with
caps on by default, and the dash-number-dash sequence in the middle only
requires one use of the symbol shift key.

3\. And, of course, fairly memorable.

I still use 1Password and the vast majority of my passwords are 16 characters
of truly random nonsense, but for those times that you want a memorable
password that you'll actually type quite a bit, this is gold.

\---

And now I await the inevitable teardown of this method ... what did I miss?
:-)

~~~
meruru
An attacker that knows your algorithm can restrict the search space to only
sequences that follow the algorithm.
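
An added example, not code from anyone in the thread or from 1Password, that does the teardown asked for above in numbers: generate a "Word-123-word" password with a CSPRNG, then work out how much search space is left once an attacker knows the shape, next to the 16-random-character baseline the same comment mentions. The consonant and vowel alphabets, the consonant-vowel syllable shape and the guess rate are my assumptions about what "pronounceable nonsense" means.

```python
# Added example, not from the thread or from 1Password: generate a
# "Word-123-word" password with a CSPRNG and work out how much of the
# apparent entropy survives once an attacker knows the shape. The
# consonant/vowel alphabets, the CV syllable shape and the guess rate
# are my assumptions about what "pronounceable nonsense" means.
import math
import re
import secrets
import string

CONSONANTS = "bcdfghjklmnprstvwz"   # 18 (assumed)
VOWELS = "aeiou"                    # 5
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94
GUESSES_PER_SECOND = 1e10           # assumed offline rate, fast hash
SHAPE = re.compile(r"[A-Z][a-z]{3}-[0-9]{3}-[a-z]{4}")


def nonsense_word(syllables=2):
    """Consonant-vowel pairs, e.g. 'tepu', chosen with the secrets module."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def scheme_password(syllables=2, digits=3):
    first = nonsense_word(syllables).capitalize()
    number = "".join(secrets.choice(string.digits) for _ in range(digits))
    second = nonsense_word(syllables)
    return f"{first}-{number}-{second}"


def looks_like_scheme(pw):
    return SHAPE.fullmatch(pw) is not None


def scheme_bits(syllables=2, digits=3):
    """Search space when the attacker knows the rule: only the choices count.

    Hyphens, capitalisation and positions are fixed by the rule and add 0 bits.
    """
    per_word = syllables * math.log2(len(CONSONANTS) * len(VOWELS))
    return 2 * per_word + digits * math.log2(10)


def naive_bits(pw, alphabet=PRINTABLE):
    """What the password 'looks like' if every character were independent."""
    return len(pw) * math.log2(len(alphabet))


def random_bits(length=16, alphabet=PRINTABLE):
    """The 16-char manager-generated baseline mentioned in the comment."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    return 2 ** bits / rate


if __name__ == "__main__":
    pw = scheme_password()
    print(pw, "matches shape:", looks_like_scheme(pw))
    print(f"known-rule search space: {scheme_bits():.1f} bits "
          f"(~{seconds_to_exhaust(scheme_bits()):.0f} s at {GUESSES_PER_SECOND:.0e}/s)")
    print(f"looks like: {naive_bits(pw):.1f} bits; "
          f"16 random printable chars: {random_bits():.1f} bits")
```

With these alphabets the shape is worth about 36 bits to someone who knows it, versus the 85 bits a 13-character string "looks like" and the 105 bits of 16 random printable characters; 2^36 guesses is seconds against an unsalted fast hash. Each extra consonant-vowel syllable in a word adds about 6.5 bits, so "make longer words" does help, but it takes roughly ten extra syllables to reach the manager-generated baseline.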

~~~
eitland
That's why when I describe my password generation scheme - which is _kind of_
similar - I never pinpoint it. Oh, and I don't necessarily stick to it as long
as the result is a good password ;-)

But yes, entropy is lost if you decide it has to be pronounceable. On the
other hand pronounceable is in the eye of the beholder and it allows me to
memorize long sequences of nonsense (up to the point where it gets annoying to
type for someone who consequently locks his computer every time.)

For everyone who is just starting to think of this here are some more tips:

\- Do store passwords in a password manager! The only reason to memorize
passwords is because you need the password for your password manager and your
OS and certain other things available even if you aren't logged in to your
password manager.

\- Use real two factor auth whenever possible. Please be aware though that
just adding "sms something" doesn't necessarily make things more secure. A
common (AFAIK, and sadly) mistake seems to be to use SMS for both password
reset and for the second factor. In this case whoever gets access to your phone
for just a moment can reset your password and immediately get a "2-factor"
login code as well. (Scare quotes because this isn't 2-factor since one only
needs access to one thing, the phone, to get access in this case.)

\- Some people will say that using SMS at all is hopeless, but from what I can
see they can still make sense in a number of cases: not everyone has targeted
attacks from three letter agencies (domestic or foreign) as part of their
threat model. More people have - or should have - a point about losing access
to login information as part of their threat model I guess.

------
rawmodz
In Taiwanese, sometimes we "encode" a message by pretending to type bopomofo
[https://en.wikipedia.org/wiki/Bopomofo](https://en.wikipedia.org/wiki/Bopomofo)
while the input method is English, just like here: "My password" => "我的密碼" =>
"ji32k7au4a83"

------
redisman
I can imagine the cold sweat of reading this title when that is actually your
password

~~~
dmurray
I'm curious to know if this is right. If you use the zhuyin keyboard method,
wouldn't you just remember your password in Taiwanese, and not even recognise
the version in Roman characters?

------
albertgoeswoof
Am I the only person that thinks it’s weird that we encourage using unique
passwords everywhere, but the second piece of information needed to login
(username, email etc) we tend to keep the same for everything?

I posted a Show HN last night for a side project I’ve built that can solve the
email part of this:
[https://news.ycombinator.com/item?id=19296936](https://news.ycombinator.com/item?id=19296936)

~~~
james_s_tayler
I did a cheap version of this where I didn't have to build anything but I
could test out the concept because I thought it would be awesome and I thought
I wanted it.

Long story short it became problematic pretty quickly and I ditched it. You
need to also be able to reply as that email address too etc. It's been done a
bunch of times I understand.

~~~
Sharparam
For my custom domain I set up a catch-all so *@sharparam.com gets routed to my
main address. If I end up needing to reply from such an address I set up a
proper alias for it (currently I use GSuite to manage it).

~~~
albertgoeswoof
Another alternative if you don’t have your own domain is to put a plus in the
email address. The mail server will ignore anything after that plus, eg
johnsmith+facebooklogin@gmail.com will have all email sent to
johnsmith@gmail.com, but it will preserve the To header in the email.

This is useful for detecting the origin of spam, however it’s trivial for a
spammer or hacker to work around (just strip the plus and anything after it
before sending)

------
pishpash
Some sites are throwaway (example: they force a sign-up). Don't assume all
weak passwords used are not conscious decisions. Entropy is too precious to
give up to throwaway sites of uncertain backend security.

~~~
meruru
What do you mean by giving up entropy? Password reuse? You can use a password
manager to generate a secure pass for every site, there's no excuse for weak
passwords.

Here's a few I made with `pwgen`, get it while it's hot:

    
    
      aiPh9toh_ti{XeS(a=a9ohCheeV`o8pu8woh3Epu  
      ahth6AiT6xahaiw:ie1li`xeeF0ohf!ikeih4Joh  
      zah6cusohNei6feithain4aeH5uul5coh/nap0ea  
      uet7ed"ohhooquoosh3ooh8ZeeY+iepeg0eewena  
      UuNg'aes:i!Quohp0eiGh1ibieghe&o9eiSh7ac9  
      aexu0Vio3eitheiV=aiweo$ng@u3Seidoo-phoV1

~~~
maksimum
I'd like to try out #3. "zah" has a nice ring to it. Do you guys mind not
using it?

~~~
meruru
It's yours :)

------
lnyng
Searching for that password for pages on or before Feb 27, 2019 does the
trick:
[https://www.google.com/search?q=ji32k7au4a83&client=firefox-...](https://www.google.com/search?q=ji32k7au4a83&client=firefox-b-1-d&source=lnt&tbs=cdr%3A1%2Ccd_min%3A1%2F1%2F2015%2Ccd_max%3A2%2F27%2F2019&tbm=)

------
usernam33
Even though it turned out to be perfectly explainable why this seemingly
random password is used so often, I find it a great opportunity to self
promote my more secure version of passwords:

[https://news.ycombinator.com/item?id=19290613](https://news.ycombinator.com/item?id=19290613)

------
mnemotechny
Just maybe many taiwanese people use it. Or kids.

------
feintruled
I can relate. I thought I was being smart with 1qaz2wsx only to be pretty
shocked when it appeared in a list of top ten passwords!
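
An added example, not code from anyone in the thread, of the check that would have flagged both "!qaz@wsx" earlier in the thread and "1qaz2wsx" here: treat the US QWERTY keyboard as a grid, undo Shift, and look for runs of physically adjacent keys. The coordinates are my own approximation of the layout (row stagger ignored), so the adjacency test is a heuristic, not a replacement for checking the HIBP list.

```python
# Added example, not from the thread: flag passwords that are walks over
# adjacent keys on a US QWERTY keyboard, the pattern behind "1qaz2wsx"
# and its shifted twin "!qaz@wsx". Key coordinates are my approximation
# of the physical layout (row stagger ignored).
ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Shifted symbol -> unshifted key it sits on (US layout); letters are
# handled with str.lower().
SHIFT_PAIRS = "`~1!2@3#4$5%6^7&8*9(0)-_=+[{]}\\|;:'\",<.>/?"
UNSHIFT = {SHIFT_PAIRS[i + 1]: SHIFT_PAIRS[i] for i in range(0, len(SHIFT_PAIRS), 2)}

POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def to_unshifted(pw):
    """Map every character to the physical key that produces it."""
    return "".join(UNSHIFT.get(ch, ch.lower()) for ch in pw)


def key_pos(ch):
    """(row, col) of the key for ch, or None for keys not on the grid."""
    return POS.get(UNSHIFT.get(ch, ch.lower()))


def adjacent(a, b):
    """True when a and b are distinct keys that touch (including diagonally)."""
    pa, pb = key_pos(a), key_pos(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def walk_segments(pw):
    """Split pw into maximal runs in which each key touches the previous one."""
    segments, current = [], pw[:1]
    for prev, ch in zip(pw, pw[1:]):
        if adjacent(prev, ch):
            current += ch
        else:
            segments.append(current)
            current = ch
    if current:
        segments.append(current)
    return segments


def is_keyboard_walk(pw, min_run=3):
    """True when the whole password is made of walks of at least min_run keys.

    A random string breaks into many one-key segments; "1qaz2wsx" is two
    four-key columns, so it passes.
    """
    return bool(pw) and all(len(s) >= min_run for s in walk_segments(pw))


if __name__ == "__main__":
    for pw in ("1qaz2wsx", "!qaz@wsx", "qwerty", "Terp-745-mula", "ji32k7au4a83"):
        print(f"{pw:15} {walk_segments(pw)} walk={is_keyboard_walk(pw)}")
```

Note that "ji32k7au4a83" is not a keyboard walk: it is a different kind of pattern (a dictionary phrase through an input-method mapping), which is why a spatial check alone is not enough and a breached-password list is still the first filter to run.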

------
balabaster
I wonder how many people use uuddlrlrbastart

I'm sure there are so many culturally significant codes that get used as
passwords all the time.

------
chiefalchemist
Let's consider the scale for a moment. How many people? (Billions, yes?) How
many accounts? (Min: 10x those billions).

Or as I like to say when I see stupidity online or on TV: There are close to
seven billion people in the world, dumb shit is bound to happen.

p.s. You're assuming that those first 10 characters are random and unique. But
perhaps, not really. Maybe it's two 5 char strings of some other significance?

------
carapace
Forgive me if it's been mentioned already, here is the dish on passwords v.
pass phrases FWIW.

[https://www.xkcd.com/936/](https://www.xkcd.com/936/) "Password Strength"

"Diceware"
[http://world.std.com/%7Ereinhold/diceware.html](http://world.std.com/%7Ereinhold/diceware.html)
[https://en.wikipedia.org/wiki/Diceware](https://en.wikipedia.org/wiki/Diceware)

------
basicplus2
I prefer to use the last 4 digits of pi..

------
vlg
And7hisIsWhyYouUse4PassLikeThis123.

------
cronix
I like how they took the opportunity of the popularity of the post to promote
their political viewpoints on trans people (post immediately under first post
by same author). It just makes the first post look like clickbait. Why do
people feel the need to introduce politics into something that isn't political
once they get an audience? Boo.

~~~
jzymbaluk
Plugging something when your post blows up on Twitter is a time honored
tradition, usually someone will plug their sound cloud or Instagram in an
attempt to capitalize on the attention. This author chose to direct attention
towards an underprivileged group, and you're angry about it? Get over
yourself.

~~~
cronix
I didn't state I was angry, and I'm not lol. I just thought it was stupid.
Maybe don't assume things not stated?

------
virgakwolfw
If you just use the latter part "au4a83", which is "password", it's been seen
more than a thousand times on HIBP. And the best part is, if you tried
"ji394su3", it's 20000 times! Want to guess what it is? It's "I love you" lol
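
An added example, not code from anyone in the thread, that does what swang's, rawmodz's and virgakwolfw's comments describe by hand: map a string typed on a Taiwanese zhuyin keyboard back to the bopomofo symbols it produces, cut it into syllables at the tone keys, and compare the search space of "a few Mandarin syllables" with the one a "12 random alphanumerics" reading would assume. The key map is the standard zhuyin layout (1=ㄅ, q=ㄆ, a=ㄇ, ... with tones on 6/3/4/7 and first tone on the space bar), which is an assumption about the commenters' keyboards; the figure of roughly 1,300 toned syllables is an approximate upper bound, not a measurement.

```python
# Added example, not code from anyone in the thread: map a string typed
# on a Taiwanese zhuyin (bopomofo) keyboard back to the symbols it
# produces, split it into syllables, and compare the resulting search
# space with the one a "12 random alphanumerics" reading would assume.
# The key map is the standard zhuyin layout (1=ㄅ, q=ㄆ, a=ㄇ, ...),
# which is an assumption about the commenters' keyboards.
import math

KEY_TO_ZHUYIN = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
    # tone keys: 6=2nd, 3=3rd, 4=4th, 7=neutral; 1st tone is the space bar
    "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙", " ": " ",
}
TONE_KEYS = set("6347 ")

# Roughly 1,300 distinct toned Mandarin syllables exist; used below as a
# generous upper bound on the per-syllable choice (assumption).
TONED_SYLLABLES = 1300


def keys_to_zhuyin(typed):
    """Translate keystrokes to bopomofo; unknown keys are kept verbatim."""
    return "".join(KEY_TO_ZHUYIN.get(ch, ch) for ch in typed.lower())


def split_syllables(typed):
    """Cut the keystroke string at tone keys, which end every syllable.

    A first-tone syllable typed without its trailing space is not
    delimited and runs into the next one; that ambiguity exists on the
    keyboard too, so it is left as-is rather than guessed.
    """
    syllables, current = [], ""
    for ch in typed.lower():
        current += KEY_TO_ZHUYIN.get(ch, ch)
        if ch in TONE_KEYS:
            syllables.append(current.strip())
            current = ""
    if current:
        syllables.append(current)
    return syllables


def phrase_bits(typed):
    """Upper bound on entropy if each syllable were chosen uniformly."""
    return len(split_syllables(typed)) * math.log2(TONED_SYLLABLES)


def alnum_bits(typed):
    """What the string looks like to someone who assumes random [a-z0-9]."""
    return len(typed) * math.log2(36)


if __name__ == "__main__":
    for pw in ("ji32k7au4a83", "au4a83", "ji394su3"):
        print(pw, "->", " ".join(split_syllables(pw)),
              f"({phrase_bits(pw):.0f} bits as a phrase vs "
              f"{alnum_bits(pw):.0f} bits as random alnum)")
```

Even with every syllable picked uniformly, four syllables are about 41 bits against the 62 bits the string appears to have, and nobody picks syllables uniformly: the real population chooses from a short list of meaningful phrases, which is why "my password" and "I love you" dominate the HIBP counts. The transformation is invertible, so as pishpash notes it never makes things worse than the phrase itself; it just does not add anything either.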

------
Thermolabile
So, maybe it's not random as it seems?

------
appsonify
qlalqjsgh is my password.

------
egmu0987
hunter2

------
ohiovr
Probably the same guy reused it a hundred times on a hundred different bitcoin
exchanges that all got hacked. (tongue in cheek I hope)

