The password “ji32k7au4a83” has been seen over a hundred times (twitter.com)
771 points by DoreenMichele on Mar 3, 2019 | 271 comments

I once used a password which our IT department gave me and it was !'a;@,oq and at least for me it looked random enough. I had it as a root password on a server and I enabled password login for about 2 minutes because I wanted to resize some virtual hard drive or something and couldn't be logged in as a normal user and then switch with su to root, because then the normal user would have open files on the file system and I wouldn't be able to unmount or something.

Within those 2 minutes some Chinese hacker scripts took over the server and started DDoSing some Chinese IP addresses. We had to shut it down and blast it and set it up from scratch again.

I later found out that this password was everything but random. It was difficult for me to see because I've been using Dvorak for a couple of years now and didn't see the pattern that it was just the first two rows of the characters on a qwerty keyboard. So actually it was !qaz@wsx (I just put the Dvorak version on top of the comment to give you the same unknown feeling for the password which I had back then.)

I've never reused any passwords since then and always create new ones with my password manager.

I appreciate that you thought about your reader enough to alter the password initially for narrative strength. That's really clever.

I also use dvorak, saw the pattern and was expecting the punchline of your post to be "the sysadmin used dvorak so I didn't recognize the pattern".

L idk c;ukman d; L hag jklfhks ajo lgka...

I use Colemak so I didn't have any idea either...

> So actually it was !qaz@wsx (I just put the Dvorak version on top of the comment to give you the same unknown feeling for the password which I had back then.)

Great narrative trick.

Bravo, Keyser Söze.

columns, not rows.

actually it was columns, he just put “rows” to give you the same unknown feeling

Thanks, I'll change it.

edit: damn, too late I can't change it anymore.

Related story: For some weird reason, I memorized the serial key for a very popular software (I must have been fifteen then). Even today, I can recite the 25-letter key without a hitch. And I have used its first ten letters as a password to one of my accounts. Guess what? The password has been used 4000+ times before [1]. It's hard to digest the fact that there are at least a thousand people in the world who did the same thing.

[1]: https://haveibeenpwned.com/Passwords

Is your password "fckgw rhqq2"?

Holy shit! Now that I have changed the password, can you please tell me how you guessed that?

It's probably the most famous software license key, it can even be found on Wikipedia: https://en.wikipedia.org/wiki/Volume_licensing#Leaked_keys

Because a bunch of us memorized fckgw rhqq2 yxrkt 8tg6w 2b7q8 for the very same reason back in the early 2000s

If I recall correctly this image helped make it famous: https://marco.org/2007/06/18/wow-fckgw-has-its-own-wikipedia...

The fact that it's even at the risk of being published on the public web should be enough to disqualify it as a passphrase for everyone.

I've had users use parts of lesser known poems or stories in some foreign language, because who would expect that, right? Turns out that's not what's relevant to a good password but rather whether it is in any available corpus.

If your passphrase consists of something likely to be in wikipedia you are guaranteed to get owned in minutes.

I memorized the win95 one (legit copy) which was easy since it was just digits (and I was way younger). It ended in 18805 iirc. Win98 was a copy from a friend and already had letters, much harder, but I eventually memorized that too. It started with g3pdy bdkv7.

Now that I think of it, a non-pirated OEM windows key would have made for a great password. ;)

Perhaps it's a bit late for this now, but one very easy to remember Windows 95 key was "111-1111111"

Ahh, good old F* George W.

Yeah, I had that one committed to memory in high school.

Yup. One of the most famous longer numbers out there.

That was always the best trick with new installations. This brings back memories :)

Devil's Own

I preferred the rm233 2prqq ... one myself :)

Lol. Warez. It's been a long time.

To some. :P


Sorry to scare you! I didn't think you were still using it. Honestly, it was the first thing that came to mind in terms of "culturally important serial keys"

It's a pretty well-known leaked key. And then you said exactly what part of it you used. Not the smartest move.

It's like saying "My password is the first 10 characters of a really popular book about wizards" and expecting no one to figure it out.

I didn't know the well-known part. Besides, I was assuming that this was only one of the multiple, multiple keys. But, it's funny how popular it is, and that so many had a reason to memorize it.

Even if you've provided information which narrows your password down to ~5,000 possible values, you've effectively handed out your password to one of 5,000 internet strangers whom you will never meet in real life.

Then consider that this is Hacker News, and how many of those 5,000 have both the skills and motivation to exploit the information you've provided.

Never give out "hints" about your password. Not its contents, not its exact length, the physical location in which you store a copy, nothing.

Plot twist, he's actually phishing this forum for the "I used that password too!" comment replies.

_Taps side of head with index finger_

If giving out the length hurts anything, there's enough going wrong that you should probably assume it's already compromised.

Unless there's something fundamentally wrong with the password, a public length of n is almost as secure as a secret length of n, and significantly more secure than a secret length of n-1

Never get into the specifics of a password, but explaining the basic structure should be a tiny impact and well within your margin of safety, or you didn't make a good enough password to start with.

While you're correct mathematically, I still think it's a good habit to give zero information about your password. If you attempt to estimate the information leakage with every "hint", sooner or later you'll slip up.

My view is your secrets should be secure even if the attacker knows everything about how they are generated and used. For example: My password is 8192 characters long, leveraging only the ASCII character set (except \n\r\t\0). It is changed every 28 days at 11:05am. It is only used on exactly 1 website, and the username on that website is also only used on that website and randomly generated as well.

Good luck (Tell me how and where I can make this stronger)

> Tell me how and where I can make this stronger

Make it 8193 characters long, change it every 27 days at 11:04am, but most importantly: use it on exactly 0 websites.

Good luck

With your username, I actually believe you...

This is a very hilarious post. Bravo, sir, or brava, madam. (Revealing your gender would likely be a security risk - if you leave that unspecified it doubles the space of possibilities!) I don't know what joyless types would downvote you.

Telling someone your password is 8 characters long and memorable vs telling them it is 8192 characters long and unrecallable are two entirely different things.

I'm willing to believe that if you could help me understand a bit more why that is so.

Think of it this way: assume someone is trying to brute force your password. For simplicity let's say they know nothing about it, except that its characters are randomly drawn from a 50 character pool. As they guess passwords starting with 1 character, each added character takes 50x longer than all previous guesses put together to guess all possible passwords of that length. Put another way, if they knew the length beforehand, it would only save them from testing about 2% of the overall possible combinations.

Gotcha. I guess I was unclear about what "almost as secure" meant in this context.

So whether providing your length is a tangible security leak or not is essentially a function of the size of your character pool, because if your password is short enough for n-1 to contain a significant percentage of possible combinations then it's probably already short enough to brute force anyway.

That's not right. You can make a secure password using only ABC as your character pool, if you make it 60 characters long. In that case the percentage of combinations covered by n-1 is a full third of the n character combinations, and your attacker can get a 25% speed boost by you revealing the length. But it's still more secure than a 59 character password, and far more secure than a 57 character password, and all of them are extremely secure.

A good way to look at it is to measure the password in bits of randomness. At most, revealing length can shave off one bit. For any reasonable character set it shaves off a small fraction of a bit. And one bit does not make the difference between good or borderline or bad.

A 25% speed boost is what I would call a significant percentage. Especially at 60 characters. My statement holds up.

What you're missing is that a 59 character password (with secret length) is extremely secure, despite the even larger speed boost.

If you worry about any speedup in password cracking that is less than an order of magnitude, your password was too close to failing to start with. Make your password 5% longer, which will make it at least 20x slower to crack, and then you won't have to care if "20x" gets reduced to "15x".

You may say "It's not harmless to give up 25%. What if I give up 25% several times? That could make even a good password become insecure." but there's a limit to how much speedup someone can get from knowing the structure of your password. And the best way to evaluate the strength of a password is to assume that all the structure is public. So I can say that my typical passwords, being 20 mixed-case letters and numbers, all have a security of 2^119. It's possible that an attacker that uses the wrong algorithm would have to guess even more, but I'm not just worried about a clumsy attacker, I'm also worried about a moderately-high-quality attacker. It's a bad idea to depend on that extra .1 bit I could get with this character set, or that extra .4 bits I could get with a smaller character set. Just assume the length is known.

I'm confused about how that has anything to do with disproving my conjecture that whether providing your length is a tangible security leak or not is essentially a function of the size of your character pool, because if your password is short enough for n-1 to contain a significant percentage of possible combinations then it's probably already short enough to brute force anyway. You're just redefining what "secure" means.

I think we disagree about what a "tangible leak" is. I don't see it as tangible because it's eating into a tiny margin that you never should have counted in the first place. You do see it as tangible because it might make the attacker's job faster by several percent.

And that's fine, we can have different opinions on that part.

But "probably already short enough to brute force" is definitely not right. That percentage depends entirely on character set, not the length of your password. If your password is just numbers, then n-1 always has 10% as many combinations, whether your password is 5 characters long or 200. If you meant "probably already weak enough to brute force" that's not true either. Lots of passwords with mixed case and numbers and symbols are very short and pretty weak. Lots of passwords with only letters are very long and quite strong because they're made-up phrases. You can't guess the strength of a password just by knowing the percentage of [length n-1 combos] / [length n combos].

But 10% of 100 is magnitudes different from 10% of 10,000. The smaller the length, the more each percent (in terms of entropy) matters when we're talking about complexity as a function of brute force time.

And by that metric losing 2% of 1000 is a far bigger problem than losing 10% of 100,000. I agree that length is the most important factor, I'm just saying that character pool isn't very important to final security.

Only if you have a sufficient length of n.

You need "sufficient" n no matter what your character pool is, and knowing the character pool of a password doesn't let you reliably predict if n is sufficient.

I wasn't making that claim.

Then I have absolutely no idea what you were trying to claim in the second sentence of https://news.ycombinator.com/item?id=19304761

But we don't seem to be resolving anything so I'll just hope you have a good week.

You indirectly state that I claim "knowing the character pool of a password lets you reliably predict if n is sufficient."

Please point to the part of my statement which reflects this idea.

We'll take 60 possible characters (alphanumeric with caps and a few special characters). The summation 1...N of 60^x is (60/59) (60^N - 1). Known length is 60^N. If we assume N is big enough that the minus one isn't important, you can see going from known to unknown only increases the guesses by a factor of 60/59!
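The arithmetic in this subthread, carried through with exact fractions as an added example (not code from any commenter): how much work an attacker saves by knowing the exact length, for the thread's own pools (50, 60, 62 and 3 characters). The uniform-random-password model and the "attacker tries every length up to n" model are the assumptions the comments above already make.

```python
"""Added example (not from the thread): what revealing a password's length is
worth to an attacker, using the numbers quoted in the discussion.

Assumptions (the same ones the comments make): passwords are drawn uniformly
from a pool of `pool` characters, and an attacker who does not know the length
n has to try every length 1..n, i.e. the summation in the comment above.
"""
from fractions import Fraction
import math


def known_length_space(pool: int, n: int) -> int:
    """Candidates when the attacker knows the length is exactly n."""
    return pool ** n


def unknown_length_space(pool: int, n: int) -> int:
    """Candidates when only the upper bound n is known: sum of pool^k for
    k = 1..n, which is (pool/(pool-1)) * (pool^n - 1) in closed form."""
    return sum(pool ** k for k in range(1, n + 1))


def length_speedup(pool: int, n: int) -> Fraction:
    """Exact ratio of unknown-length work to known-length work (about 60/59
    for a 60-character pool, as the comment above works out)."""
    return Fraction(unknown_length_space(pool, n), known_length_space(pool, n))


def fraction_saved(pool: int, n: int) -> float:
    """Share of the unknown-length search that knowing n lets the attacker
    skip: ~2% for the 50-character pool used earlier in the thread."""
    return 1.0 - 1.0 / float(length_speedup(pool, n))


def bits_leaked_by_length(pool: int, n: int) -> float:
    """Entropy lost by revealing the length, as log2 of the speedup."""
    return math.log2(length_speedup(pool, n))


def max_bits_leaked(pool: int) -> float:
    """Limit as n grows: log2(pool/(pool-1)). For a binary pool this is
    exactly one bit; for any larger pool it is a fraction of a bit."""
    return math.log2(Fraction(pool, pool - 1))


def password_bits(pool: int, n: int) -> float:
    """Strength of a uniformly random password in bits of randomness;
    20 characters from 62 (mixed case + digits) gives the 2^119 quoted above."""
    return n * math.log2(pool)


if __name__ == "__main__":
    print("60-char pool, n=20: speedup %.5f" % float(length_speedup(60, 20)))
    print("50-char pool, n=20: fraction saved %.3f" % fraction_saved(50, 20))
    # The 'ABC' pool at 60 characters: the n-1 layer alone is a third of layer n.
    print("ABC pool: |n-1| / |n| =", Fraction(3 ** 59, 3 ** 60))
    print("62-char pool, n=20: %.1f bits" % password_bits(62, 20))
    print("worst case for any pool >= 2: %.2f bits leaked" % max_bits_leaked(2))
```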

Sure, many of us have the skills to exploit that information, but the motivation? This isn't Mos Eisley.

Well I was referring to the intersection between the two. Out of all of the potential people to see OP's post here, there is a much higher likelihood of at least one of them containing both the skillset and the motivation required to exploit the information than on other popular aggregators.

I can already see it. 2 weeks later he will post about having made a fortune with BTC and losing it all.

Lord of the rings?

I feel like that doesn't meet the description, and I really want to know if I'm missing a famous fantasy series.

Does Discworld count?

Like Harry Potter?

First 10 characters, so it would be: harrypotte

... I need the dunce sorting hat.

Must be The Wizard of Oz??

I'm only guessing, but this could provide a clue: https://www.google.com/amp/s/www.urbandictionary.com/define....

What the actual hell. Who even remembers the key? And more importantly why? Why would you install XP once a week to remember it?

I'm shocked by this subthread!

Popular electronics stores would do an in-store setup of your computer before you left with it. Part of this involved entering the user's name and windows key.

I probably used the same key to set up over 1000 PCs when I worked there.

'Back in the day' regular formats were a pretty good way of maintaining system performance. They still are really but computers being an order of magnitude overpowered for all the tasks 90% of users do makes it less relevant. You'd be surprised how easy it is to memorize long series of digits when you enter them a few times. For instance FCKGW. Who was the president in 2001? You'll now literally never forget those 5 letters.

That was the first thing I thought of at the beginning of this thread.

It was the first consumer NT-based Windows, the first with activation and this key, which let you bypass all that, was out before the OS was officially released.

I laughed out loud when I saw the sponsored domain registrar links down the page advertising “FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8.travel” and other TLDs.

.dev is not taken (yet). I think this might be one of the best uses for a joke .dev domain. :)


It's also got some kinda German meme on it

So apropos

You said you were 15 and it was a very popular software that needed to be installed relatively often.

I guess people on here are 30-ish, so it happened 15 years ago in the 00s. This hints strongly towards WinXP, which has a few famous leaked Serials.

Whatever way you phrased this I feel Sherlock Holmes mode is happening here. And the following is tangential to the OP's headline so it may or may not be interesting to HN folk. Last week in my local paper the daily quiz asked what is the common name for "Galanthus nivalis". To my younger self it would have seemed impossible, but now that I am older and more informed (though NOT smarter) I spotted the 'gala' at the start. Hmmm. The word 'galaxy' starts with 'gala'. I remember that galaxy and milky way are somehow related. Milk is white. What flower (given it is Spring here in Northern Europe) could be white (-ish?). Aha, snowdrop! And to me (seriously) I felt utter astonishment that I was right. I am not smart. But this machine that I seem to have could do that. Well, wow to the maker that did that.

It's common enough it's in Urban Dictionary.


I too spent most of my youth re-installing Windows on various machines. :D

I guess Win XP would be one of the world's most pirated software (ever?)

I am also extremely curious! (I did not have this password, but would love to know why it was so common?)

It's the first few sections of the product key for one of the original warez scene releases of the Windows XP Pro gold master ISO.

Windows XP..

Wow. I remember this key too. It's amazing how far we've come from those days... just think, each open Chrome tab takes up as much memory as your entire machine had back then.

That says something just as much about Chrome as it does about "how far we've come"

I was going to guess W7XTC 2YWFB... another semi-well-known key from a slightly earlier era.

Similarly, I was guessing "QW4HD DQCRG"

I've seen the above but for some reason mine was more prevalent in my region. Common enough that even my friends could recite it.

My guess was going to be 09 f9 11 02 9b

dgk7b 9rwyw

bound by the power of cerealz

What's this from? I have definitely seen it before but I can't put my finger on it and a quick search doesn't turn it up like the others on here - VLK for more recent version of Windows perhaps?

I... am not even sure. 2K license most probably.

You're thinking of Windows XP

I remember this key. Lol.

We need an XKCD for this!

I've done the same, though I never used it as a password. Back around 2000 or so I was experimenting a lot with hardware configurations and I had input my Windows 98 SE key so many times during reinstalls I ended up memorizing it unintentionally. Even today, nearly 20 years later, I can recall it perfectly. It actually came in handy a couple of years ago when I built a P-III retro gaming machine out of scavenged parts; I found a Windows 98 CD at work collecting dust on a shelf, installed it, and instinctively entered the correct key without missing a character.

Word of warning: if you use an ad/content blocker like uBlock Origin and block 3rd-party JS, then HIBP may give up on its k-anonymity mechanism and just send your password to their server in cleartext.

Ensure you specifically permit loading jQuery from cloudflare.com, and check network traffic using a test password first.
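What the k-anonymity lookup should look like, so you know what to expect when checking that network traffic, as an added example (not HIBP's own client code). It assumes the Pwned Passwords range API contract: the client sends only the first five hex digits of the password's SHA-1, and the server answers with `SUFFIX:COUNT` lines; the response body below is constructed here and contains no real data, and no request is actually made.

```python
"""Added example (not from the thread or from HIBP): the k-anonymity range
lookup done correctly, plus a check you can run over a captured request to
see whether a page is sending more than the 5-character hash prefix.

Assumptions: the range API takes the first five upper-case hex digits of
SHA-1(password) and returns one 'SUFFIX:COUNT' line per matching hash.
The sample response body is constructed for this offline demonstration.
"""
from __future__ import annotations

import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that may
    leave the browser and the 35-char suffix that must stay on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_url(password: str) -> str:
    """The only thing a k-anonymity client should put on the wire."""
    return RANGE_API + sha1_prefix_suffix(password)[0]


def count_in_range_response(password: str, body: str) -> int:
    """Parse a range response locally and return how often the password was
    seen (0 if its suffix is not in the list). Blank or malformed lines are skipped."""
    _, suffix = sha1_prefix_suffix(password)
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        seen_suffix, count = line.split(":", 1)
        if seen_suffix.upper() == suffix:
            return int(count)
    return 0


def request_leaks_password(password: str, url: str, body: str = "") -> bool:
    """Traffic check for a captured request: True if the plaintext password,
    the hash suffix, or the full hash appears anywhere in the URL or body.
    A well-behaved client produces a request for which this is False."""
    prefix, suffix = sha1_prefix_suffix(password)
    blob = url + body
    blob_upper = blob.upper()
    return password in blob or suffix in blob_upper or (prefix + suffix) in blob_upper


def sample_body(password: str) -> str:
    """Constructed response for the prefix of `password`; the other suffixes
    and all counts are made up."""
    _, suffix = sha1_prefix_suffix(password)
    return "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:1",   # unrelated suffix (constructed)
        f"{suffix}:123",                           # the password under test
        "",                                        # blank line, ignored by the parser
        "FEDCBA9876543210FEDCBA9876543210FED:7",   # unrelated suffix (constructed)
    ])


if __name__ == "__main__":
    pw = "ji32k7au4a83"
    print("request URL :", build_range_url(pw))
    print("times seen  :", count_in_range_response(pw, sample_body(pw)))
    print("URL leaks pw:", request_leaks_password(pw, build_range_url(pw)))
```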

I'm still impressed by the number of technical people that are willing to give you their passwords one way or another, a common way being when they are offered to check if their password has been leaked.

Once a friend shared one of those services with me; he was surprised when I raised my concern about compromising his password. He took a second to check the developer tools to see if there was any request including his password; there wasn't, so he called me crazy (it's well known that malicious sites behave differently under certain conditions, one being having the developer tools open).

Anyway, I suppose that this blind trust is what makes phishing attacks so effective.

> it's well known that malicious sites behave differently on certain conditions, one is having the developer tools opened

I had always wondered if they do, and I've known it's possible, but this is the first time I've heard any accounts of it. Would you have more info on this?

As someone who has worked on scraping sites that really didn't want to be scraped, there is all kinds of interference with dev tools in the wild.

There are many ways to detect it's open (eg. https://github.com/sindresorhus/devtools-detect) and it's also possible to mess with it without knowing it's open. A method that's widely used is firing the debugger break command many times a second, along with other stuff that makes using the tools nearly impossible (slows the browser down to a halt)

That script doesn't seem to be able to detect the chrome devtools when they're undocked, so that seems pretty easy to circumvent (who has them docked anyway?). The debugger break thing should be solvable with https://developers.google.com/web/tools/chrome-devtools/java...

Why does this happen?

It seems like a huge oversight to not detect ad blockers and let the user know that their password is being transmitted in plaintext if that's true...

It's not cleartext if you're loading over HTTPS which is enforced on this site.

It's cleartext from the perspective of HIBP's server.

lol, when i was 9 or 10 i memorized 'the big cheat' for turok 64, which i can also recite today -- nthgthdgdcrtdtrk

turns out 204 other people can too! (though apparently not in all caps)

never used it as a password but i can see why one would

"On the eighth day, God created Turok" without vowels :)

Wow! Is this really what the developers meant or is this just a mnemonic that you used?


I memorized my first library card number -- the library would call and leave a message containing the number when a book came in. 1000102772901.

I had to replace the card a few times, but only the first number stuck.

I memorized my 16-digit library card, but only because it was the password required to access the library dial-in unix computer system, which allowed some minor read/write access to the disk, but more importantly, unrestricted access to the internet via lynx, which was, for reasons unknown to me at that age, way faster than the AOL browser with image support.

Same thing with my first debit card. All the rest never stuck

Yep. I remember the big eyes of a bank clerk after she asked me to fill in some form regarding my card and I wrote the number without looking at the card.

I remember having memorized a couple of Windows serials. The reason the Windows serial was used as a password by thousands of users might be that some people didn't understand that they needed a new password and just typed the serial thinking it was the required one, or, for non-English speakers, they could have misunderstood what was required.

Or just that after spending too many times installing pirated Windows for yourself, your friends and family, the number stuck to their memory. There's a whole spectrum of people between computer professionals like us and the computer-clueless people; some of them know enough to have served as front-line tech support for their family, but not enough to not use what's possibly the widest-known CD-key as a password :).

Being the "techy" kid in a 7 person family meant I was responsible for setting up any new devices on our wifi many many years ago. From the number of phones/consoles/laptops set up on the same WEP key, I have the 26 digit random hex string permanently ingrained in my memory. While I don't use it as a password any more, before password managers I'm pretty sure I had one of if not _the_ most secure banking password at the time.

My bank still has a mandatory fixed 8 numerical digit password, with 3 digit positions asked for login, and "two-factor" SMS confirmation for transfers. Very secure.

(key redacted as I realized they are still selling SC4 Deluxe on Steam. It was your standard 5 groups of 4 alphanumeric key)

When I was a kid I didn't understand why Sim City 4 Deluxe played after install but didn't play when I stuck disk 2 back in and clicked the game. It was my favorite game for a number of years and it wasn't until at least 2 or 3 years in I realized it wanted me to stick disk 1 in for the copyright protection and that disk 2 just worked during install for convenience reasons. I had been uninstalling the game every night before I went to bed (preserving saves!) and reinstalling it every day after school. One day I couldn't find the case with the key (probably got thrown away) and I thought I was going to have to buy it again but when I went to the computer I was able to get it first guess.

Been 15 years now. I suppose I'm never going to forget that key.

Never use a shared secret. Generate your own entropy.

I have an old password I made up back when I was 13 that I still remember. Nothing complicated, and it only used 1,3,5,7, and 9 (four corners of the numpad and the center key). 9 digits length. I made it up because it was easy to key in. I went and checked and was surprised there had been no pwnage.

> for a very popular software

You aren't fooling no one, might as well just say it.

I'm surprised my burner password I use for throwaway sites hasn't been compromised.

Well, now it has since you typed it into a search engine :-)

Same. FCKGW-RHQQ2...

i think you are talking about the most used Windows XP product key "QW4HD DQCRG HM64M 6GJRK 8K83T"

I did the same, mine was qqwd7...

You're one in 7.5 million!

This is using the zhuyin keyboard which most likely means Taiwanese users since Taiwan is probably the sole user of the zhuyin keyboard.

Typing that out on a zhuyin keyboard gets you: ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ

In Pinyin that is wo3 de mi4ma3

Or in English "my password"
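The two keyboard-layout stories in this thread (the IT-issued !'a;@,oq that is !qaz@wsx on Dvorak, and ji32k7au4a83 that is ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ on a zhuyin keyboard), as one added example that is not code from any commenter: a password check that retypes a candidate through each layout before comparing it with a denylist. It assumes US QWERTY as the physical layout, the standard Dvorak and Taiwanese zhuyin key tables, and a constructed two-entry denylist.

```python
"""Added example (not from the thread): the same keystrokes read through
other keyboard layouts. A password that looks random under one layout can
be a keyboard walk or a dictionary phrase under another, and a policy check
that only sees the QWERTY reading misses it.

Assumptions: US QWERTY is the physical layout; the Dvorak and zhuyin tables
are the standard ones; the denylist is constructed for this demonstration.
"""
from __future__ import annotations

# Same physical key, QWERTY legend on the left, Dvorak legend on the right.
QWERTY_ROWS = "1234567890-=qwertyuiop[]asdfghjkl;'zxcvbnm,./"
DVORAK_ROWS = "1234567890[]',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"
QWERTY_SHIFTED = '!@#$%^&*()_+QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>?'
DVORAK_SHIFTED = '!@#$%^&*(){}"<>PYFGCRL?+AOEUIDHTNS_:QJKXBMWVZ'

DVORAK = dict(zip(QWERTY_ROWS + QWERTY_SHIFTED, DVORAK_ROWS + DVORAK_SHIFTED))
DVORAK_TO_QWERTY = {dvorak: qwerty for qwerty, dvorak in DVORAK.items()}

# Zhuyin (bopomofo) legends on the standard Taiwanese layout, unshifted keys.
ZHUYIN = dict(zip(
    "1234567890-qwertyuiopasdfghjkl;zxcvbnm,./",
    "ㄅㄉˇˋㄓˊ˙ㄚㄞㄢㄦㄆㄊㄍㄐㄔㄗㄧㄛㄟㄣㄇㄋㄎㄑㄕㄘㄨㄜㄠㄤㄈㄌㄏㄒㄖㄙㄩㄝㄡㄥ",
))


def retype(text: str, layout: dict[str, str]) -> str:
    """What `text`, typed as QWERTY keystrokes, displays under `layout`.
    Keys the layout does not define are kept as they are."""
    return "".join(layout.get(ch, ch) for ch in text)


LAYOUTS = {"dvorak": DVORAK, "dvorak_to_qwerty": DVORAK_TO_QWERTY, "zhuyin": ZHUYIN}

# Constructed denylist; a real one would hold the usual breach-derived lists.
DENYLIST = {
    "!qaz@wsx",                    # keyboard walk down the first two QWERTY columns
    "ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ",            # 'my password' in bopomofo
}


def layout_aware_hits(password: str) -> dict[str, str]:
    """Every reading of `password` that lands in the denylist, keyed by the
    layout that produced it ('qwerty' is the password as typed)."""
    readings = {"qwerty": password}
    for name, layout in LAYOUTS.items():
        readings[name] = retype(password, layout)
    return {name: text for name, text in readings.items() if text in DENYLIST}


def is_acceptable(password: str) -> bool:
    """Policy decision: reject if any layout reading is denylisted."""
    return not layout_aware_hits(password)


if __name__ == "__main__":
    for candidate in ("!'a;@,oq", "ji32k7au4a83", "e04su3su;6"):
        print(candidate, "->", retype(candidate, ZHUYIN), "|", layout_aware_hits(candidate))
```

The `dvorak_to_qwerty` reading is what catches the first story: the Dvorak user saw !'a;@,oq, but the sysadmin had walked the first two QWERTY columns.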

For the unfamiliar, "ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ" is an example of "bopomofo" script, the phonetic system used to teach kids reading and pronunciation in Taiwan, and adapted to Chinese keyboard input (zhuyin). I learned it in the 1990s studying Mandarin in Taipei. It maps closely to pinyin romanization used in China (i.e., "ㄨㄛˇ" = "wo3" which is the sound in the Mandarin dialect for "我" and potentially other characters with the same pronunciation and tone. "我" means "I" or "me").

I am wondering if it was modeled after Hiragana/Katakana during Taiwan's colonial period?

Zhuyin is indeed inspired/influenced by hiragana/katakana


But it wasn't created by/for Taiwanese specifically; by that time Taiwan was under Japan's rule and they were learning Japanese at the schools. Indeed it was imported back into Taiwan when the KMT fled there.

PRC then went on its own journey of inventing its own Romanization scheme for Chinese. They once almost chose the Cyrillic alphabet because of its ideological alliance with the Soviets, but Latin script still won at the end of the day, because the scholars were convinced it is more widely used and more useful.

The Republic of China used to be the government of China during 1912 to 1949 before it moved to Taiwan. It was invented early in that government's time. Long ago in the mainland that period was called "before liberation". I had some "before liberation" books with the scripts, which was very interesting, but they seem to have never been used in Mainland China after "liberation" as far as I know.

Actually, Zhuyin was used for a number of years before the Latin Pinyin scheme was finalized in 1958, after which it remained as an alternative for people less familiar with the Latin alphabet. Dictionary and reference books[0] published in the mainland used to include Zhuyin well into the 1980s. The characters used for Zhuyin were actually retained in the earliest simplified Chinese character sets (GB 2312-80) for computer typesetting; however, by then very few people were still using them over Pinyin. And indeed it gradually faded from public knowledge from there.


I thought hiragana/katakana come from Chinese character radicals?

Well, yeah they did, but thousands of years before bopomofo script.

Hiragana is at most ~1500 years old.

Many cultures that borrowed Chinese characters developed their own ways of simplifying them. Moreover, Chinese characters themselves are composed of distinct radicals, so it's rather natural to try to decompose them when needed. The radicals are ancient, but they can look very similar to kana in their simple forms. This could be an example of parallel evolution, not one borrowing exclusively from another.

Yes but they still use the radicals in the Chinese characters themselves, so it's odd to say it comes from Katakana/Hiragana.

It does have some resemblance to katakana. The first character at least looks very similar to メ.

It comes from China, was developed in the republican era. It's based on a shorthand modification of seal script - though Japan was very influential on the elite of China at that time so it's possible Katakana played some role.


Most katakana were derived from Chinese characters by taking a part of that character (whereas Hiragana are simplified cursive forms of a whole Chinese character). The メ part is part of many Chinese characters.


Would you please stop posting flamebait to Hacker News? We ban accounts that won't.


Ok, but in that case you need to stick to facts and not add swipes like "roll eyes" and "Are doing ignoring what I wrote on purpose?".

Your comment would have been better received without the insult.

You probably don't even realise that comments like the one I replied to are somewhat insulting...

Firstly, that's irrelevant and doesn't make your actions acceptable. Secondly, indirect insults due to ignorance are more forgivable than a direct verbal attack.

I did not insult nor verbally attack anyone. I expressed my mood. I'm sure people here have a thick skin... or not.

Questioning the toughness of fellow commenters belies your effort to engage in good-faith intellectual discussion.

Bopomofo has nothing to do with Taiwan, specifically.

It's a system introduced by the Republic of China, and that continues to be used in the Republic of China (only Taiwan left these days).

That's because the mainland switched to Pinyin in the 50s.

That being said, Taiwan has now also officially switched to Pinyin so use may increase.


Another interesting, and old, system to write Mandarin using the Arabic alphabet: Xiao'erjing: https://en.wikipedia.org/wiki/Xiao%27erjing

Edit 2:

Bopomofo is in the same line as the Hiragana/Katakana/Korean systems: it simplifies and makes things phonetic but still creates a brand new character set inspired by Chinese characters.

With Pinyin, to me the main development was to recognize that there was already a ubiquitous alphabet in existence, the Latin alphabet, that could be used and save the trouble of yet another writing system.

A bit like what happened in Vietnam (though obviously that's because a Frenchman came up with the system).

For what it's worth, there is also a Sinitic language fairly close to Mandarin that's written in Cyrillic characters, Dungan (which, incidentally, sort of refutes the notion that one can only write Chinese languages with Chinese characters).



As a resident here, I know for a fact that Taiwan did not replace bopomofo with pinyin.

You see, bopomofo is to denote pronunciation, not to romanize characters. If you are talking about how location/street names are spelled, some form of pinyin (literally means spelling) had always been used for romanization.

Bopomofo is still taught in Taiwan and zhuyin is still used for typing. The only thing changed is signs now use pinyin....

It's a start...

Well, they don't change the signs in Tainan or Taipei; it only exists in 1 or 2 counties.

Hopefully they don't switch to pinyin, and I especially hope they don't switch to Simplified.

It had always been some form of romanization for street names. Pronunciation has always been bopomofo.


Wikipedia says it was created under the Beiyang Government, so no. Also bopomofo is an alphabet (separate characters for consonants and vowels) whereas katakana/hiragana are syllabaries

However all three systems are derived from regular Chinese script. Hiragana is derived from cursive Chinese script, Katakana from radicals used as shorthand for certain characters, and Bopomofo from archaic forms of modern characters.

It's not an alphabet, it's a semi-syllabary (and that's written on the page you linked). There are no separate characters for consonants and vowels but instead a separation between consonants and rhymes. Rhymes can be made of one or multiple vowels, and can be terminated by a consonant (/n/, /ŋ/).

I see this same explanation on the Twitter thread, which is great.

However, I am concerned about how the OP got the string in the first place that he compared to HaveIBeenPwned. Is he storing his users' passwords in plain text in his back-end database, and decided to run them all against the service?? That in and of itself is a security red flag.

I am reading this as OP looking at password breach databases (which are, by definition, public and plaintext already), not OP running a service with password registration themselves.

Lists of common passwords compiled from previous data breaches are readily available online.

Tried "e04su3su;6", and there are 71 ones!

This is a rude phrase that probably most Taiwanese understand.

Care to enlighten those of us who are not?

幹你娘. Motherfucker, (lit. "fuck your mom")

Just for etymology correctness, "姦爾娘" would be better than "幹你娘".

There is a lot of detail in those characters. Do you use a larger font size for this script?

I tend to browse HN at 130% zoom, Chinese characters render quite well at that zoom too. Even for English the text size here is rather small though. You don't need to see all the details to recognize words made from Chinese characters though, context (neighbouring characters) and general knowledge of the common characters help fill in the blanks.

This is part of the reason why much larger phones are currently in fashion, and why in Asian countries you'll see people walking around with their phone about a foot in front of their face. It was a real revelation to me when it finally clicked. :)

Size 14 is usually good enough for me, 9~12 are readable/acceptable, and 16+ are comfortable.

Native English speaker here, I still browse HN at 150% zoom because I use displays with a high DPI (Macbook pro retina 15" and the Dell U25 and U27 series screens).

It's just more comfortable that way.

If you're interested in learning Chinese, and want to see the bopomofo/pinyin/literal/parallel translations, please check out Pingtype! I wrote it to help me study. Click Advanced > ㄅㄆㄇㄈ if you want the Zhuyin.


Was lurking profiles of the Taiwanese crowd on HN. How is it to work as a software engineer in Kaohsiung?

I left in August last year and am now in New Zealand. I wrote control systems software at a factory making USB, SD, microSD cards - so many good memories. Email me if you'd like to chat about it more!

"So many good memories" - ha ha!

Good wear levelling :)

I'm a scientist. Information theory always felt curious to me because it adopted terminology and concepts similar to that from statistical mechanics but in practice was always much more difficult due to what could be considered what was "random" vs. what was non-random. After sitting back and thinking about it, what is considered "random" of course is a statement of the probability distribution for the set under consideration. For info theory, that set is some set of strings (say passwords) which is really culturally and historically contingent, while in physics land, the set is microstates that determine macrostates, for which the degeneracy of a macrostate depends on the hamiltonian, full stop. I think mathematically, of course the statements you make are similar (hence why you apply the same prob theory to both) but the systems I study are comparatively easier, while really, the underlying probability distribution for strings is really hard to know in practice because it essentially depends on human history and culture up to that point. For example, in a universe without English, English words (say one-to-oned to a discrete set, so strings of positive integers less than 26 + 10 (including decimal numbers)) would be random. In fact, a universe without that particular Chinese IME, if it was done somewhat differently, then ji32k7au4a83 could be random.

It's just interesting to me, another reminder that physics is just that much easier than anything else.

Hold up. In my physics classes, no one ever gave me a straight answer on what constituted a "macrostate". It always sounded arbitrary for similar reasons to the ones you describe for language. Are you telling me it's literally defined by the energy of the system (the Hamiltonian, right?) alone?

The degeneracy of a macrostate is just a matter of the Hamiltonian but what counts as a macrostate is, in a sense, arbitrary.

It's really just a state you, the observer, can distinguish. This would typically involve things like pressure, volume, and temperature but if you developed a new way of measuring the properties of a system suddenly the possible macrostates multiply in number, each contains fewer microstates, and the entropy of the state decreases. Take this far enough and you could create a Maxwell's Demon to extract energy from thermal motion. But while it's subjective in some sense it was later shown that our subjective knowledge of the world is limited by the laws of physics in other ways and perfect subjective knowledge is impossible.

So you could say that entropy is a measure of your ignorance about the exact state of the world, which corresponds nicely to the information theory definition. It's just that in physics everyone is in practice going to be using the same pressure, temperature, and volume measurements while in information theory what constitutes a macrostate is very fuzzy.

A macrostate is any particular probability distribution of microstates. Usually these are picked to reproduce some macroscopic observable, such as temperature, pressure, volume, magnetisation, etc.

Not sure about physics terms, but in combinatorics I believe that an example of macrostate (also called an 'event') would be "2 coins out of 3 landed heads" and the possible microstates (also called 'outcomes') would be THH, HTH, or HHT.

> It's just interesting to me, another reminder that physics is just that much easier than anything else.

Such statements make me nervous.

In the late XIX century physics professors told their students that they should stop learning physics and go to some other science, because physics was almost complete. It explained almost everything; there were some small issues with electromagnetism which would be solved in a few decades, and then there would be no more work for physicists. No more physics as a science, just engineering.

At that time physics seemed much easier than anything else. Like it seems now for you, I suppose.

Though maybe there would be no more Einsteins, and physics really explained almost everything for this time.

No, the point is that in physics you isolate systems and get rid of all the messy stuff.

Compare particle physics to cell biology, for example. Of course the first has complicated math and a lot of resources thrown at it, but in essence these isolate the thing to measure. How would you even do that with cells?

A vacuum or laser lab may be complicated or finicky and capricious to work with, but it is nothing compared to a bio lab and the influences on the organisms you try to study.

At least bosons don't react differently when you look at them funny or with the time of day (we assume). (addendum: Like lab mice that change massively depending on the handlers.)

I take "random" just being a description of the predictor, that they lack sufficient information to make a determinate prediction.

I.e., I take probability to be only an epistemic description of confidence given information. And therefore randomness is just a lack.

A physical system may be "ontologically random" in the sense that there is no info it's possible to obtain to make a determinate prediction -- but that isn't randomness (which is epistemic).

That's "physical informationlessness" which is an (alleged) feature of a physical system that leads to an "inevitable randomness" in our predictions of it.

From the linked Twitter thread: It's the Chinese equivalent of "password": 我的密码

Password would be 密码. 我的密码 is "my password".

In China they just use pinyin, so I was baffled as to how ji32k7au4a83 could represent 我的密码. Turns out it's the keys you press if you have Taiwanese input.

After a brief Googling, a lot of Taiwanese websites are encouraging users to come up with a password by typing Zhuyin in English, and specifically giving "ji32k7au4a83" (my password) as an example. So this may explain why a lot of people actually followed the advice to the word.

Interesting, so it's a Taiwanese correct horse battery staple, basically.

It's a bit sad to see how people in a position to formulate password suggestions on a register form can fail so hard at realizing that a uniform transformation of a dictionary word will still be prone to dictionary attacks.

Searching a little (it's easy because it's unique) and then automatically translating a 2014 article titled:

"How to set up a safe and easy to remember password"



"4. Using Chinese input method:

For example, the phonetic input method of the four" (I guess in Chinese, op. acqq) "words "My Password" is the combination of "ji32k7au4a83"."

Sure, safe. Just for you and everybody who read that. No problem at all.

And some user of some gaming(?) site used it for his username:


Here's the entire translated version

Using the above principles, how can we design a good password?

Tip 1: Replace characters with ones that sound the same

For example, you can replace the letter e in succeed with the number 1 {note this sounds the same in Mandarin}, so that it becomes succ11d, which is easy to remember and combines numbers and letters.

Tip 2: Replace characters with ones that look the same

For example, you can replace the o in dog with 0 and it becomes d0g. It mixes letters and numbers.

Tip 3: fill with special symbols

For example, the above password d0g is not long enough, so you can add special symbols at the end, e.g. d0g!(!(!(!(!(!(, it will be easy to remember, but hackers will need 12,340 centuries to crack it.

Tip 4: Using Chinese input method

For example, the phonetic input method of the four words "My Password" is the combination of "ji32k7au4a83". At first glance, it is a random combination, but it is meaningful.

Pretty hilarious all around, anyone checked if d0g!(!(!(!(!(!( is in the database too?

>Pretty hilarious all around, anyone checked if d0g!(!(!(!(!(!( is in the database too?

I just checked and... looks like it's not been seen by HIBP:

>Good news — no pwnage found!

>This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned. That doesn't necessarily mean it's a good password, merely that it's not indexed on this site. If you're not already using a password manager, go and download 1Password and change all your passwords to be strong and unique.

The hilarious part is these are used as examples to illustrate an algorithm, not to suggest you use them as actual secrets.

No, the algorithms are bad as well. Transformed dictionary is hardly any better than dictionary if the transformation isn't unique.

All those annoying rules about required character classes are mainly there to prevent dictionary attacks, but "s3cr3t" is not much of an improvement over "secret" ("s4cr5t" would, because it's not the result of a popular transformation).

Not much of an improvement, but never worse -- unless the function is not injective. You can't argue with Kolmogorov complexity. If the algorithm is secret and has computational complexity it gets better.

Sure, but we are talking about trivial substitution schemes here. I could have been more specific.
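The point made above, that a uniform substitution leaves a password inside a dictionary-sized search space, is easiest to see from the checking side. This is an added example, not code from the thread or any commenter: a check that undoes the popular leetspeak substitutions and repeated-symbol padding before a dictionary lookup, so "s3cr3t" and "d0g!(!(!(!(!(!(" are recognised as the words they were derived from while "s4cr5t" is not. The wordlist, the substitution table and the test passwords are constructed for the demonstration.

```python
"""Added example (not from the thread): detect passwords that are a simple
transformation of a dictionary word, the way a cracking rule set would."""
import itertools
import math
import re

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"secret", "password", "dog", "succeed", "monkey", "dragon"}

# Assumed substitution table: the common "looks like / sounds like" rules.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# A run of 1-3 symbols repeated at the start or the end, e.g. "!(!(!(" or "!!!".
PADDING = re.compile(r"^([^A-Za-z0-9]{1,3})\1*|([^A-Za-z0-9]{1,3})\2*$")


def strip_padding(pw):
    """'d0g!(!(!(!(!(!(' -> 'd0g'. Padding is one more mangling rule for an
    attacker, not extra keyspace."""
    return PADDING.sub("", pw)


def variants(core):
    """Yield every plain-letter string the core could have been produced from
    by applying LEET in either direction (each symbol keeps itself as an option)."""
    options = [c + LEET.get(c, "") for c in core.lower()]
    if math.prod(len(o) for o in options) > 100_000:
        return  # too many combinations to be a simple transform; give up
    for combo in itertools.product(*options):
        yield "".join(combo)


def transformed_dictionary_word(pw, wordlist=WORDLIST):
    """Return the dictionary word pw is a simple transformation of, or None."""
    for candidate in variants(strip_padding(pw)):
        if candidate in wordlist:
            return candidate
    return None


def search_space_bits(word_count, rule_count):
    """Work to try every word under every mangling rule: log2(words * rules).
    100k words x 1k rules is about 26.6 bits; six random printable characters
    (95**6) are about 39 bits, so the substitution buys far less than length."""
    return math.log2(word_count * rule_count)


if __name__ == "__main__":
    for pw in ("secret", "s3cr3t", "s4cr5t", "P@ssw0rd", "d0g!(!(!(!(!(!("):
        print(f"{pw:20} -> {transformed_dictionary_word(pw)}")
    print(f"dictionary x rules: {search_space_bits(100_000, 1_000):.1f} bits")
```

The rule table is locale-specific, which is the thread's real lesson: the Mandarin sound-alike rule behind "succ11d" and the zhuyin keyboard mapping behind "ji32k7au4a83" are not in a Western leet table, so a check like this has to be built from the rules the local population actually follows, and a password's safety depends on the transformation being unpopular rather than merely non-obvious.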

That follow-up tweet freaks me out. What does that have to do with anything, really. I think it's rather unprofessional and would prefer people not make self-congratulatory statements about their personal beliefs.

It's a part of Twitter culture. If you are an unknown person and one of your tweets suddenly goes viral, you get to post a follow-up tweet promoting yourself or whatever you want. This person apparently cares about trans rights.

I think it started in "black Twitter". People would post jokes and if one of them took off they'd post a link to their SoundCloud page asking people to check out their "mixtape". Others started joking that they don't have a SoundCloud, but check out my book/art/Ruby package/craft beer.

It's actually good to promote the rights of oppressed people, and it's also highly suspect when other people pretend it's inappropriate to do so purely on grounds of stuffiness. It makes it seem like you either aren't familiar with what you're opining about at all, or you just don't care.

How condescending and moral relativistic of you to say that there is a wrong time and place to assert what is and is not a human right, that there is no unselfish reason to do so, and that human rights are merely a matter of individual preference.

How are trans people excluded from human rights, again? I seem to have missed that part in my source [0], because that should certainly be covered most formidably by article 3, "Everyone has the right to life, liberty and security of person".

[0] http://www.un.org/en/universal-declaration-human-rights/inde...

Rights that aren't asserted are not likely to be respected. Yes, of course these rights apply to everyone, but the laws and policies being enacted aren't taking those rights away from everyone, they're taking them away from trans people. If there were laws passed to do things like prevent cisgender men and women from using anything other than unisex bathrooms, it wouldn't make much sense to rally support for trans rights, would it? But that's not what's happening, what's happening is an infringement against trans people, specifically. Would it make much sense for firefighters to ignore individual fires and only put fires out when everything was on fire?

> Rights that aren't asserted are not likely to be respected.

I don't see that happening at all. I find this whole activism trope a dangerous game; they indoctrinate each other with a mindset to disregard empirical data and disrespect authorities put in place by governments.

> do things like prevent cisgender men and women from using anything other than unisex bathrooms

I'm pretty convinced that where I live you can use whichever bathroom you like, while dressing like the unicorn you are. I'll still be using a urinal, though, because I don't want to make a mess for people, cis or not cis, that need to use the bathroom for more serious business.

> infringement against trans people, specifically

I condemn violence, especially against one-legged single-parent dwarves. They deserve better and you damn well know it.

you are a bigot in denial. have fun being hateful!

Most of twitter seems to be self-congratulatory posts about users' beliefs

Let this thread be a reminder for everyone to use a password manager.

I'm willing to bet that a major upcoming security disaster is a compromised password manager that leaks out tens of millions of accounts and passwords in nicely structured XML that's perfect for automated attacks and frauds.

Yes, I use a password manager too, but an ancient one that has no Internet connection, no syncing, and no cloud storage.

The only "modern" password manager I've been able to find that works completely offline and is open source is KeePass -- so long as you don't install any of its plugins that open it up to Internet access.

What I do is use a password manager, but when it enters a password into an app or site, I type a few more characters after the end of it before logging in.

Kind of a secondary master password that's not stored anywhere except my memory and my safe.

Best of both worlds in my opinion.

This is awesome! (I think). I've never used a password manager, because I was afraid one breach there is worse than many breaches everywhere else. But, I am curious, if I use a complex formula in my mind to create passwords that are unique to every website I visit, and I store those in Chrome am I not safe? The only problem I see is that I do not update passwords regularly.

If that database in the browser ends up somewhere it should not, a curious attacker will have a nice list of examples to figure out the formula. I share your vulnerability and "password manager + brain-stored component" has been my unexecuted upgrade plan for many years.

That's really clever.

Well, I use pwgen and gpg ┐(´ー`)┌

A great thing about password managers is that you can change your passwords more often since you don't have to bother coming up with and remembering new passwords. It can even be somewhat automated with pass-rotate: https://github.com/ddevault/pass-rotate

I wrote a `pass` plugin [1] that works similarly to xkcdpass — but integrates it into a password manager. Makes usage far easier!

1: https://github.com/pinusc/pass-diceware

I use https://pwsafe.org/ (or a few other file-format compatible apps on different platforms) and keep my password file (still with its own passphrase) in a keybase ( https://keybase.io/ ) private filesystem. Keybase's filesystem does a dropbox-style thing to take care of sync, and pwsafe doesn't need to know anything about the internet.

Keepass is amazing. I use Keepass2Android to keep a local file in my cellphone, and occasionally back up the encrypted file to my Google Drive.

> a password manager that leaks out tens of millions of accounts and passwords

While I agree that this would be a security disaster, it's not a whole lot different than someone using the same credentials for all their accounts. Also, one of the great benefits of a password manager is that they remove a very high mental cost of passwords. Before I used a password manager, although I knew it was good practice to change passwords, I wasn't willing to invest that effort into it. The cost of good random passwords was too high. Today, if my password manager was hacked, it would suck going through all my accounts and changing all the passwords - it would take a lot of physical time, but there would be no long-term fallout and mental effort involved for me. I'm not attached to those passwords - I don't even know them.

Yeah IMO the only "good" passwords are those hard to remember even by yourself.

Personally most non-trivial passwords of mine were generated by 'pass'.

As someone who speaks 4 languages, my passwords are always a combination of words from different languages together. I am wary of trusting a software with my password generation.

I just keep the RandomKeyGen [0] site on the top of my bookmarks, and whenever I need to set a password for a newly spun up server, or SQL DBA admin password etc., I just pick a random one from there.

Advantage over a password manager? - sometimes I have to document what the password is in offline technical notes or a password vault for the customer, and doing it this way lets me kill two birds with one stone.

[0] - https://randomkeygen.com/

Mine is https://mostsecure.pw/ (please note this is a joke)

I'm amazed that this has been seen 0 times on HaveIBeenPwned[1]. It must be so secure that sites you use it on can't even be hacked.

[1] https://haveibeenpwned.com/Passwords

Better to use the `pwgen` command for that. There's no guarantee the passwords from that site are really random / not being stored.

True, but that site doesn't just give you one option, but dozens, from which I can randomly choose one. I normally change one or two characters from the ones listed anyhow, just in the unlikely event they are somehow using a fixed list which they are randomly choosing from.

I tend to use `gpw` because while it has less entropy per character I can easily memorize a much longer password if it's pronounceable.

My ~/bin/makepass file:

    #! /bin/bash
    # Base64-encode a stream of random bytes, wrap the output every N
    # characters (N = first argument, default 10) and keep only the first line.
    cat /dev/urandom | base64 --wrap "${1:-10}" | head -n 1

Defaults to 10 character passwords, but you can put bigger numbers as the first argument. I don't think the `base64` command is on the Mac, so probably won't work there.

How about:

    tr -dc '[:print:]' < /dev/urandom | head -c 20
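The two one-liners above differ in the alphabet they draw from, and that alone fixes the entropy per character: base64 has 64 symbols (exactly 6 bits per character, so the 10-character default is 60 bits), while `[:print:]` has 95 (about 6.57 bits, but it includes the space character, quotes and backslash, which trip up shells and some login forms). This is an added example, not code from the thread: the same urandom-backed generation written with Python's `secrets` module, with the per-alphabet arithmetic made explicit so you can size a password for a target strength, plus the equivalent arithmetic for word-based passphrases. The alphabets and the 7776-word list size used for the passphrase figure are constructed for the example.

```python
"""Added example (not from the thread): a /dev/urandom-backed password
generator with the entropy arithmetic behind the thread's one-liners."""
import math
import secrets
import string

# Symbol sets behind the one-liners above (constructed to match them).
ALPHABETS = {
    "base64": string.ascii_letters + string.digits + "+/",  # 64 symbols
    "print": "".join(chr(c) for c in range(0x20, 0x7F)),    # [:print:]: 95 symbols, includes space
    "alnum": string.ascii_letters + string.digits,          # 62 symbols
}


def bits_per_char(alphabet):
    """Entropy per character for a uniform choice from the alphabet."""
    return math.log2(len(alphabet))


def generate(length=20, alphabet=ALPHABETS["alnum"]):
    """Uniform, independent choice per position; that is what makes the
    entropy arithmetic valid. secrets.choice reads the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def length_for_bits(target_bits, alphabet):
    """Characters needed from this alphabet to reach target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def passphrase_bits(word_count, list_size):
    """Same arithmetic for diceware / xkcd-style passphrases: each word drawn
    uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        n = length_for_bits(128, alphabet)
        print(f"{name:7} {bits_per_char(alphabet):5.2f} bits/char, "
              f"{n} chars for 128 bits: {generate(n, alphabet)!r}")
    print(f"5 diceware words from a 7776-word list: "
          f"{passphrase_bits(5, 7776):.1f} bits")
```

The arithmetic only holds when every position is an independent uniform draw, which is true of base64 over raw random bytes (each 6-bit group maps one-to-one onto a symbol) and of `tr -dc` over urandom (rejected bytes are simply skipped). Any scheme that fixes structure, such as the pronounceable or hyphenated schemes discussed later in the thread, lowers the per-character figure and has to be sized by counting the scheme's choices instead.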

Is there a similar site that makes memorable but long passwords? (Basically I get entropy and can remember it if needed.) I use KeePassXC which doesn't have this.

Try https://www.rempe.us/diceware/

Disclaimer: I don't know much about this site and don't have any trust relationship with it. Have a read of the FAQ on the page and verify for yourself.

KeepassXC has an xkcd-style[0] generator where the password will just be e.g. "correct horse battery staple". I usually use these for mobile apps, although I don't try to actually remember them, so not sure how easy it is.

[0] https://xkcd.com/936/

I really enjoy using https://makemeapassword.ligos.net for xkcd-style passwords because the sentences you get are a lot easier to write as they sort of follow the natural syntax of English, yet are still completely nonsense. My single gripe with 1Password's generator is that it just picks words at random, losing the cadence and flow of language.

I've always used the "password assistant" built-in to macOS's keychain when I need to generate passwords.

Why do you say this is an advantage over a password manager? You can store notes along password entries.

Not as easy to hand over to the customer at the end of a project though. We either manually enter the passwords in a digital vault under their control, or hand over a printed paper dossier with the access codes in it for them to do what they wish with them.

Nice try, NSA

Speaking of good passwords, I wrote a passphrase generator once that I still use to this day. You can have a copy of it if you’d like. The README explains all there is to know about it but feel free to ask any questions anyone might have.


One of the password generation tools -- so long ago I forget which one, but probably 1Password -- generated a password for me, and I loved the scheme it used. I still use a variety of it but now I make them up myself. The rules:

1. Make up a short nonsense word (so it's pronounceable).

2. Pick 3 numbers.

3. Make up another short nonsense word.

4. Concat them with hyphens, capitalising the first letter.

So let's go with...

The benefits:

1. Heaps 'o entropy. Need more? Just make longer words.

2. Crucially: really easy to type on an iOS keyboard. You often start with caps on by default, and the dash-number-dash sequence in the middle only requires one use of the symbol shift key.

3. And, of course, fairly memorable.

I still use 1Password and the vast majority of my passwords are 16 characters of truly random nonsense, but for those times that you want a memorable password that you'll actually type quite a bit, this is gold.


And now I await the inevitable teardown of this method ... what did I miss? :-)

An attacker that knows your algorithm can restrict the search space to only sequences that follow the algorithm.

That's why when I describe my password generation scheme - which is kind of similar - I never pinpoint it. Oh, and I don't necessarily stick to it as long as the result is a good password ;-)

But yes, entropy is lost if you decide it has to be pronounceable. On the other hand, pronounceable is in the eye of the beholder and it allows me to memorize long sequences of nonsense (up to the point where it gets annoying to type for someone who consequently locks his computer every time).

For everyone who is just starting to think about this, here are some more tips:

- Do store passwords in a password manager! The only reason to memorize passwords is because you need the password for your password manager and your OS and certain other things available even if you aren't logged in to your password manager.

- Use real two factor auth whenever possible. Please be aware though that just adding "sms something" doesn't necessarily make things more secure. A common (AFAIK, and sadly) mistake seems to be to use SMS for both password reset and for the second factor. In this case whoever gets access to your phone for just a moment can reset your password and immediately get a "2-factor" login code as well. (Scare quotes because this isn't 2-factor since one only needs access to one thing, the phone, to get access in this case.)

- Some people will say that using SMS at all is hopeless, but from what I can see it can still make sense in a number of cases: not everyone has targeted attacks from three letter agencies (domestic or foreign) as part of their threat model. More people have - or should have - a point about losing access to login information as part of their threat model, I guess.

Diceware is a good method using actual dice.

In Taiwan, sometimes we "encode" a message by pretending to type bopomofo https://en.wikipedia.org/wiki/Bopomofo while the input method is English, just like here: "My password" => "我的密碼" => "ji32k71u4a83"

I can imagine the cold sweat of reading this title when that is actually your password

I'm curious to know if this is right. If you use the zhuyin keyboard method, wouldn't you just remember your password in Taiwanese, and not even recognise the version in Roman characters?

Am I the only person that thinks it’s weird that we encourage using unique passwords everywhere, but the second piece of information needed to login (username, email etc) we tend to keep the same for everything?

I posted a Show HN last night for a side project I’ve built that can solve the email part of this: https://news.ycombinator.com/item?id=19296936

I did a cheap version of this where I didn't have to build anything but I could test out the concept because I thought it would be awesome and I thought I wanted it.

Long story short, it became problematic pretty quickly and I ditched it. You need to also be able to reply as that email address too, etc. It's been done a bunch of times, I understand.

For my custom domain I set up a catch-all so *@sharparam.com gets routed to my main address. If I end up needing to reply from such an address I set up a proper alias for it (currently I use GSuite to manage it).

Another alternative if you don’t have your own domain is to put a plus in the email address. The mail server will ignore anything after that plus, eg johnsmith+facebooklogin@gmail.com will have all email sent to johnsmith@gmail.com, but it will preserve the To header in the email.

This is useful for detecting the origin of spam; however, it's trivial for a spammer or hacker to work around (just strip the plus and anything after it before sending).
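The same stripping, seen from the service side, is how a site can tell that several sign-ups with plus-tagged addresses reach one mailbox. This is an added example, not code from the thread: it canonicalises addresses by lower-casing, dropping a "+tag" where the provider is known to honour it, and removing dots where the provider ignores them (Gmail does both), then groups sign-ups by the resulting mailbox. The set of providers is an assumption kept deliberately small, and the sample addresses are constructed.

```python
"""Added example (not from the thread): group sign-up addresses by the
mailbox that actually receives them."""
from collections import defaultdict

# Providers assumed to implement "+tag" sub-addressing. For any other domain
# the local part is opaque to outsiders (only the receiving host defines its
# meaning), so a catch-all domain like the one described above cannot be
# canonicalised from the outside at all.
PLUS_TAGGED = {"gmail.com", "googlemail.com"}

# Providers known to ignore dots in the local part (assumed list).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical(address):
    """Return the mailbox an address delivers to, as far as is knowable."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    if domain in PLUS_TAGGED:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def duplicate_signups(addresses):
    """Map each canonical mailbox to the sign-up addresses that reach it,
    keeping only mailboxes that were registered more than once."""
    groups = defaultdict(list)
    for address in addresses:
        groups[canonical(address)].append(address)
    return {mailbox: addrs for mailbox, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    # Constructed sign-up list.
    signups = [
        "john.smith@gmail.com",
        "JohnSmith+facebooklogin@gmail.com",
        "john.smith+news@example.org",
        "alice@example.org",
    ]
    for mailbox, addrs in duplicate_signups(signups).items():
        print(mailbox, "<-", addrs)
```

Leaving unknown domains untouched is a deliberate choice: stripping "+tag" everywhere would merge mailboxes that are genuinely distinct on hosts that do not implement sub-addressing, and the preserved To header is exactly what lets the recipient see which sign-up leaked the address, as noted above.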

> It's been done a bunch of times, I understand.

Got any links to these services?

And, sadly, the more users use it the more chance that the big players start to ban such addresses.

It actually happened with the anti-spam services I've used, twice.

Some sites are throwaway (example: they force a sign-up). Don't assume all weak passwords used are not conscious decisions. Entropy is too precious to give up to throwaway sites of uncertain backend security.

What do you mean by giving up entropy? Password reuse? You can use a password manager to generate a secure pass for every site; there's no excuse for weak passwords.

Here's a few I made with `pwgen`, get it while it's hot:


I'd like to try out #3. "zah" has a nice ring to it. Do you guys mind not using it?

It's yours :)

The word "password" suffices for a lot of those.

You can find lots of examples of throwaway passwords with associated accounts (and submit your own) at bugmenot.com
