
posted by martyb on Wednesday March 06 2019, @02:02AM
from the deep-seated-insecurities-and-paranoia dept.

Why 'ji32k7au4a83' Is a Remarkably Common Password

For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like "ji32k7au4a83" to be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up far more often than one would expect.

This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.

Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that lets you check whether your password has appeared in any data breach known to the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches.

Several of Ou's followers quickly figured out the solution to his riddle. The password comes from the Zhuyin Fuhao system for transliterating Mandarin. It shows up so often in a data breach repository because "ji32k7au4a83" translates to English as "my password."

Related: The password “ji32k7au4a83” has been seen over a hundred times, and the password "ji32k7au4a83" looks like it'd be decently secure, right?

Now if only there were one super secure password everyone could use so we would all be safe.

[There is! But it would require over 55 hours (at 5 characters per second) to type it in. --Ed.]

  • (Score: 0) by Anonymous Coward on Wednesday March 06 2019, @03:40PM (#810731)

    I'm going anon to take the 5th and protect myself from self-stupidity-incrimination.

    I need to figure out this whole "bits of entropy" thing. To my mind the Tr0ub4dor&3 password is 11 characters and I have to try all 11 characters in random combinations to eventually stumble on it. (If I know the target system requires a special character and a caps and a number then I know that all attempts must have at least one of each, reducing the total load I must try... I think I get that. Yet there's nothing saying that I can't have two of those characters be special characters - I'm not limited to just one character as whatever. My load is less than all characters.) But if I know the target system has no requirements, why would I not assume that all passwords would be common words first? (Or just a date?) Because it is human nature to not add in unnecessary complications. In which case running a simple combinative dictionary attack will result in success after I reach a level of using 4 common words and it comes upon that permutation. (In fact I'd start instead with names, looking for the person whose password is FIRSTKIDSECONDKID.) So is 4 random words in a dictionary of say 100,000 words actually fewer combinations than 11 random characters? Or is it that for the first example I'm assuming it is one word with leetspeak variation, one number, and one special character that brings it lower than four random dictionary words?

    As I said, I need to study this more and know that. I'm sure the facts are correct, just don't have a solid enough grasp on them yet.
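The arithmetic behind the "bits of entropy" question in the comment above, worked through in code, together with the k-anonymity range lookup that HIBP's Pwned Passwords search uses (an added example, not code from the article, the commenter or HIBP; the Tr0ub4dor&3 structure model, its parameters and the sample API reply are assumptions constructed here):

```python
import hashlib
import math

# Part 1: entropy. Uniform random choice of `length` symbols from a pool of
# `pool_size` gives length * log2(pool_size) bits. This is what makes four
# truly random words (pool 100,000) and eleven random printable characters
# (pool 95) comparable, and a human-chosen pattern much weaker than either.

def entropy_bits(pool_size: int, length: int) -> float:
    return length * math.log2(pool_size)

def troubadour_model_bits(dictionary=100_000, leet_slots=3, digits=10, symbols=32) -> float:
    """Assumed model of a 'Tr0ub4dor&3'-style password: one dictionary word,
    each of `leet_slots` letters optionally leet-swapped, plus one digit and one
    symbol appended in either order. The model is an assumption, not a measurement."""
    return (math.log2(dictionary) + leet_slots          # word + on/off per swappable letter
            + math.log2(digits) + math.log2(symbols)    # one digit, one symbol
            + 1)                                        # which of the two comes last

# Part 2: HIBP's Pwned Passwords lookup. Only the first five hex characters of
# the password's SHA-1 are sent to /range/{prefix}; the reply lists every
# suffix in that bucket as "SUFFIX:COUNT", and the match is made locally.

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password: str, range_response: str) -> int:
    """Breach count for `password` given the text body of a /range/ reply (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        found, count = line.strip().split(":", 1)
        if found == suffix:
            return int(count)
    return 0

# Constructed sample reply: two filler suffixes around the real suffix of the
# article's password, with the article's count of 141.
_PREFIX, _SUFFIX = sha1_prefix_suffix("ji32k7au4a83")
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_SUFFIX}:141",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

if __name__ == "__main__":
    print(f"11 random printable ASCII chars: {entropy_bits(95, 11):.1f} bits")
    print(f"4 random words from 100,000:     {entropy_bits(100_000, 4):.1f} bits")
    print(f"Tr0ub4dor&3 pattern (model):     {troubadour_model_bits():.1f} bits")
    print("ji32k7au4a83 seen", pwned_count("ji32k7au4a83", SAMPLE_RANGE_RESPONSE), "times")
```

The comparison only holds when the words are picked at random; four words a person chose by hand are a pattern, not a draw from the dictionary, and fall toward the model figure rather than the 66-bit one.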