from the deep-seated-insecurities-and-paranoia dept.
Why 'ji32k7au4a83' Is a Remarkably Common Password
For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like "ji32k7au4a83" to be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up far more often than one would expect.
This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.
Have I Been Pwned is an aggregator started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that lets you check whether your password has appeared in any data breach known to the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches.
Several of Ou's followers quickly figured out the solution to his riddle. The password comes from the Zhuyin Fuhao system for transliterating Mandarin: typed on a Zhuyin keyboard layout, the keystrokes "ji32k7au4a83" spell out the Mandarin for "my password," which is why such a seemingly random string shows up so often in a breach repository.
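The keyboard mapping behind the riddle, as an added example that is not from the article or from Ou's thread: it walks a key sequence through the standard (Dachen) Zhuyin keyboard layout, which is an assumption about the layout the affected users typed on, and flags strings that decode into well-formed syllables, the kind of check a password-strength filter could add so that "looks random" is not mistaken for "is random."

```python
# Standard (Dachen) Zhuyin keyboard layout: key -> Bopomofo symbol.
# Assumption: this is the layout the users typed on (constructed example).
ZHUYIN_KEYS = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ",
    "-": "ㄦ",
}
# Tone keys end a syllable; the first tone is entered with the space bar.
TONE_KEYS = {"6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙", " ": ""}
BOPOMOFO = set(ZHUYIN_KEYS.values())


def decode_zhuyin(keys):
    """Turn a typed key sequence into a list of Zhuyin syllables.

    Returns None if a key is not on the layout or a tone key has no syllable.
    """
    syllables, current = [], ""
    for ch in keys.lower():
        if ch in TONE_KEYS:
            if not current:          # tone with nothing before it
                return None
            syllables.append(current + TONE_KEYS[ch])
            current = ""
        elif ch in ZHUYIN_KEYS:
            current += ZHUYIN_KEYS[ch]
        else:
            return None
    if current:                      # trailing syllable typed without a tone key
        syllables.append(current)
    return syllables


def looks_like_zhuyin(password):
    """Rough heuristic: every syllable has 1-3 Bopomofo symbols and at least
    one explicit tone key was typed. Flags layout-transliterated passwords."""
    syls = decode_zhuyin(password)
    if not syls or not any(k in password for k in "3467"):
        return False
    return all(1 <= sum(c in BOPOMOFO for c in s) <= 3 for s in syls)
```

For "ji32k7au4a83" the decoder yields ㄨㄛˇ ㄉㄜ˙ ㄇㄧˋ ㄇㄚˇ (wǒ de mì mǎ, "my password"), while a string like "Patriots69Lover" decodes but fails the syllable-length check.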
(Score: 0) by Anonymous Coward on Wednesday March 06, @02:08AM
The most secure password is the one that can never be stolen.
(Score: 2) by Mykl on Wednesday March 06, @02:10AM
Oblig XKCD: https://xkcd.com/936/ [xkcd.com]
(Score: 0) by Anonymous Coward on Wednesday March 06, @02:25AM (1 child)
Unreadable password doesn't necessarily mean it's secure.
Most hacking attempts aren't done by some dude typing around and hoping it works; there are tools that either go by dictionary or the long way by brute forcing.
The only way you want to secure a box would be (mix-match):
- Not connected to network
- Remove remote login
- Login via key
- Use uncommon username (also just remove remote login for root, really)
- Limit attempts with fail2ban
So even if someone tries a bruteforce/dictionary attack, you can guesstimate the amount of time needed to find a password when limiting attempts.
A 50+ years timeframe until broken should be reasonable IMO.
(Score: 2) by Arik on Wednesday March 06, @02:39AM
Many of the current attacks are correlating the password from a similar username at a different domain. One of the many whose password databases have been exfiltrated over the past decade or two. People that are still using the same password they set up 20 years ago for their yahoo account for everything get pwned pretty brutally.
There's also, I believe, a new form of brute force - where the prior database is mined for common password elements without regard to username. So all the common strings that many people independently thought were clever get pushed to the top of the list.
"The *other* sort of Marxist."