57 votes

Why 'ji32k7au4a83' is a remarkably common password

11 comments

  1. Guyon

    Related HN Discussion

    The discussion surrounding why fckgwrhqq2 is such a popular password is about as good as the story behind ji32k7au4a83.

    21 votes
  2. [7]
    Comment deleted by author
    1. [6]
      teaearlgraycold
      (edited)

      I do something like:

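      # Syllable breaks are marked with "-" so the sentence can be split without a syllable library
      sentence = "A full com-mit-ment is what Im thin-king of"

      password = ""

      for word in sentence.split():
          syllables = word.split("-")

          # The first syllable of each word contributes a lower-case letter
          password += syllables[0][0].lower()

          # Every later syllable of the word contributes an upper-case letter
          for syllable in syllables[1:]:
              password += syllable[0].upper()

      password  # "afcMMiwitKo"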
      

      But also replacing syllables like "one" and "for" with 1 or 4.

      8 votes
      1. [3]
        Emerald_Knight

        Interesting code. My understanding is that you use the first letter of every syllable in your sentence, where the first letter of the first syllable in a word is always lower case and the first letter of every syllable thereafter in that word is uppercase. Is that an accurate assessment?

        In any case, it's certainly an interesting password generation scheme. If you use a sentence that isn't common, particularly one that only holds significance to you, and ensure that there are enough syllables to produce a password of sufficient length, it should be about as good as a passphrase. If you pepper the sentence or interleave two sentences together, then even a common sentence shouldn't be problematic.

        Great way to generate a sufficiently secure master password for a password manager as long as you keep the complexity high enough. Even barring that, you should be using 2FA for a password manager, anyway, so even a slight modification to your existing code snippet to include numbers and other special characters would probably be more than enough for the vast majority of users :)

        5 votes
        1. [2]
          teaearlgraycold

          I'm 2FA on everything that supports it. I use andOTP on my phone which supports encrypted backups that I store online.

          2 votes
          1. Emerald_Knight

            Sounds like this is plenty for you, then. Great idea all around :)

            1 vote
      2. [2]
        Archimedes

        If you can remember a whole sentence, then just use that. It will be stronger than the shortened version.

        Obligatory XKCD:
        https://xkcd.com/936/

        4 votes
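An added example, not part of any comment in this thread: it measures how much the syllable-initial scheme shrinks the space of candidates compared with the sentences it is derived from, which is the point made in the comment above. Assumptions: syllable breaks are pre-marked with "-", `VOCAB` is a constructed word list, and the names `abbreviate` and `compare` are hypothetical.

```python
import itertools
import math

# Constructed sample vocabulary; "-" marks syllable breaks (assumption: the
# scheme's syllable splitter is replaced by pre-marked input).
VOCAB = ["full", "from", "find", "what", "when", "with",
         "fa-ther", "for-tune", "com-mit-ment", "thin-king", "tal-king", "of"]


def abbreviate(words):
    """First letter of every syllable: lower-case for the first syllable of a
    word, upper-case for each later syllable of that word."""
    out = []
    for word in words:
        first, *rest = word.split("-")
        out.append(first[0].lower())
        out.extend(s[0].upper() for s in rest)
    return "".join(out)


def compare(vocab, n_words):
    """Enumerate every n-word sentence over vocab and count the distinct
    abbreviations they collapse to.

    Returns (sentences, abbreviations, bits_sentence, bits_abbreviation),
    where the bit figures are log2 of the candidate counts, i.e. an upper
    bound on what someone who knows the scheme and word list must search."""
    sentences = 0
    seen = set()
    for combo in itertools.product(vocab, repeat=n_words):
        sentences += 1
        seen.add(abbreviate(combo))
    return sentences, len(seen), math.log2(sentences), math.log2(len(seen))


if __name__ == "__main__":
    print(abbreviate("A full com-mit-ment is what Im thin-king of".split()))
    s, a, bs, ba = compare(VOCAB, 3)
    print(f"{s} sentences ({bs:.2f} bits) -> {a} abbreviations ({ba:.2f} bits)")
```

Because the abbreviation is a deterministic function of the sentence, words that share syllable initials ("full", "from", "find") become indistinguishable, so the shortened form can never offer more candidates than the sentence itself.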
        1. teaearlgraycold

          Sometimes I do that too. Some of these passwords get entered many times throughout each day and benefit from brevity.

          3 votes
  3. [4]
    balooga

    I love the discussion of personal password generation policies, and I've certainly used my share of arcane-but-memorable-to-me gibberish over the years. But the fact of the matter is, it's time to move on. This is 2019. Everyone should be using secure password managers and high-entropy, machine-generated random passwords that are unique for every site now. It's not hard, it's not expensive, and I really can't think of any good reasons not to.

    10 votes
    1. [3]
      Wes

      Though memory techniques are still useful for your master password.

      6 votes
      1. aphoenix

        That's the crux of it. At some level, somewhere, you have to remember a password. If your LastPass password is "mypassword" then all your passwords are "mypassword", so the side discussion of making memorable passwords is still an important one.

        1 vote
      2. Maven

        I use a chunk of computer code for my master password. Impossible to forget, checks all the boxes (caps, special chars, etc) and it's 27 characters long so good luck brute forcing it.