57 votes

Why 'ji32k7au4a83' Is a Remarkably Common Password

12 comments

  1. Guyon Link
    Related HN Discussion

    The discussion surrounding why fckgwrhqq2 is such a popular password is about as good as the story behind ji32k7au4a83.

    21 votes
  2. [7]
    MrGrey Link
    Many years ago in the dark ages of IT, I knew an admin who was a bit of a control freak. He set up all the passwords for almost any shared system and they were always what seemed to be 'strong' passwords that were difficult for anyone to remember. He would write them down on paper most of the time and hand them out, but would routinely be able to reproduce them. He only required you to tell him when it was created without needing a reference of any kind. Making a long story somewhat less long, he had a very unique keyboard (not qwerty/dvorak/or any other system that I was never able to identify) attached to his personal admin terminal. From that he used a handful of specific patterns on the keyboard, shifting the pattern relative to the date he set the password.

    16 votes
    1. [6]
      teaearlgraycold (edited) Link Parent
      I do something like:

      sentence = "A full commitment is what Im thinking of"
      
      password = ""
      
      for word in sentence.words():
          syllables = word.syllables()
      
          password += syllables[0][0].toLower()
      
          for syllable in syllables[1:]:
              password += syllable[0].toUpper()
      
      password  # "afcMMiwitKo"
      

      But also replacing syllables like "one" and "for" with 1 or 4.

      8 votes
      1. [3]
        Emerald_Knight Link Parent
        Interesting code. My understanding is that you use the first letter of every syllable in your sentence, where the first letter of the first syllable in a word is always lower case and the first letter of every syllable thereafter in that word is uppercase. Is that an accurate assessment?

        In any case, it's certainly an interesting password generation scheme. If you use a sentence that isn't common, particularly one that only holds significance to you, and ensure that there are enough syllables to produce a password of sufficient length, it should be about as good as a passphrase. If you pepper the sentence or interleave two sentences together, then even a common sentence shouldn't be problematic.

        Great way to generate a sufficiently secure master password for a password manager as long as you keep the complexity high enough. Even barring that, you should be using 2FA for a password manager, anyway, so even a slight modification to your existing code snippet to include numbers and other special characters would probably be more than enough for the vast majority of users :)

        5 votes
        1. [2]
          teaearlgraycold Link Parent
          I'm 2FA on everything that supports it. I use andOTP on my phone which supports encrypted backups that I store online.

          2 votes
          1. Emerald_Knight Link Parent
            Sounds like this is plenty for you, then. Great idea all around :)

            1 vote
      2. [2]
        Archimedes Link Parent
        If you can remember a whole sentence, then just use that. It will be stronger than the shortened version.

        Obligatory XKCD:
        https://xkcd.com/936/

        4 votes
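An added example, not code from the thread: a runnable Python version of the syllable-initial scheme teaearlgraycold sketches above, used to show the point Archimedes makes. The abbreviation is a many-to-one function of the sentence, so against a guesser who knows the scheme the short form cannot be harder to guess than the sentence it came from. The hyphen syllable markers, the function names and the second sample sentence are assumptions constructed for illustration.

```python
from collections import defaultdict

# Whole-syllable substitutions mentioned in the thread ("one" -> 1, "for" -> 4).
SUBSTITUTIONS = {"one": "1", "for": "4"}


def derive(sentence: str) -> str:
    """Apply the syllable-initial scheme to one sentence.

    Assumption: the caller marks syllable breaks with '-' ("thin-king"),
    because automatic English syllabification is ambiguous.
    """
    out = []
    for word in sentence.split():
        # Drop empty pieces so stray hyphens ("--", "-a") cannot raise.
        syllables = [s for s in word.split("-") if s]
        for i, syllable in enumerate(syllables):
            token = SUBSTITUTIONS.get(syllable.lower())
            if token is None:
                # First syllable of a word is lower case, later ones upper.
                token = syllable[0].lower() if i == 0 else syllable[0].upper()
            out.append(token)
    return "".join(out)


def group_by_password(sentences):
    """Map each derived password to every sentence that produces it."""
    groups = defaultdict(list)
    for sentence in sentences:
        groups[derive(sentence)].append(sentence)
    return dict(groups)


# Constructed sample input: the thread's sentence plus an unrelated one
# that has the same syllable initials.
SAMPLES = [
    "A full com-mit-ment is what Im thin-king of",
    "A fine com-mence-ment is where its ta-ken on",
    "one for all",
]

if __name__ == "__main__":
    for password, sources in group_by_password(SAMPLES).items():
        print(f"{password!r} <- {len(sources)} sentence(s)")
```

Two unrelated sentences collapsing to one output is the information loss: every distinct sentence is a distinct passphrase, but many sentences share each abbreviation.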
        1. teaearlgraycold Link Parent
          Sometimes I do that too. Some of these passwords get entered many times throughout each day and benefit from brevity.

          3 votes
  3. [4]
    balooga Link
    I love the discussion of personal password generation policies, and I've certainly used my share of arcane-but-memorable-to-me gibberish over the years. But the fact of the matter is, it's time to move on. This is 2019. Everyone should be using secure password managers and high-entropy, machine-generated random passwords that are unique for every site now. It's not hard, it's not expensive, and I really can't think of any good reasons not to.

    10 votes
    1. [3]
      Wes Link Parent
      Though memory techniques are still useful for your master password.

      6 votes
      1. aphoenix Link Parent
        That's the crux of it. At some level, somewhere, you have to remember a password. If your LastPass password is "mypassword" then all your passwords are "mypassword", so the side discussion of making memorable passwords is still an important one.

        2 votes
      2. Maven Link Parent
        I use a chunk of computer code for my master password. Impossible to forget, checks all the boxes (caps, special chars, etc) and it's 27 characters long so good luck brute forcing it.