Slashdot Mirror


Why 'ji32k7au4a83' is a Remarkably Common Password (gizmodo.com)

A seemingly complex set of characters like "ji32k7au4a83" is a very common password among users, it turns out. From a report: This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by Have I Been Pwned (HIBP) over a hundred times.

Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches. Several of Ou's followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."

101 comments

  1. Damn! by Patent+Lover · · Score: 4, Funny

    I have the same combination on my luggage!

  2. More evidence... by Anonymous Coward · · Score: 0

    because "ji32k7au4a83" translates to English as "my password."

    There are no rules in China.

  3. How do you say hunter2 in Mandarin? by Anonymous Coward · · Score: 0

    ******

    (I wish /. would allow me to show unicode, but all it does is show stars)

    1. Re:How do you say hunter2 in Mandarin? by Anonymous Coward · · Score: 0

      I figured somebody would give that gag a bash

    2. Re: How do you say hunter2 in Mandarin? by Anonymous Coward · · Score: 0

      Display the unicode in hex, and we'll decode it.

  4. Translates to english? by DontBeAMoran · · Score: 0

    The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."

    How exactly does "ji32k7au4a83" translate to English? Is it base64-encoded or something?

    --
    #DeleteFacebook
    1. Re:Translates to english? by RickyShade · · Score: 4, Funny

      The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."

      How exactly does "ji32k7au4a83" translate to English? Is it base64-encoded or something?

      Try reading an article for once in your life you miserable piece of shit.

    2. Re:Translates to english? by DontBeAMoran · · Score: 0

      Answer: the Gizmodo article explains it.
      TL;DR: it's caused by a keyboard layout.

      --
      #DeleteFacebook
    3. Re:Translates to english? by Anonymous Coward · · Score: 0

      It explains in the article, it's based on the way Chinese characters get stored

    4. Re:Translates to english? by DontBeAMoran · · Score: 4, Funny

      I may be a piece of shit, but I never watched Les misérables, you insensitive clod.

      --
      #DeleteFacebook
    5. Re:Translates to english? by angel'o'sphere · · Score: 5, Informative

      The original Mandarin translates to English as "my password".
      The original Mandarin character sequence is coded in the database as "ji32k7au4a83", it is a pidgin transcoding schema. It is related to https://en.wikipedia.org/wiki/... but I forgot the name of that transliteration above.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    6. Re:Translates to english? by Anonymous Coward · · Score: 0

      It would've been a VERY easy summary addition. "Meiguoren" - Mei = character input jl32. And so on.

      (My example is wrong in its details - like most here, if I've even skimmed the summary we're having a good day)

    7. Re:Translates to english? by Anonymous Coward · · Score: 0

      Well, it doesn't really explain it. The password as we see it is the keys you would press to enter the Mandarin characters which translate to "my password" using the Zhuyin Fuhao typing system. What isn't explained is why the keystrokes show up as the password, not the Unicode characters which result from those keystrokes. It's a bit like finding keyboard scancodes instead of ASCII characters. How does the system fail to convert the input into the actual characters?

    8. Re:Translates to english? by _merlin · · Score: 5, Informative

      Because people usually turn off IME edit for password fields. For one thing, a lot of systems reject exotic characters in passwords. Also, if you need to log in from a system that doesn't have a suitable Chinese IME you're screwed if you need Chinese characters. So they turn off IME edit, select US ANSI keyboard layout, and type the keys they would for an easy-to-remember Chinese phrase. It ends up looking like random letters/numbers in English.

    9. Re: Translates to english? by Anonymous Coward · · Score: 0

      The data store or webpage likely doesn't handle unicode for passwords. Just a-z0-9 and a few special characters.

    10. Re:Translates to english? by Anonymous Coward · · Score: 0

      Thank you. THAT explains it.

    11. Re:Translates to english? by Anonymous Coward · · Score: 0

      If you didn't get it yet it's four Chinese characters joined up in a word or phrase.
      I assume this is "Chinese character ji32, Chinese character k7, Chinese character au4, Chinese character a83"

      If you can draw these characters, read them and make goddamn sense of them then you can figure out how it translates in English. There's no English or even roman letters in there.
      Possibly the characters make sense in more languages than just Mandarin.

    12. Re:Translates to english? by Kippesoep · · Score: 1

      This transliteration scheme is called "bopomofo" after the first 4 sounds (b, p, m and f)

    13. Re:Translates to english? by george14215 · · Score: 1

      Pure gold!

    14. Re: Translates to english? by Anonymous Coward · · Score: 4, Informative

      Zhu yin fu hao is the Chinese keyboard super-imposed on the ASCII keyboard.

      Ji3 is u o = wo3
      2k7 is de e = de
      Au4 is mo yi 4 = mi4
      A83 is mo a 3 = ma3

      Wo3 U+6211 is the first person pronoun
      De U+7684 is the possessive
      Mi4 U+5BC6 means secret
      Ma3 U+78BC means number or code

      Taken together, "wo de mima" translates to "my password".

      The number 3 after a Mandarin word stands for the third tone. The number 4 stands for the fourth tone. The particle de is unstressed. There is no tone on an unstressed word
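
The keystroke mapping laid out in the comment above, as an added example that is not part of the original thread: it decodes keys typed on the standard Zhuyin keyboard layout with the IME off, and uses the reverse mapping to put the keystroke form of a known phrase on a password blocklist. The function names, the one-entry blocklist and the three-syllable threshold are assumptions of this example.

```python
"""Added example: Zhuyin (bopomofo) keystrokes as typed with the IME switched off."""

# Standard Zhuyin keyboard layout: Latin key -> bopomofo symbol.
INITIALS = dict(zip("1qaz2wsxedcrfv5tgbyhn", "ㄅㄆㄇㄈㄉㄊㄋㄌㄍㄎㄏㄐㄑㄒㄓㄔㄕㄖㄗㄘㄙ"))
MEDIALS = dict(zip("ujm", "ㄧㄨㄩ"))
FINALS = dict(zip("8ik,9ol.0p;/-", "ㄚㄛㄜㄝㄞㄟㄠㄡㄢㄣㄤㄥㄦ"))
TONES = {" ": "", "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙"}  # space = first tone

SYMBOL_TO_KEY = {sym: key
                 for table in (INITIALS, MEDIALS, FINALS, TONES)
                 for key, sym in table.items() if sym}

# "wo3 de mi4 ma3" from the comment above, written in bopomofo (tone mark last,
# in the order the keys are pressed).
MY_PASSWORD = ["ㄨㄛˇ", "ㄉㄜ˙", "ㄇㄧˋ", "ㄇㄚˇ"]


def decode_zhuyin_keys(keys):
    """Return the syllables typed by `keys`, or None if they are not well formed.

    A syllable is [initial][medial][final] followed by one tone key.
    """
    syllables, i = [], 0
    while i < len(keys):
        body = ""
        for table in (INITIALS, MEDIALS, FINALS):
            if i < len(keys) and keys[i] in table:
                body += table[keys[i]]
                i += 1
        # Needs at least one sound and must be closed by a tone key.
        if not body or i >= len(keys) or keys[i] not in TONES:
            return None
        syllables.append(body + TONES[keys[i]])
        i += 1
    return syllables


def encode_zhuyin(syllables):
    """Return the Latin keys a user presses to type the given syllables."""
    keys = ""
    for syl in syllables:
        keys += "".join(SYMBOL_TO_KEY[ch] for ch in syl)
        if syl[-1] not in TONES.values():
            keys += " "  # first tone carries no mark and is typed with space
    return keys


# Constructed one-entry blocklist: keystroke forms of phrases to refuse.
BLOCKLIST = {encode_zhuyin(MY_PASSWORD)}


def audit_password(password, blocklist, min_syllables=3):
    """Return a reason to reject `password`, or None if this check passes."""
    if password in blocklist:
        return "blocklisted phrase typed through the Zhuyin layout"
    syllables = decode_zhuyin_keys(password)
    if syllables and len(syllables) >= min_syllables:
        return "well-formed Zhuyin keystrokes: " + " ".join(syllables)
    return None


if __name__ == "__main__":
    # The three strings compared later in the thread, plus a numeric classic.
    for candidate in ("k92jf8j2ih22", "f8y23jk29ugwe", "ji32k7au4a83", "123456"):
        print(candidate, "->", audit_password(candidate, BLOCKLIST))
```

Only the third candidate parses as a sequence of complete syllables; the key-mashed strings fail at the first syllable because no tone key closes it.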

    15. Re:Translates to english? by Aighearach · · Score: 2

      Never read the story, that is the same as renting out your brain to whoever pays for the slavertisements.

    16. Re:Translates to english? by Anonymous Coward · · Score: 0

      The original Mandarin translates to English as "my password".
      The original Mandarin character sequence is coded in the database as "ji32k7au4a83", it is a pidgin transcoding schema. It is related to https://en.wikipedia.org/wiki/... but I forgot the name of that transliteration above.

      That's wrong....
      This password is Zhuyin not PinYin
      The correct link should be https://en.wikipedia.org/wiki/Bopomofo

    17. Re:Translates to english? by Anonymous Coward · · Score: 0

      Yet I just found out you can literally name a Windows computer a shit emoji and join it into an Active Directory domain and it will work just fine.

    18. Re:Translates to english? by _merlin · · Score: 1

      Yeah, but it's a dumb thing to do because it won't display properly in a terminal and you'll have to rely on the punycoded form to deal with it.

  5. They should have used by mandark1967 · · Score: 4, Funny

    "your password" instead of "my password". GENIUS!

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    1. Re:They should have used by mandark1967 · · Score: 1

      Shit! Now I gotta change my password!

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    2. Re:They should have used by DontBeAMoran · · Score: 3, Funny

      Exactly. You need to change your password.

      --
      #DeleteFacebook
    3. Re:They should have used by Anonymous Coward · · Score: 1

      The cool thing is that Slashdot auto-masks passwords in comments, replacing them with asterisks... here's my password, but I bet you'll only see the masked version:

      **********

      See? Try it for yourself!

      (...with apologies to Bash.org/?244321)

    4. Re:They should have used by dumuzi · · Score: 1

      ...but if I change my password to your password then you will be able to get into my accounts and they will be your accounts....I think you're trying to trick me....I will keep my password as my password and foil your dastardly plans. Mwuahahahaha....

    5. Re:They should have used by dumuzi · · Score: 1

      my password

    6. Re:They should have used by dumuzi · · Score: 2

      shit, that didn't work. hey I think you lied... damn AC

  6. Re: MAGA by Anonymous Coward · · Score: 1

    Is it not great at the moment?

    That slogan is so funny, as outside of the USA, great is also commonly used to mean 'annoy' and 'loud noise' and 'rub in damaging way'.... Every time the MAGA slogan is used the whole world laughs and I don't think they know..

  7. Fun "fact" by DontBeAMoran · · Score: 5, Interesting

    https://haveibeenpwned.com/Pas...
    12345: This password has been seen 2333232 times before.
    123456: This password has been seen 23174662 times before.

    That's right: there's nearly ten times as many people using 123456 as 12345, so the password used in Spaceballs is actually the more secure one of the two!

    --
    #DeleteFacebook
    1. Re:Fun "fact" by Oswald+McWeany · · Score: 1

      https://haveibeenpwned.com/Pas...
      12345: This password has been seen 2333232 times before.
      123456: This password has been seen 23174662 times before.

      That's right: there's nearly ten times as many people using 123456 as 12345, so the password used in Spaceballs is actually the more secure one of the two!

      I wonder if that's because a lot of websites require at least 6 characters.

      A lot now require 8 so 12345678 is probably pretty common too.

      --
      "That's the way to do it" - Punch
    2. Re:Fun "fact" by Anonymous Coward · · Score: 0

      Actually... +6 is logarithmically slower to get to, so even if using a dictionary attack (since they're both 1-5 and 1-6 in that) the 1-5 would come first in most every iteration. So no, 1-6 is very slightly more secure.

      Probably on the order of 1-2 seconds additional cracking time, assuming desktop resources.

    3. Re: Fun "fact" by Anonymous Coward · · Score: 3, Funny

      Holy shit, how autistic are you, on a scale of 1 to 123456?

    4. Re: Fun "fact" by Anonymous Coward · · Score: 0

      If basic logic makes you go full autist, maybe you shouldn't be involved in coding.

    5. Re: Fun "fact" by Anonymous Coward · · Score: 0

      You got lucky by calling it "basic logic", since your dipshit assumption is reasonable if you're a child that's only capable of basic logic.

      But maybe you're right, maybe the sc3n3 has people equally stupid, employing their tools in the simplest, most linear, sequential, brute force manner possible.

      Real tools reference hotlists. More obscurity is "more secure". People might followup with dumber (see "manner" above) vectors, but their favored, modular, adaptable rainbow tables are tuned to known "habits" (ie common behaviors incl "top100" passwords, etc) natively and further tuned that way by their own hand. If the tables aren't tuned to a ! at the end or a cap up front (they already should be) they can adjust it. All this besides which, everything is probably precluded by spending a millisecond or two checking various top100s, not as a tool-tuner but just blind string matching.

      Different AC

    6. Re:Fun "fact" by Anonymous Coward · · Score: 0

      I'm using 1234, way safer. But I'm considering switching to simply 1, who would think of that?!!!

    7. Re: Fun "fact" by Anonymous Coward · · Score: 0

      Good luck with the autism I guess. But FYI, both 1-5 and 1-6 would be in the list. 1-5 is obviously not going to be "more secure" in any real way, that's retarded. Since you're stuck on that, you're retarded.

      So good luck with the autism AND being retarded, I guess. You're certainly not a cracker of any distinctive repute lol. Crying doesn't beat a stronger password, good luck in life though. :)

    8. Re:Fun "fact" by thegarbz · · Score: 1

      so the password used in Spaceballs is actually the more secure one of the two!

      Only when presented with a dictionary attack, and only if that dictionary doesn't work alphabetically

    9. Re: Fun "fact" by Anonymous Coward · · Score: 0

      Lighten Up, Francis

    10. Re:Fun "fact" by Anonymous Coward · · Score: 0

      Bingo.

    11. Re:Fun "fact" by Krishnoid · · Score: 1

      I've got the perfect password choice though -- 'yiersansiwu'.

    12. Re: Fun "fact" by Calydor · · Score: 0

      You realize most of those 'hotlists' will be alphabetically sorted, and 12345 will STILL show up before 123456, right?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    13. Re:Fun "fact" by es330td · · Score: 1

      This isn't surprising. Many systems have a minimum password length of six characters so a user attempting "12345" would naturally use "123456" to meet the requirement. As "12345" was not an option it would naturally be seen less as a password.

    14. Re: Fun "fact" by Anonymous Coward · · Score: 0

      - 123456 will appear in more of them
      - who the hell creates a popularity list and writes the entries in alphabetic order

    15. Re: Fun "fact" by Anonymous Coward · · Score: 0

      >the list
      I don't claim to be a cracker but I'm not so oblivious as to think the tools run off a single csv from 2004

      >real way
      I didn't start the Akchually true scotsman pissing contest. They're both going to immediately shatter. That goes without saying, unless one of us is grossly oblivious.

      Therefore:You're dumb, I guess. Therefore:You're certainly not smart lol. Therefore:Your squawking doesn't make you right, $condescendingcivilityANDsmiley

    16. Re: Fun "fact" by Anonymous Coward · · Score: 0

      - who the hell creates a popularity list and writes the entries in alphabetic order

      Anybody who machine generates the list from multiple sources and wants to check for dupes?

    17. Re:Fun "fact" by DontBeAMoran · · Score: 1

      Bingo: This password has been seen 702 times before

      --
      #DeleteFacebook
    18. Re:Fun "fact" by DontBeAMoran · · Score: 1

      yiersansiwu: This password has been seen 24 times before

      --
      #DeleteFacebook
    19. Re:Fun "fact" by Anonymous Coward · · Score: 0

      What I find ridiculous are sites that complain that the password I'm using is too complex or too long. I normally generate passwords that are 32 characters and include uppercase, lowercase, digits and punctuation, yet many sites whine about the punctuation and want some ridiculously short password like 8 or 12 characters maximum. Even my ISP, a company which should understand technology and security, limits me to a 16 character, alphanumeric-only password.

    20. Re:Fun "fact" by Anonymous Coward · · Score: 0

      I wonder if that's because a lot of websites require at least 6 characters.

      nothing gets by you, eh Sherlock? step on punchlines much?

  8. Reference by DontBeAMoran · · Score: 1
    --
    #DeleteFacebook
  9. Hilarious results by DontBeAMoran · · Score: 1

    https://haveibeenpwned.com/Pas...
    Frosty Piss: Good news — no pwnage found!
    FrostyPiss: Good news — no pwnage found!
    Frosty_Piss: Good news — no pwnage found!

    Keep on frosty pissing, friend. But you might want to consider some vacation time in a warmer country.

    --
    #DeleteFacebook
  10. Is this a joke? by Anonymous Coward · · Score: 0

    "One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community."

    So... You're recommending that the dumb masses go typing in their passwords into "friendly" sites that "check if it's been leaked"? What? Do you not understand how absurd this is on so many levels? What's even the point, even if it's 100% verified that that particular site is not malicious in itself?

    1. Re:Is this a joke? by Riceballsan · · Score: 1

      Well the site itself doesn't check usernames, so the passwords on their own aren't practical even if the page were to be malicious or hijacked by a malicious source. I do agree on the whole it's a bit useless as it only covers the known hacks and breaches. I go by the rule of thumb to always use unique passwords, and if in doubt change them.

    2. Re:Is this a joke? by Anonymous Coward · · Score: 0

      If you had a previously "good" password, how you can be sure that it won't get added to some password dictionary that gets used for password cracking? Your username would be irrelevant then, it would simply get tried on every attempt.

  11. Duh pain, duh pain! by Anonymous Coward · · Score: 0

    ^ Thinks he's quite a coder but there's not much there... master of the spout...
       

  12. I'm confused by ArhcAngel · · Score: 5, Funny

    I changed all my passwords to correcthorsebatterystaple
    Now you're telling me I should change it to this?

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:I'm confused by Anonymous Coward · · Score: 0

      change them all to to correcthorsebatterystaple1 it's more secure.
      lol

    2. Re:I'm confused by pinkfalcon · · Score: 2

      No - you need to change them all to "fourwordsalluppercase"

      --
      Real SUV's don't have cupholders
      It's 5:42 A.M., do you know where your stack pointer is?
    3. Re:I'm confused by i.r.id10t · · Score: 1

      Surprisingly, "fuckits" was found 52 times, but "fuckITS", "fuckITS!" and both "fuckyouITS" and "fuckyouits" were declared "unfound".

      --
      Don't blame me, I voted for Kodos
    4. Re:I'm confused by Anonymous Coward · · Score: 0

      Bullshit! We all know it's hunter2

  13. Good summary by bill_mcgonigle · · Score: 4, Insightful

    Lately I haven't been able to even parse some summaries but with this one I get a cute story and don't even need to read TFA unless I want details.

    It's like 1999 again.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  14. Damn it. by fahrbot-bot · · Score: 1

    ... "ji32k7au4a83" is a very common password among users.

    That was our first choice for a baby name, now it's out 'cause most things won't let you use your name as a password.

    --
    It must have been something you assimilated. . . .
    1. Re:Damn it. by Anonymous Coward · · Score: 0

      My wife and I also wanted something different, yet memorable. We chose Fistful of Diamonds.

    2. Re:Damn it. by Anonymous Coward · · Score: 0

      Just name it Robert'); DROP TABLE Students; --

  15. This is hilarious by ZorinLynx · · Score: 2

    What makes it even more mind blowing is that it LOOKS like a password you'd randomly type by bashing a bunch of letter and number keys.

    k92jf8j2ih22
    f8y23jk29ugwe
    ji32k7au4a83

    It doesn't even stand out!

    Such an interesting world we live in.

    1. Re:This is hilarious by AmiMoJo · · Score: 1

      It shows just how screwed up text handling is on computers. Chinese has thousands of characters, maybe 50k total although only a few thousand are in common use. But computers are mostly handling ASCII, and ASCII only reliably stores about 6 per character (a-z, A-Z, 0-9) because control characters, extended characters and punctuation are often filtered or mangled.

      This affects English speaking users too. For example, by default Microsoft's pre-boot authentication for Bitlocker defaults to a numeric PIN which can be entered with the F keys, because those are the only ones guaranteed to work no matter what language keyboard you plug in. Yubico uses the following character set for similar reasons:

      cbdefghijklnrtuvCBDEFGHIJKLNRTUV0123456789

      The USB keyboard standard is pretty awful really, but that's another story.

      Unicode might have sorted it all out, but Unicode has some severe design flaws that prevented it ever becoming universal. In particular the handling of Chinese, Japanese and Korean is badly broken and the reason why they continue to use standards like BIG5 and Shift-JIS to wedge their character sets into something that systems can process.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:MAGA by Drishmung · · Score: 2
    https://haveibeenpwned.com/Pas...

    "MAGA"

    Oh no — pwned! This password has been seen 62 times before

    "MAGA bich"

    Good news — no pwnage found!

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
  17. Thereby proving... by Anonymous Coward · · Score: 0

    ... That stupid doesn't discriminate.

  18. So, what is ... by PPH · · Score: 1

    ... "my luggage" translated from Mandarin?

    --
    Have gnu, will travel.
  19. Randomness... by Anonymous Coward · · Score: 0

    I was ready to blame some not-so-random number generator, but this is actually worse...

  20. Foreign language passwords by genka · · Score: 1

    This is hardly surprising. Russian profanities transliterated to English yield thousands of hits in the password database.

    1. Re:Foreign language passwords by dunkelfalke · · Score: 1

      Using just one Russian profanity at a time is doing it wrong, no matter whether for a password or for cursing. If I remember my Russian lessons correctly it should be at least three storeys high.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  21. LastPass by UziBeatle · · Score: 1

    So does this transliteration issue indicate that LastPass and its ilk have possibly been 'randomly' generating words and phrases in reverse Chinese?

    Good grief.
    Someone with too much time on their hands research this ASAP.

    --
    Something between the lines jumps out and bites your arm off. Soltan Gris / London
  22. Wait, this is genius. by bistromath007 · · Score: 3, Interesting

    By getting software that makes my keyboard try to type Mandarin, picking a simple passphrase, and typing that in, I can get a password that looks like random garbage in both English and Mandarin, and I don't need to store shit in a password manager unless I REALLY want multiple passphrases.

    1. Re:Wait, this is genius. by nadass · · Score: 1

      Maybe try an entirely different language, like Arabic or Cyrillic or Hebrew. The same idea applies, though.

    2. Re:Wait, this is genius. by dunkelfalke · · Score: 1

      Cyrillic is not a language, it is an alphabet.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    3. Re:Wait, this is genius. by Cro+Magnon · · Score: 1

      That's even better. You could type a bunch of Cyrillic characters and English speakers would swear that it's Russian, while Russian speakers say "WTF", or whatever that is in Russian.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    4. Re:Wait, this is genius. by Anonymous Coward · · Score: 0

      Or Elvish? Type friend, and enter!

    5. Re:Wait, this is genius. by Anonymous Coward · · Score: 0

      > I don't need to store shit in a password manager unless I REALLY want multiple passphrases.

      Or you want to log in on a computer that isn't set up to convert your typing to Mandarin.

    6. Re:Wait, this is genius. by nadass · · Score: 1

      Cyrillic is not a language, it is an alphabet.

      True, but the password field doesn't know the difference.

    7. Re:Wait, this is genius. by dunkelfalke · · Score: 1

      It usually does by accepting only 7 bit ASCII characters.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    8. Re:Wait, this is genius. by dunkelfalke · · Score: 1

      This is exactly what happens in many movies.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  23. I thought there would be some clever sci-fi tie in by Fly+Swatter · · Score: 1

    Color me disappointed.

  24. That's disappointing by Anonymous Coward · · Score: 0

    Maybe my very secret and cryptic (to me) password translates to "screw my life" in Chinese. Who could have known...

  25. Re: MAGA by Anonymous Coward · · Score: 0

    not so funny to those of us outside the US who can spell, as it's Grate...

  26. ncc1071 by Anonymous Coward · · Score: 0

    Known also as USS Enterprise (not the aircraft carrier, but space ship). I saw that one in a list of passwords cracked from stolen hashes, I think back in 2012.

    1. Re:ncc1071 by Anonymous Coward · · Score: 0

      At least get it right, it's NCC-1701. But if I use quotes, I can see from Google that a lot of other people can't get it right either.

      I did find this, though: USS Newquay (warning: furry site)

  27. Re: MAGA by Anonymous Coward · · Score: 0

    Homonyms are not for pedants.

  28. Re: MAGA by Anonymous Coward · · Score: 0

    Fuck off you god damn inbred Putin cock sucking faggot!