I once used a password which our IT department gave me; it was !'a;@,oq and, at least to me, it looked random enough. I had it as the root password on a server and I enabled password login for about 2 minutes because I wanted to resize some virtual hard drive or something and couldn't be logged in as a normal user and then switch with su to root, because then the normal user would have open files on the file system and I wouldn't be able to unmount it or something.
Within those 2 minutes some Chinese hacker scripts took over the server and started DDoSing some Chinese IP addresses. We had to shut it down, blast it and set it up from scratch again.
I later found out that this password was everything but random. It was difficult for me to see because I've been using Dvorak for a couple of years now and didn't see the pattern that it was just the first two rows of the characters on a qwerty keyboard. So actually it was !qaz@wsx (I just put the Dvorak version on top of the comment to give you the same unknown feeling for the password which I had back then.)
I've never reused any passwords since then and always create new ones with my password manager.
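As an added example (not the commenter's code), here is the check a password policy could run to catch exactly this: map the typed string back to physical key positions and measure how much of it is a walk over adjacent keys, trying both the QWERTY and the Dvorak reading of the keystrokes. The layout tables are the standard US ones; the thresholds in is_keyboard_walk are illustrative policy choices, not values from the thread.

```python
"""Keyboard-walk check for password policies: keys typed in a physical
pattern on a US QWERTY board look random when the same keys are read
back through a Dvorak layout, so both readings are tested."""
from __future__ import annotations

# Physical rows of a US keyboard, unshifted and shifted, for both layouts.
# Row/column index is the physical key; the layouts differ only in legends.
QWERTY = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
QWERTY_SHIFT = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
DVORAK = ["`1234567890[]", "',.pyfgcrl/=\\", "aoeuidhtns-", ";qjkxbmwvz"]
DVORAK_SHIFT = ["~!@#$%^&*(){}", '"<>PYFGCRL?+|', "AOEUIDHTNS_", ":QJKXBMWVZ"]


def _key_positions(rows: list[str], shifted: list[str]) -> dict[str, tuple[int, int]]:
    pos: dict[str, tuple[int, int]] = {}
    for r, (row, srow) in enumerate(zip(rows, shifted)):
        for c, (ch, sch) in enumerate(zip(row, srow)):
            pos[ch] = pos[sch] = (r, c)
    return pos


QWERTY_POS = _key_positions(QWERTY, QWERTY_SHIFT)

# Legend-to-legend map between the layouts at the same physical position,
# e.g. Dvorak "'" sits where QWERTY "q" is, Dvorak ";" where "z" is.
DVORAK_TO_QWERTY = {
    d: q
    for d_rows, q_rows in ((DVORAK, QWERTY), (DVORAK_SHIFT, QWERTY_SHIFT))
    for d_row, q_row in zip(d_rows, q_rows)
    for d, q in zip(d_row, q_row)
}


def walk_stats(password: str, layout: str = "qwerty") -> dict:
    """Measure how much of `password` is a walk over physically adjacent keys.

    `layout` says which legends the user was reading; the string is first
    mapped back to the QWERTY legends of the same physical keys.
    """
    typed = password
    if layout == "dvorak":
        typed = "".join(DVORAK_TO_QWERTY.get(ch, ch) for ch in password)
    positions = [QWERTY_POS.get(ch) for ch in typed]
    adjacent, run, longest = 0, 1, 1
    for prev, cur in zip(positions, positions[1:]):
        if (prev and cur and prev != cur
                and abs(prev[0] - cur[0]) <= 1 and abs(prev[1] - cur[1]) <= 1):
            adjacent += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 1
    pairs = max(len(positions) - 1, 1)
    return {
        "qwerty_equivalent": typed,
        "adjacent_fraction": adjacent / pairs,
        "longest_run": longest,
    }


def is_keyboard_walk(password: str, min_run: int = 4, min_fraction: float = 0.6) -> bool:
    """Reject a password that reads as a walk under either layout reading.

    Thresholds are illustrative policy choices (assumption of this example).
    """
    return any(
        s["longest_run"] >= min_run and s["adjacent_fraction"] >= min_fraction
        for s in (walk_stats(password, "qwerty"), walk_stats(password, "dvorak"))
    )


if __name__ == "__main__":
    for pw in ("!'a;@,oq", "!qaz@wsx", "qwerty", "Terp-745-mula"):
        print(pw, walk_stats(pw, "dvorak")["qwerty_equivalent"], is_keyboard_walk(pw))
```

The adjacency test uses a plain grid, ignoring the real stagger of the rows; that is good enough to flag !qaz@wsx (six of its seven key transitions are adjacent) while leaving a hyphenated word-number-word password alone.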
> So actually it was !qaz@wsx (I just put the Dvorak version on top of the comment to give you the same unknown feeling for the password which I had back then.)
Related story: for some weird reason, I memorized the serial key for a very popular piece of software (I must have been fifteen then). Even today, I can recite the 25-letter key without a hitch. And I have used its first ten letters as a password for one of my accounts. Guess what? The password has been used 4000+ times before [1]. It's hard to digest the fact that there are at least a thousand people in the world who did the same thing.
For the unfamiliar, "ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ" is an example of "bopomofo" script, the phonetic system used to teach kids reading and pronunciation in Taiwan, and adapted to Chinese keyboard input (zhuyin). I learned it in the 1990s studying Mandarin in Taipei. It maps closely to pinyin romanization used in China (i.e., "ㄨㄛˇ" = "wo3" which is the sound in the Mandarin dialect for "我" and potentially other characters with the same pronunciation and tone. "我" means "I" or "me").
I am wondering if it was modeled after Hiragana/Katakana during Taiwan's colonial period?
I see this same explanation on the Twitter thread, which is great.
However, I am concerned at how the OP got the string in the first place that he compared to HaveIBeenPwned. Is he storing his users' passwords in plain text in his back-end database, and decided to run them all against the service? That in and of itself is a security red flag.
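The way such a comparison belongs in an application, as an added example that is neither the tweet author's nor HaveIBeenPwned's code: check at signup or password change, when the handler has the plaintext for that one request anyway, use the k-anonymity range API so only the first five hex characters of the SHA-1 leave the host, and never batch-check a stored password column. The endpoint URL and the User-Agent requirement are the documented ones; FakeRangeServer and SAMPLE_BREACH_COUNTS are constructed stand-ins so the block runs offline, and the counts in them are made up.

```python
"""Check a candidate password against Pwned Passwords with the k-anonymity
range API inside a signup / password-change handler: the plaintext exists
only for this request, nothing is stored, and only a 5-hex-char SHA-1
prefix is sent."""
from __future__ import annotations

import hashlib
from typing import Callable

FetchRange = Callable[[str], str]  # prefix -> response body of "SUFFIX:COUNT" lines


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> tuple[str, str]:
    """(5-char prefix sent to the API, 35-char suffix matched locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: FetchRange) -> int:
    """How many times the password appears in the corpus; 0 if not found."""
    prefix, suffix = split_for_k_anonymity(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network; not exercised here). The endpoint and the
    mandatory User-Agent header are as documented by haveibeenpwned.com."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeServer:
    """Constructed offline stand-in for the range endpoint: groups the SHA-1
    suffixes of made-up breach counts by prefix and records every prefix it
    is asked for, so a caller can confirm nothing else was sent."""

    def __init__(self, breach_counts: dict[str, int]):
        self.by_prefix: dict[str, list[str]] = {}
        self.requests: list[str] = []
        for pw, n in breach_counts.items():
            prefix, suffix = split_for_k_anonymity(pw)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{n}")

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\r\n".join(self.by_prefix.get(prefix.upper(), []))


# Constructed counts for the strings discussed in this thread; not real HIBP figures.
SAMPLE_BREACH_COUNTS = {"ji32k7au4a83": 1234, "!qaz@wsx": 250000, "d0g!(!(!(!(!(!(": 3}


def accept_new_password(password: str, fetch_range: FetchRange) -> tuple[bool, str]:
    """Policy decision for a signup/change handler. The caller then discards
    `password` or feeds it to a proper password KDF; it is never stored."""
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"rejected: seen {n} times in breach corpora"
    return True, "ok"


if __name__ == "__main__":
    server = FakeRangeServer(SAMPLE_BREACH_COUNTS)
    for pw in ("ji32k7au4a83", "Terp-745-mula"):
        print(pw, accept_new_password(pw, server), "sent prefix:", server.requests[-1])
```

To go live, pass fetch_range_live instead of the fake server; everything else stays the same, which is the point of taking the fetcher as a parameter.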
If you're interested in learning Chinese, and want to see the bopomofo/pinyin/literal/parallel translations, please check out Pingtype! I wrote it to help me study. Click Advanced > ㄅㄆㄇㄈ if you want the Zhuyin.
I'm a scientist. Information theory always felt curious to me because it adopted terminology and concepts similar to those from statistical mechanics, but in practice was always much more difficult due to what could be considered "random" vs. non-random. After sitting back and thinking about it, what is considered "random" is of course a statement of the probability distribution for the set under consideration. For info theory, that set is some set of strings (say passwords) which is really culturally and historically contingent, while in physics land the set is microstates that determine macrostates, for which the degeneracy of a macrostate depends on the Hamiltonian, full stop. I think mathematically, of course, the statements you make are similar (hence why you apply the same probability theory to both), but the systems I study are comparatively easier, while the underlying probability distribution for strings is really hard to know in practice because it essentially depends on human history and culture up to that point. For example, in a universe without English, English words (say mapped one-to-one to a discrete set, so strings of positive integers less than 26 + 10 (including decimal digits)) would be random. In fact, in a universe without that particular Chinese IME, if it were done somewhat differently, then ji32k7au4a83 could be random.
It's just interesting to me, another reminder that physics is just that much easier than anything else.
Hold up. In my physics classes, no one ever gave me a straight answer on what constituted a "macrostate". It always sounded arbitrary for similar reasons to the ones you describe for language. Are you telling me it's literally defined by the energy of the system (the Hamiltonian, right?) alone?
> It's just interesting to me, another reminder that physics is just that much easier than anything else.
Such statements make me nervous.
In the late 19th century, physics professors told their students that they should stop learning physics and go to some other science, because physics was almost complete. It explained almost everything; there were some small issues with electromagnetism which would be solved in a few decades, and then there would be no more work for physicists. No more physics as a science, just engineering.
At that time physics seemed much easier than anything else. Like it seems now for you, I suppose.
Though maybe this time there will be no more Einsteins, and physics really has explained almost everything.
I take "random" as just being a description of the predictor: that they lack sufficient information to make a determinate prediction.
I.e., I take probability to be only an epistemic description of confidence given information, and therefore randomness is just a lack of it.
A physical system may be "ontologically random" in the sense that there is no info it's possible to obtain to make a determinate prediction -- but that isn't randomness (which is epistemic).
That's "physical informationlessness", which is an (alleged) feature of a physical system that leads to an "inevitable randomness" in our predictions of it.
In China they just use pinyin, so I was baffled as to how ji32k7au4a83 could represent 我的密码. Turns out it's the keys you press if you have Taiwanese input.
After a brief Googling, a lot of Taiwanese websites are encouraging users to come up with passwords by typing Zhuyin in English, and specifically giving "ji32k7au4a83" (my password) as an example. So this may explain why a lot of people actually followed the advice to the word.
Using the above principles, how can we design a good password?
Tip 1: Replace characters with ones that sound the same
For example, you can replace the letter e in succeed with the number 1 {note this sounds the same in Mandarin}, so that it becomes succ11d, which is easy to remember and combines numbers and letters.
Tip 2: Replace characters with ones that look the same
For example, you can replace the o in dog with 0 and it becomes d0g. It mixes letters and numbers.
Tip 3: Fill with special symbols
For example, the above password d0g is not long enough, so you can add special symbols at the end, e.g. d0g!(!(!(!(!(!(, it will be easy to remember, but hackers will need 12,340 centuries to crack it.
Tip 4: Using Chinese input method
For example, the phonetic input method of the four words "My Password" is the combination of "ji32k7au4a83". At first glance, it is a random combination, but it is meaningful.
Pretty hilarious all around; has anyone checked if d0g!(!(!(!(!(!( is in the database too?
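An added example, not from the commenter or the site being quoted, of why the "12,340 centuries" figure is beside the point: a dictionary attack with hashcat-style mangling rules (all-occurrence substitutions such as so0 and se1, plus repeated-suffix padding) finds d0g!(!(!(!(!(!( and succ11d within a few hundred guesses over a six-word toy list, while the brute-force estimate those crack-time calculators use sits near 2^98 for the padded string. The wordlist, substitution table and padding patterns are constructed for illustration; ji32k7au4a83 is included to show that this attack does not reach it, which is a different weakness.

```python
"""Dictionary attack with mangling rules against "tip"-style passwords.
Crack-time figures like "12,340 centuries" assume a brute-force search of
the whole printable keyspace; a rule-based attack never searches that."""
from __future__ import annotations

import itertools
import math

# hashcat-style all-occurrence substitutions (rule "sXY") and suffix padding.
LEET = {"o": "0", "e": "1", "i": "1", "a": "4", "s": "$"}
PAD_PATTERNS = ["!", "!(", "!@", "#", "123", "1"]
MAX_PAD_REPEAT = 8

# Constructed toy wordlist; a real attack uses rockyou-sized lists.
WORDLIST = ["password", "letmein", "dragon", "dog", "succeed", "monkey"]


def mangle(word: str):
    """Yield (variant, rule) for every subset of substitutions applicable to `word`."""
    letters = [ch for ch in LEET if ch in word]
    for k in range(len(letters) + 1):
        for subset in itertools.combinations(letters, k):
            out = word
            for ch in subset:
                out = out.replace(ch, LEET[ch])
            yield out, "".join(f"s{ch}{LEET[ch]}" for ch in subset) or ":"


def candidates(wordlist=WORDLIST, max_repeat=MAX_PAD_REPEAT):
    """Guess order: each word, each substitution set, then padded suffixes."""
    for word in wordlist:
        for base, rule in mangle(word):
            yield base, word, rule
            for pat in PAD_PATTERNS:
                for n in range(1, max_repeat + 1):
                    yield base + pat * n, word, f"{rule} ${pat}x{n}"


def crack(target: str, wordlist=WORDLIST) -> dict | None:
    """Base word, rule and number of guesses that hit `target`, or None."""
    for guesses, (guess, word, rule) in enumerate(candidates(wordlist), 1):
        if guess == target:
            return {"word": word, "rule": rule, "guesses": guesses}
    return None


def brute_force_bits(password: str, alphabet_size: int = 95) -> float:
    """The figure crack-time calculators use: log2(alphabet ** length)."""
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("d0g!(!(!(!(!(!(", "succ11d", "ji32k7au4a83"):
        print(pw, round(brute_force_bits(pw), 1), "bits brute force ->", crack(pw))
```

The guess counter is the number that matters: a padded "d0g" is the 848th candidate here and would be similarly early in any real run, because the rules encode exactly the habits the tips recommend.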
That follow-up tweet freaks me out. What does that have to do with anything, really. I think it's rather unprofessional and would prefer people not make self-congratulatory statements about their personal beliefs.
I'm willing to bet that a major upcoming security disaster is a compromised password manager that leaks out tens of millions of accounts and passwords in nicely structured XML that's perfect for automated attacks and frauds.
Yes, I use a password manager too, but an ancient one that has no Internet connection, no syncing, and no cloud storage.
The only "modern" password manager I've been able to find that works completely offline and is open source is KeePass -- so long as you don't install any of its plugins that open it up to Internet access.
As someone who speaks 4 languages, my passwords are always a combination of words from different languages together. I am wary of trusting a software with my password generation.
I just keep the RandomKeyGen [0] site on the top of my bookmarks, and whenever I need to set a password for a newly spun up server, or SQL DBA admin password etc., I just pick a random one from there.
Advantage over a password manager? - sometimes I have to document what the password is in offline technical notes or a password vault for the customer, and doing it this way lets me kill two birds with one stone.
Speaking of good passwords, I wrote a passphrase generator once that I still use to this day. You can have a copy of it if you’d like. The README explains all there is to know about it but feel free to ask any questions anyone might have.
One of the password generation tools -- so long ago I forget which one, but probably 1Password -- generated a password for me, and I loved the scheme it used. I still use a variety of it but now I make them up myself. The rules:
1. Make up a short nonsense word (so it's pronounceable).
2. Pick 3 numbers.
3. Make up another short nonsense word.
4. Concat them with hyphens, capitalising the first letter.
So let's go with...
Terp-745-mula
Mang-288-pung
The benefits:
1. Heaps o' entropy. Need more? Just make longer words.
2. Crucially: really easy to type on an iOS keyboard. You often start with caps on by default, and the dash-number-dash sequence in the middle only requires one use of the symbol shift key.
3. And, of course, fairly memorable.
I still use 1Password and the vast majority of my passwords are 16 characters of truly random nonsense, but for those times that you want a memorable password that you'll actually type quite a bit, this is gold.
---
And now I await the inevitable teardown of this method ... what did I miss? :-)
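Here is the teardown in numbers, as an added example rather than the commenter's own method: the same scheme driven by a CSPRNG over a constructed syllable grammar (20 onsets, 8 vowels, 16 codas) gives about 11.3 bits per word and 10 bits for the number, so roughly 33 bits in total, against about 95 bits for 16 random alphanumerics. Words a person "makes up" come from a smaller and non-uniform pool, so that figure is an upper bound on the hand-made version. The syllable lists and the format regex are assumptions of this example.

```python
"""Entropy accounting for the Word-NNN-word scheme, assuming both nonsense
words are drawn uniformly from a fixed syllable grammar (the best case)."""
from __future__ import annotations

import math
import re
import secrets

# Constructed pronounceable pieces: word = onset + vowel + coda.
ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r",
          "s", "t", "v", "z", "bl", "br", "gr", "pl", "st", "tr"]
VOWELS = ["a", "e", "i", "o", "u", "ai", "oo", "ou"]
CODAS = ["", "b", "d", "g", "k", "l", "m", "n", "p", "r",
         "s", "t", "rp", "ng", "la", "na"]
PATTERN = re.compile(r"^[A-Z][a-z]+-\d{3}-[a-z]+$")


def nonsense_word() -> str:
    """e.g. t+e+rp -> "terp", m+u+la -> "mula"; uniform over the grammar."""
    return secrets.choice(ONSETS) + secrets.choice(VOWELS) + secrets.choice(CODAS)


def generate() -> str:
    """Terp-745-mula style: capitalised word, three digits, word, hyphenated."""
    return f"{nonsense_word().capitalize()}-{secrets.randbelow(1000):03d}-{nonsense_word()}"


def word_bits() -> float:
    """log2 of the number of distinct words the grammar can produce."""
    return math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))


def scheme_bits() -> float:
    """Entropy of generate(): two independent words plus a 000-999 number."""
    return 2 * word_bits() + math.log2(1000)


def random_chars_bits(length: int = 16, alphabet: int = 62) -> float:
    """For comparison: a manager's 16 random characters over [A-Za-z0-9]."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    print(generate(), f"{scheme_bits():.1f} bits vs {random_chars_bits():.1f} bits")
```

Making the words longer, as the comment suggests, only helps if the extra letters are chosen from a bigger pool; a longer word that stays pronounceable adds one syllable at a time, so each extra syllable is worth about another 11 bits here.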
Among Taiwanese people, we sometimes "encode" a message by pretending to type bopomofo (https://en.wikipedia.org/wiki/Bopomofo) while the input method is English, just like here: "My password" => "我的密碼" => "ji32k71u4a83"
I'm curious to know if this is right. If you use the zhuyin keyboard method, wouldn't you just remember your password in Taiwanese, and not even recognise the version in Roman characters?
Am I the only person that thinks it’s weird that we encourage using unique passwords everywhere, but the second piece of information needed to login (username, email etc) we tend to keep the same for everything?
I did a cheap version of this where I didn't have to build anything but I could test out the concept because I thought it would be awesome and I thought I wanted it.
Long story short, it became problematic pretty quickly and I ditched it. You need to also be able to reply as that email address too, etc. It's been done a bunch of times, I understand.
Some sites are throwaway (example: they force a sign-up). Don't assume all weak passwords used are not conscious decisions. Entropy is too precious to give up to throwaway sites of uncertain backend security.
What do you mean by giving up entropy? Password reuse? You can use a password manager to generate a secure password for every site; there's no excuse for weak passwords.
Here are a few I made with `pwgen`, get them while they're hot:
Even though it turned out to be perfectly explainable why this seemingly random password is used so often, I find it a great opportunity to self-promote my more secure version of passwords:
perfmode|7 years ago
Great narrative trick.
Bravo, Keyser Söze.
[1]: https://haveibeenpwned.com/Passwords
swang|7 years ago
Typing that out on a zhuyin keyboard gets you: ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ
In Pinyin that is wo3 de mi4ma3
Or in English "my password"
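To make the decoding discussed in this thread (ji32k7au4a83 to ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ to wo3 de mi4 ma3) concrete, an added example that is not any commenter's code: it reverses the standard Dachen zhuyin keyboard layout, cuts syllables at the tone keys (first tone is the space bar, which a password would omit), and converts them to pinyin with a simplified set of spelling rules. It also compares the naive per-keystroke keyspace with the number of tonal Mandarin syllables (about 1,300, an approximate figure). The layout table is the standard one; the pinyin rules cover common syllables only; a password filter can treat a non-None result from keys_to_pinyin as "this is a zhuyin phrase".

```python
"""Reverse what a Dachen-layout zhuyin user typed on a QWERTY keyboard and
estimate how small the real search space is."""
from __future__ import annotations

import math

# Standard Dachen zhuyin layout: key -> bopomofo symbol (first tone = space bar).
KEY_TO_BOPOMOFO = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ", "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ", "r": "ㄐ", "f": "ㄑ", "v": "ㄒ", "5": "ㄓ", "t": "ㄔ",
    "g": "ㄕ", "b": "ㄖ", "y": "ㄗ", "h": "ㄘ", "n": "ㄙ", "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ", "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
    "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙",
}
INITIALS = {"ㄅ": "b", "ㄆ": "p", "ㄇ": "m", "ㄈ": "f", "ㄉ": "d", "ㄊ": "t", "ㄋ": "n",
            "ㄌ": "l", "ㄍ": "g", "ㄎ": "k", "ㄏ": "h", "ㄐ": "j", "ㄑ": "q", "ㄒ": "x",
            "ㄓ": "zh", "ㄔ": "ch", "ㄕ": "sh", "ㄖ": "r", "ㄗ": "z", "ㄘ": "c", "ㄙ": "s"}
MEDIALS = {"ㄧ": "i", "ㄨ": "u", "ㄩ": "ü"}
FINALS = {"ㄚ": "a", "ㄛ": "o", "ㄜ": "e", "ㄝ": "ê", "ㄞ": "ai", "ㄟ": "ei", "ㄠ": "ao",
          "ㄡ": "ou", "ㄢ": "an", "ㄣ": "en", "ㄤ": "ang", "ㄥ": "eng", "ㄦ": "er"}
TONES = {"ˊ": "2", "ˇ": "3", "ˋ": "4", "˙": ""}  # neutral tone gets no number


def decode_zhuyin_keys(keys: str) -> str:
    """Keystrokes -> bopomofo; keys the layout does not use stay as typed."""
    return "".join(KEY_TO_BOPOMOFO.get(ch.lower(), ch) for ch in keys)


def split_syllables(bopomofo: str) -> list[str]:
    """A syllable ends at its tone key; a trailing run without one is tone 1."""
    out, cur = [], ""
    for ch in bopomofo:
        cur += ch
        if ch in TONES:
            out.append(cur)
            cur = ""
    return out + ([cur] if cur else [])


def syllable_to_pinyin(syl: str) -> str | None:
    """Bopomofo syllable -> numbered pinyin (simplified rules); None if invalid."""
    tone = "1"
    if syl and syl[-1] in TONES:
        tone, syl = TONES[syl[-1]], syl[:-1]
    initial = INITIALS.get(syl[:1], "")
    rest = syl[1:] if initial else syl
    medial = MEDIALS.get(rest[:1], "")
    rest = rest[1:] if medial else rest
    final = FINALS.get(rest, "")
    if (rest and not final) or not (initial or medial or final):
        return None
    if medial and final == "ê":
        final = "e"                                   # ㄧㄝ -> ie, ㄩㄝ -> üe
    if medial in ("i", "ü") and final == "en":
        final = "n"                                   # ㄧㄣ -> in, ㄩㄣ -> ün
    if medial == "i" and final == "eng":
        final = "ng"                                  # ㄧㄥ -> ing
    if initial and medial == "u":
        if final == "eng":
            medial, final = "", "ong"                 # ㄉㄨㄥ -> dong
        elif final == "ei":
            final = "i"                               # ㄉㄨㄟ -> dui
        elif final == "en":
            final = "n"                               # ㄉㄨㄣ -> dun
    if initial and medial == "i" and final == "ou":
        final = "u"                                   # ㄉㄧㄡ -> diu
    if initial in ("j", "q", "x") and medial == "ü":
        medial = "u"
    if not initial:                                   # y/w spellings
        if medial == "i":
            medial = "yi" if final in ("", "n", "ng") else "y"
        elif medial == "u":
            medial = "w" if final else "wu"
        elif medial == "ü":
            medial = "yu"
    if initial in ("zh", "ch", "sh", "r", "z", "c", "s") and not (medial or final):
        final = "i"                                   # ㄓ -> zhi
    return initial + medial + final + tone


def keys_to_pinyin(keys: str) -> list[str] | None:
    """Whole pipeline; None means the keystrokes are not a zhuyin phrase."""
    out = [syllable_to_pinyin(s) for s in split_syllables(decode_zhuyin_keys(keys))]
    return None if (not out or None in out) else out


def keyspace_bits(keys: str) -> tuple[float, float]:
    """(naive: 41 layout keys per keystroke, phrase: ~1,300 tonal syllables each).
    The syllable figure is approximate and still an upper bound, since people
    type common phrases, not uniformly random syllables."""
    syllables = split_syllables(decode_zhuyin_keys(keys))
    return len(keys) * math.log2(41), len(syllables) * math.log2(1300)


if __name__ == "__main__":
    pw = "ji32k7au4a83"
    print(decode_zhuyin_keys(pw), keys_to_pinyin(pw), keyspace_bits(pw))
```

For the twelve-key password the naive view gives about 64 bits and the four-syllable view about 41, before accounting for the fact that "my password" is the first phrase anyone would try.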
qlk1123|7 years ago
This is a rude phrase that probably most Taiwanese understand.
peterburkimsher|7 years ago
https://pingtype.github.io
acqq|7 years ago
"How to set up a safe and easy to remember password"
reveals:
http://www.netqna.com/2014/05/do-not-set-up-weak-password.ht...
"4. Using Chinese input method:
For example, the phonetic input method of the four" (I guess in Chinese, op. acqq) "words "My Password" is the combination of "ji32k7au4a83"."
Sure, safe. Just for you and everybody who read that. No problem at all.
And some user of some gaming(?) site used it for his username:
https://web.poe.garena.tw/account/view-profile/ji32k7au4a83
cranej|7 years ago
Personally most non-trivial passwords of mine were generated by 'pass'.
[0]: https://randomkeygen.com/
codetrotter|7 years ago
https://github.com/ctsrc/Pgen
albertgoeswoof|7 years ago
I posted a Show HN last night for a side project I’ve built that can solve the email part of this: https://news.ycombinator.com/item?id=19296936
userbinator|7 years ago
You can find lots of examples of throwaway passwords with associated accounts (and submit your own) at bugmenot.com
usernam33|7 years ago
https://news.ycombinator.com/item?id=19290613
balabaster|7 years ago
I'm sure there are so many culturally significant codes that get used as passwords all the time.