[BreachExchange] ji32k7au4a83 is a surprisingly bad password

Destry Winant destry at riskbasedsecurity.com
Fri Mar 8 10:28:36 EST 2019


https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned

The password “ji32k7au4a83” might look fairly secure thanks to its
seemingly random jumble of letters and numbers. But surprisingly, that
exact password has appeared in 141 data breaches, as cataloged by the
site Have I Been Pwned and spotted by Gizmodo. It leads to the obvious
question: how are so many people using this one password?

Robert Ou, a hardware and software engineer, first spotted this
interesting chain of characters and challenged people to figure out
why ji32k7au4a83 is so commonly used. Taiwanese internet users quickly
decoded the answer. They noted that on a Taiwanese keyboard with the
Zhuyin Fuhao layout, the string spells out 我的密碼, or “wǒ de mìmǎ,”
which means “my password” in Mandarin. So much for a secure password.

You can see what’s happening in the photo above, which shows the
Zhuyin Fuhao keyboard layout. Typing the letter J, then I, will add
two of the symbols (ㄨ + ㄛ), pronounced u and o, displayed on the top
right of the keys, to form wo. You then have to type out the tone of
the character, hence the 3. Ji3 translates to “me” in English, and
later, “my” after you add “2k7,” the next three characters in the
password.

The most common way of typing Chinese characters in Taiwan is a system
called Zhuyin Fuhao, which is taught to kids in elementary school to
get them started on learning how to read and write Chinese. I remember
learning these symbols in Chinese class all too well... I actually
failed my first class and was left behind while the other kids
graduated ahead of me because my memorization was so poor. (By now,
though, I basically recognize the symbols by sight.) As a side note,
mainland China uses a different system, so the people coming up with
ji32k7au4a83 might mainly be from Taiwan.

While ji32k7au4a83 (“my password”) has come up in 141 data breaches,
au4a83 (which means, you guessed it, “password”) has shown up 1,495
times. The lesson here is that even if you’re using a custom keyboard
that generates strings of letters and numbers that can mystify many
English speakers, using something that equates to “password” as your
password is still a bad idea. Someone out there will know exactly what
you’re trying to do.
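
The keystroke-to-Zhuyin mapping described above can be turned into a password-audit check. The following is an added example, not part of the original article or post. The key table is the standard (Daqian) Zhuyin layout, supplied here as an assumption since the article only walks through J, I and the tone key 3, and the blocklist is a constructed one holding only the phrase the article names.

```python
import re

# Standard (Daqian) Zhuyin layout: QWERTY key -> Bopomofo symbol.
# Assumption: table supplied for this example, not taken from the article.
INITIALS = dict(zip("1qaz2wsxedcrfv5tgbyhn", "ㄅㄆㄇㄈㄉㄊㄋㄌㄍㄎㄏㄐㄑㄒㄓㄔㄕㄖㄗㄘㄙ"))
MEDIALS = dict(zip("ujm", "ㄧㄨㄩ"))
FINALS = dict(zip("8ik,9ol.0p;/-", "ㄚㄛㄜㄝㄞㄟㄠㄡㄢㄣㄤㄥㄦ"))
# Tone keys: 3 = third tone, 4 = fourth, 6 = second, 7 = neutral,
# space = first tone (written without a mark).
TONES = {"3": "\u02c7", "4": "\u02cb", "6": "\u02ca", "7": "\u02d9", " ": ""}

def _cls(table):
    return "[" + re.escape("".join(table)) + "]"

# A syllable is: optional initial, optional medial, optional final, tone key.
SYLLABLE = re.compile("(%s?)(%s?)(%s?)(%s)" % tuple(
    _cls(t) for t in (INITIALS, MEDIALS, FINALS, TONES)))

def decode_zhuyin(keys):
    """Return the Bopomofo syllables typed by `keys`, or None when the
    string is not a complete run of well-formed Zhuyin syllables."""
    out, pos, keys = [], 0, keys.lower()
    while pos < len(keys):
        m = SYLLABLE.match(keys, pos)
        if not m or not any(m.group(1, 2, 3)):  # a bare tone key is not a syllable
            return None
        ini, med, fin, tone = m.groups()
        out.append(INITIALS.get(ini, "") + MEDIALS.get(med, "")
                   + FINALS.get(fin, "") + TONES[tone])
        pos = m.end()
    return out or None

# Constructed blocklist: "password" (mi4 ma3) written in Zhuyin.
BANNED = ["ㄇㄧ\u02cbㄇㄚ\u02c7"]

def is_disguised_weak(password):
    """True when the keystrokes spell a blocklisted phrase in Zhuyin."""
    syllables = decode_zhuyin(password)
    return bool(syllables) and any(b in "".join(syllables) for b in BANNED)

if __name__ == "__main__":
    # Constructed sample inputs; the first two are the strings from the article.
    for pw in ("ji32k7au4a83", "au4a83", "Tr0ub4dor&3"):
        print(pw, decode_zhuyin(pw), is_disguised_weak(pw))
```
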

