For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like “ji32k7au4a83” would be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up more often than one might expect.
This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.
Fun thing I learned today regarding secure passwords: the password "ji32k7au4a83" looks like it'd be decently secure, right? But if you check e.g. HIBP, it's been seen over a hundred times. Challenge: explain why and how this happened and how this password might be guessed
— Robert Ou @ BSidesSF (@rqou_) March 1, 2019
Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, “ji32k7au4a83” has been seen by HIBP in 141 breaches.
Several of Ou’s followers quickly figured out the solution to his riddle. The password comes from the Zhuyin Fuhao system for transliterating Mandarin. The reason it shows up fairly often in a data breach repository is that “ji32k7au4a83” translates to English as “my password.”
I reached out to my friend Ben Macaulay to help us verify what’s going on here. Macaulay is a graduate student in linguistics and Taiwan enthusiast who is focusing on endangered language documentation. He also regularly uses a Zhuyin (aka Bopomofo) keyboard, which is a key to this riddle. Macaulay told us it’s the most commonly used system for typing in Taiwan. The phonetic system is recognised by Unicode, and Macaulay confirmed that this is the simplified version of how the translation breaks down:
ji3 -> 我 -> M
2k7 -> 的 -> Y
au4 -> 密 -> PASS
a83 -> 碼 -> WORD
That’s the only translation most of us need, but Macaulay elaborated on how it works. I’m just going to quote it all for no other reason than it makes me appreciate the fact that I only ever have to type in one language.
There are four tones: 1st tone (hold Space), 2nd tone (6), 3rd tone (3), 4th tone (4), unstressed/lack of tone (7).
Then, consonants for the beginning of the syllable, arranged by place of articulation: b (1) p (q) m (a) f (z); d (2) t (w) n (s) l (x); g (e) k (d) h (c); j (r) q (f) x (v); zh (5) ch (t) sh (g) r (b); z (y) c (h).
Then, the vowels/semivowels: i/yi/y (u) u/wu/w (j) ü/yo (m); a (8) o (i) e (sounds like ‘uh’; k) e (sounds like ‘eh’; _).
Then, some syllable-final consonants and vowel+vowel/vowel+consonant combinations: ai (9) ei (o) ao (l) ou (!); an (0) en/-n (p) ang (;) eng/-ng (?).
To type in zhuyin, you type one of each (in that order, except the tone is last).
I = 我 = wo3 = u (j) + o (i) + 3rd tone (3).
Then the possessive marker 的 (like English ‘s) = de (toneless) = d (2) + e (k) + toneless (7).
Password = 密碼 = 密 ‘secret’ + 碼 (the second half of 號碼 ‘number’). 密 = mi4 = m (a) + i (u) + 4th tone (4). 碼 = ma3 = m (a) + a (8) + 3rd tone (3).
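To see the mechanics end to end, here is a small decoder that turns keystrokes back into syllables using exactly the key tables Macaulay lists above (it is an added example, not code from the article or from Macaulay). It assumes each syllable is typed as initial, medial, final, tone in that order, and its tables are only as complete as his listing.

```python
# Decode keystrokes typed on a Taiwanese Zhuyin (Bopomofo) keyboard.
# Key tables follow Macaulay's listing in the article and are therefore
# partial: keys he did not mention (e.g. the "eh" e) are left out.
INITIALS = {"1": "b", "q": "p", "a": "m", "z": "f", "2": "d", "w": "t",
            "s": "n", "x": "l", "e": "g", "d": "k", "c": "h", "r": "j",
            "f": "q", "v": "x", "5": "zh", "t": "ch", "g": "sh", "b": "r",
            "y": "z", "h": "c"}
MEDIALS = {"u": "i", "j": "u", "m": "ü"}
FINALS = {"8": "a", "i": "o", "k": "e", "9": "ai", "o": "ei", "l": "ao",
          "!": "ou", "0": "an", "p": "en", ";": "ang", "?": "eng"}
# Space is the 1st tone; key 7 is the neutral (toneless) tone
TONES = {" ": "1", "6": "2", "3": "3", "4": "4", "7": ""}


def spell(initial, medial, final):
    """Join the parts using the article's i/yi/y and u/wu/w spelling rule."""
    if not initial:
        if medial == "i":
            medial = "y" if final else "yi"
        elif medial == "u":
            medial = "w" if final else "wu"
        elif medial == "ü":
            medial = "yu"
    elif not (medial or final):
        final = "i"  # a lone initial such as zh or sh is spelt zhi, shi
    return initial + medial + final


def decode_zhuyin(typed):
    """Split typed keys into syllables, each of which must end with a tone key.

    Returns a list of pinyin-like syllables, or None when the string is not
    a valid run of Zhuyin keystrokes and so is probably not a layout artifact.
    """
    syllables, pos, n = [], 0, len(typed)
    while pos < n:
        initial = medial = final = ""
        if typed[pos] in INITIALS:
            initial, pos = INITIALS[typed[pos]], pos + 1
        if pos < n and typed[pos] in MEDIALS:
            medial, pos = MEDIALS[typed[pos]], pos + 1
        if pos < n and typed[pos] in FINALS:
            final, pos = FINALS[typed[pos]], pos + 1
        # a syllable needs at least one sound and a terminating tone key
        if not (initial or medial or final) or pos >= n or typed[pos] not in TONES:
            return None
        syllables.append(spell(initial, medial, final) + TONES[typed[pos]])
        pos += 1
    return syllables
```

Running `decode_zhuyin("ji32k7au4a83")` gives `['wo3', 'de', 'mi4', 'ma3']`, the four syllables of 我的密碼; a string that is not a clean run of Zhuyin keystrokes, such as Patriots69Lover, returns None.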
What’s the lesson here? Well, you might conclude that people in Taiwan appear to have some bad password habits, just like the rest of us—but who knows what’s really going on here. They may be in on the joke. Also, add a quick check against the HIBP database to your password-creation habits, just to make sure that your seemingly random string of characters doesn’t actually have another meaning. And above all, it’s a big wide world out there just waiting to pwn you.