Why is Sojdlg123aljg a common password?
I was going through the list of top 100K passwords and found Sojdlg123aljg near the top of the list. Does anyone have any idea why this is such a common password?
passwords password-management password-cracking password-policy
asked Sep 5 at 3:00 by azoundria, edited Sep 6 at 4:30 by Rodrigo de Azevedo
41
One theory I've seen proposed for passwords like this is that they're passwords that are associated with bot accounts, and are heavily reused by the tools that create these accounts.
– Xander
Sep 5 at 3:55
12
I seem to remember (but can't now find) a similar question about an at-first-glance-secure password appearing on either a common-password- or passwords-to-avoid-list. IIRC, the reason was because it appeared in some popular "how to" bit of code.
– TripeHound
Sep 5 at 14:16
17
@TripeHound it's Why is Gbt3fC79ZmMEFUFJ a weak password?, also got into HNQ.
– Andrew T.
Sep 5 at 17:07
3
I've noticed that all the letters, except o, are located on the home row on the keyboard.
– stackzebra
Sep 6 at 13:51
2
Another theory (probably not for this, but for likewise) passwords might be people just searching for secure passwords online, many copy & pasting the same seemingly randomized password...
– LMD
Sep 6 at 21:05
3 Answers
One of the misleading things about password statistics is that the most common passwords may not in fact be that common. The passwords 123456 and password are always among the top passwords, but that doesn't mean that you'll see them in the wild that much.
In 2014 I compiled the top passwords list for SplashData and wrote an article about some of the anomalies you see on password lists. In that article I wrote this:
While 123456 is indeed the most common password, that statistic is a
bit misleading. Although 0.6% of all users on my list used that
password, it’s important to remember that 99.4% of the users on my
list didn’t use that password. What is noteworthy here is that while
the top passwords are still the top passwords, the number of people
using those passwords has dramatically decreased.
and
In 2014, all it takes for a password to get on the top 1000 list is to
be used by just 0.0044% of all users.
What this means is that as more people avoid common passwords, other anomalies pop up such as accounts created by bots, hackers, or admins who assign the same default password to everyone.
This last case is one example I used:
For example, when I first ran my stats for 2014, the password lonen0
ranked as #7 in the list. Looking through the data I saw that all of
these passwords came from a single source, the Belgium company EASYPAY
GROUP, which had their data leaked in November of 2014. Looking
through the raw data it appears that lonen0 was a default password
that 10% of their users failed to set to something stronger. It’s just
10% of users from one company but that was enough to push it to the #7
most common password in my data set.
As others have pointed out, this was most likely a bot but could also have been a hacker who compromised the system. This was pretty common with paid content sites (i.e., porn) where someone would hack the site and create a bunch of accounts with different usernames and the same password. This could have been to avoid detection or to allow for tracking, but was also common for claiming certain accounts, as was very common in certain IRC channels and forums that shared passwords (i.e., forzealots or xphkrew).
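The single-source effect described in this answer, as an added example that is not part of the original post: it ranks passwords in a corpus and flags entries whose occurrences come almost entirely from one source. The source names, account counts and the 0.9 dominance threshold are constructed for illustration; only the password strings come from the page.

```python
from collections import Counter, defaultdict

# Constructed corpus plan: source -> (number of accounts, shared passwords).
# Every account not covered by a shared password gets a unique filler value.
SAMPLE_PLAN = {
    "forum":   (2000, {"123456": 12, "password": 8, "18atcskd2w": 150}),
    "shop":    (2000, {"123456": 12, "password": 7}),
    "payroll": (1000, {"123456": 6, "password": 3, "lonen0": 100}),
}


def build_sample():
    """Expand SAMPLE_PLAN into (source, password) rows."""
    rows = []
    for source, (size, shared) in SAMPLE_PLAN.items():
        for password, n in shared.items():
            rows.extend((source, password) for _ in range(n))
        filler = size - sum(shared.values())
        rows.extend((source, f"unique-{source}-{i}") for i in range(filler))
    return rows


def rank_passwords(rows, top_n=4, dominance=0.9):
    """Rank passwords by frequency and report how concentrated each one is.

    A password is flagged single_source when one source contributes at least
    `dominance` of its occurrences: the signature of a default password or a
    bot campaign rather than of many people choosing the same string.
    """
    total = 0
    by_password = defaultdict(Counter)  # password -> Counter of sources
    for source, password in rows:
        by_password[password][source] += 1
        total += 1

    ranked = sorted(by_password.items(),
                    key=lambda kv: (-sum(kv[1].values()), kv[0]))
    report = []
    for password, sources in ranked[:top_n]:
        count = sum(sources.values())
        top_source, top_count = sources.most_common(1)[0]
        report.append({
            "password": password,
            "count": count,
            "share_of_all": count / total,
            "top_source": top_source,
            "top_source_share": top_count / count,
            "single_source": top_count / count >= dominance,
        })
    return report


if __name__ == "__main__":
    for entry in rank_passwords(build_sample()):
        print(f"{entry['password']:<12} n={entry['count']:<4} "
              f"{entry['share_of_all']:.2%} of all accounts, "
              f"{entry['top_source_share']:.0%} from {entry['top_source']}"
              f"{'  <-- single source' if entry['single_source'] else ''}")
```

In this constructed corpus the two highest-ranked passwords each come from one source, while 123456 sits at 0.6% of accounts spread across all three.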
One of the most logical explanations is that those accounts were associated with a bot. The same goes for passwords like 18atcskd2w.
Graham Cluley wrote an article about this: So, Just Why Is 18atcskd2w Such a Popular Password?
Can so many people really be choosing to protect their online accounts
with the same, seemingly random choice of “18atcskd2w”, “3rjs1la7qe,”
or “q0tsrbv488”?
The answer, of course, is no. People are not choosing those passwords.
Yes, those credentials can be found amongst the stolen data, and those
passwords are being used on many tens of thousands of accounts, but it
wasn’t a human being who chose that password. It was a computer.
Human brains were responsible for choosing passwords like “123456”,
“password,” and “qwerty.” But there is no way that 91,103 people
independently chose to secure their accounts with “18atcskd2w.”
Instead, what I believe happened is that these accounts were created
by bots, perhaps with the intention of posting spam onto the forums.
Edit:
OK, I went to check some of the records ("dumps") from breached websites:
ilerrhyc@qgjkwntm.com:18atcskD2W
lprfzoyj@aboriaqk.com:18atcskD2W
ytjcvfhx@erbnxkjx.com:18atcskD2W
imuudluz@qsldpvlx.com:18atcskD2W
rrrowvvn@gdcufxsg.com:18atcskD2W
kixtigma@snjkuxjh.com:18atcskD2W
I'm pretty sure that those passwords were associated with a bot, but funny thing is that attacker used random username with random-non-existing domain, but non-random password.
answered Sep 5 at 4:10 by Mirsad, edited Sep 5 at 15:37
173
So computers are just as bad at password reuse as people :)
– Conor Mancone
Sep 5 at 11:14
6
The first thought that came to mind is that one of these may be a simple transformation of an otherwise common password, aka rot_13('password'). However, I think this is a much more likely reason.
– Conor Mancone
Sep 5 at 11:14
14
@ConorMancone Well, no. The script that creates the spam accounts was written by a person, so it's still a person responsible for the password reuse. Of course, account security isn't exactly a concern for a throwaway account that's probably going to be locked/deleted shortly after creation and doesn't contain any real information to be exposed even if it is compromised.
– Anthony Grist
Sep 5 at 11:49
8
@NumLock xkcd.com/221
– Michael
Sep 5 at 13:50
33
"funny thing is that attacker used random username with random-non-existing domain, but non-random password" likely because usernames are checked for duplication, but passwords are not. There's no motivation to generate unique passwords, but there is a rule that stops you from re-using usernames.
– dwizum
Sep 5 at 17:55
Another possibility: Sojdlg123aljg is a Latin-character translation from another alphabet.
For instance, a common password "ji32k7au4a83" is from Mandarin "我的密碼", meaning "my password" (source).
Using this online keyboard, you can validate that typing successively j-i-3 maps to 我.
However, it does not work for Soj... So either it is a different language, or the other answer is right.
edited Sep 5 at 12:58
answered Sep 5 at 11:52
Lou_is
3
I tried to do a translation using the linked method and I could not figure out a way to do it. It might be nice if someone with one of those keyboards could run a test to confirm for Chinese, if nothing else.
– schroeder♦
Sep 5 at 12:39
9
I am from mainland China and I have no clue how ji32k7au4a83 could become 我的密碼
– Siyu
Sep 5 at 12:50
24
Hey, look at that. Very clever lateral thinking.
– Adonalsium
Sep 5 at 13:04
4
@Siyu It's a transliteration, not a translation, which is what you are probably thinking of
– anjama
Sep 5 at 13:55
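The keystroke-to-character mapping discussed in the answer above can be checked in code. This is an added example, not part of the original answer; it assumes the linked online keyboard uses the standard Zhuyin (Bopomofo) layout, which the page does not name, and the small `READINGS` lookup is constructed for the four syllables involved.

```python
# Standard Zhuyin (Bopomofo) keyboard layout: QWERTY key -> phonetic symbol.
# Assumption: this is the layout of the online keyboard the answer links to.
INITIALS = dict(zip("1qaz2wsxedcrfv5tgbyhn",
                    "ㄅㄆㄇㄈㄉㄊㄋㄌㄍㄎㄏㄐㄑㄒㄓㄔㄕㄖㄗㄘㄙ"))
MEDIALS = dict(zip("ujm", "ㄧㄨㄩ"))
FINALS = dict(zip("8ik,9ol.0p;/-", "ㄚㄛㄜㄝㄞㄟㄠㄡㄢㄣㄤㄥㄦ"))
# A tone key ends every syllable; the space bar is the unmarked first tone.
TONES = {"3": "ˇ", "4": "ˋ", "6": "ˊ", "7": "˙", " ": ""}

# Constructed lookup: one common character per syllable. A real input method
# offers many homophones for each reading.
READINGS = {"ㄨㄛˇ": "我", "ㄉㄜ˙": "的", "ㄇㄧˋ": "密", "ㄇㄚˇ": "碼"}


def decode_zhuyin(keys):
    """Segment a keystroke string into Zhuyin syllables.

    Each syllable is [initial][medial][final] followed by a tone key.
    Returns a list of syllables, or None if the string does not segment.
    """
    keys = keys.lower()
    syllables, i = [], 0
    while i < len(keys):
        sounds = ""
        # The three key sets are disjoint, so each slot is filled at most
        # once and only in this order.
        for table in (INITIALS, MEDIALS, FINALS):
            if i < len(keys) and keys[i] in table:
                sounds += table[keys[i]]
                i += 1
        if not sounds or i >= len(keys) or keys[i] not in TONES:
            return None
        syllables.append(sounds + TONES[keys[i]])  # tone kept in typed order
        i += 1
    return syllables


def to_text(keys):
    """Map a keystroke string to characters via READINGS, or None."""
    syllables = decode_zhuyin(keys)
    if syllables is None or any(s not in READINGS for s in syllables):
        return None
    return "".join(READINGS[s] for s in syllables)


if __name__ == "__main__":
    for candidate in ("ji32k7au4a83", "Sojdlg123aljg"):
        print(candidate, decode_zhuyin(candidate), to_text(candidate))
```

The second string fails at the third key: after `s` and `o` the layout expects a tone key, and `j` is not one.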
One of the misleading things about password statistics is that the most common passwords may not in fact be that common. The passwords 123456 and password are always among the top passwords, but that doesn't mean that you'll see them in the wild that much.
In 2014 I compiled the top passwords list for SplashData and wrote an article about some of the anomalies you see on password lists. In that article I wrote this:
> While 123456 is indeed the most common password, that statistic is a
> bit misleading. Although 0.6% of all users on my list used that
> password, it’s important to remember that 99.4% of the users on my
> list didn’t use that password. What is noteworthy here is that while
> the top passwords are still the top passwords, the number of people
> using those passwords has dramatically decreased.

and

> In 2014, all it takes for a password to get on the top 1000 list is to
> be used by just 0.0044% of all users.

What this means is that as more people avoid common passwords, other anomalies pop up such as accounts created by bots, hackers, or admins who assign the same default password to everyone.
This last case is one example I used:

> For example, when I first ran my stats for 2014, the password lonen0
> ranked as #7 in the list. Looking through the data I saw that all of
> these passwords came from a single source, the Belgium company EASYPAY
> GROUP, which had their data leaked in November of 2014. Looking
> through the raw data it appears that lonen0 was a default password
> that 10% of their users failed to set to something stronger. It’s just
> 10% of users from one company but that was enough to push it to the #7
> most common password in my data set.
As others have pointed out, this was most likely a bot but could also have been a hacker who compromised the system. This was pretty common with paid content sites (i.e., porn) where someone would hack the site and create a bunch of accounts with different usernames and the same password. This could have been to avoid detection or to allow for tracking, but was also common for claiming certain accounts, as was very common in certain IRC channels and forums that shared passwords (i.e., forzealots or xphkrew).
answered Sep 8 at 21:29
Mark Burnett
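The single-source anomaly described in the answer above can be flagged mechanically when a frequency list is compiled from several breach sources. This is an added example, not code from the answer or from SplashData; the source names, the placeholder password `vendor-default`, the 0.8 threshold and all counts are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: (breach source, password) pairs. The source names, the
# placeholder "vendor-default" and all counts are invented for illustration.
SAMPLE = (
    [("forum-a", "123456")] * 6 + [("forum-a", "password")] * 3
    + [("forum-a", f"unique-{i}") for i in range(20)]
    + [("shop-b", "123456")] * 5 + [("shop-b", "password")] * 4
    + [("payroll-c", "vendor-default")] * 8 + [("payroll-c", "123456")]
)


def rank_with_source_check(records, top_n=10, max_share=0.8):
    """Rank passwords by raw count and flag single-source entries.

    An entry is flagged when one source contributes more than max_share of
    its occurrences, the pattern of a default or bot-assigned password.
    """
    totals = Counter()
    by_source = defaultdict(Counter)
    for source, password in records:
        totals[password] += 1
        by_source[password][source] += 1

    users = sum(totals.values())
    report = []
    for rank, (password, count) in enumerate(totals.most_common(top_n), 1):
        top_source, hits = by_source[password].most_common(1)[0]
        report.append({
            "rank": rank,
            "password": password,
            "count": count,
            "pct_of_users": round(100 * count / users, 2),
            "sources": len(by_source[password]),
            "top_source": top_source,
            "single_source": hits / count > max_share,
        })
    return report


def organic_ranking(report):
    """Passwords from the report that are not dominated by one source."""
    return [row["password"] for row in report if not row["single_source"]]


if __name__ == "__main__":
    for row in rank_with_source_check(SAMPLE, top_n=3):
        print(row)
```

In the constructed data the placeholder default ranks second on raw count although it occurs in only one source, so it drops out of the organic ranking.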
41
One theory I've seen proposed for passwords like this is that they're passwords that are associated with bot accounts, and are heavily reused by the tools that create these accounts.
– Xander
Sep 5 at 3:55
12
I seem to remember (but can't now find) a similar question about an at-first-glance-secure password appearing on either a common-password- or passwords-to-avoid-list. IIRC, the reason was because it appeared in some popular "how to" bit of code.
– TripeHound
Sep 5 at 14:16
17
@TripeHound it's Why is Gbt3fC79ZmMEFUFJ a weak password?, also got into HNQ.
– Andrew T.
Sep 5 at 17:07
3
I've noticed that all the letters, except o, are located on the home row on the keyboard.
– stackzebra
Sep 6 at 13:51
2
Another theory (probably not for this, but for likewise) passwords might be people just searching for secure passwords online, many copy & pasting the same seemingly randomized password...
– LMD
Sep 6 at 21:05