The reason why 'ji32k7au4a83' is a common and terrible password

It may seem complex but the password is excruciatingly simple.
Written by Charlie Osborne, Contributing Writer

At first glance, "ji32k7au4a83" seems a step up from today's most common and insecure passwords such as "password1" or the infamous "qwerty12345".

The random placement of letters and numbers could easily lead you to believe that the password has been crafted by an automatic system -- such as complex password generators in browsers or by a dedicated password manager -- but "ji32k7au4a83" shows up far more than you would expect as a preferred password in online accounts.


Troy Hunt's HaveIBeenPwned, a search engine which allows you to find out whether or not your credentials have been leaked in a data breach, revealed that "ji32k7au4a83" has appeared in 141 data breaches to date, as reported by Gizmodo.

Robert Ou, a software engineer, spotted the trend and asked his Twitter followers why this particular password was appearing time after time, especially considering how random and complex it appeared to be.



The challenge was issued and it was not long before an answer was found: in a different language, "ji32k7au4a83" translated into a password of such simplicity it was enough to make security pundits groan.

The explanation begins with the Bopomofo keyboard layout, used in Taiwan and elsewhere to type the phonetic symbols (Zhuyin) with which Mandarin and other Chinese languages are spelled out before being converted into characters.

The most common way for Taiwanese users to type Chinese characters is the Zhuyin Fuhao layout on such a keyboard. Typed on that layout, the key sequence "ji32k7au4a83" produces the character string "我的密碼", which translates to "my password" in English.
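The following Python script is an added illustration, not part of the original article: it decodes a key sequence typed on the standard Taiwanese Zhuyin keyboard layout back into Bopomofo syllables, so a password audit can recognise that "ji32k7au4a83" is four phonetic syllables rather than random characters. The key-to-symbol table is the standard layout; the syllable-structure rule (initial, medial, final, tone) is a simplification I assume here.

```python
# Added example: decode Zhuyin (Bopomofo) keystrokes for password auditing.
# Key-to-symbol table of the standard Taiwanese Zhuyin keyboard layout.
INITIALS = dict(zip("1qaz2wsxedcrfv5tgbyhn",
                    "ㄅㄆㄇㄈㄉㄊㄋㄌㄍㄎㄏㄐㄑㄒㄓㄔㄕㄖㄗㄘㄙ"))
MEDIALS = dict(zip("ujm", "ㄧㄨㄩ"))
FINALS = dict(zip("8ik,9ol.0p;/-", "ㄚㄛㄜㄝㄞㄟㄠㄡㄢㄣㄤㄥㄦ"))
# Tone keys end a syllable; space is first tone and adds no mark.
TONES = {" ": "", "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙"}


def decode_zhuyin(keys):
    """Return the list of Bopomofo syllables the keystrokes spell, or None
    if the string is not a well-formed run of Zhuyin syllables.

    Simplified rule (assumption): each syllable is at most one initial,
    one medial and one final, in that order, closed by a tone key.
    """
    syllables, cur, stage = [], "", 0  # stage 0: initial, 1: medial, 2: final
    for ch in keys.lower():
        if ch in TONES:
            if not cur:
                return None          # tone key with no syllable body
            syllables.append(cur + TONES[ch])
            cur, stage = "", 0
        elif ch in INITIALS and stage == 0:
            cur, stage = INITIALS[ch], 1
        elif ch in MEDIALS and stage <= 1:
            cur, stage = cur + MEDIALS[ch], 2
        elif ch in FINALS and stage <= 2:
            cur, stage = cur + FINALS[ch], 3
        else:
            return None              # key out of place or not on the layout
    if cur:
        return None                  # trailing syllable never closed by a tone key
    return syllables


def audit_password(password):
    """Flag passwords that are really a Mandarin phrase typed on a Zhuyin layout."""
    syllables = decode_zhuyin(password)
    if syllables is None:
        return "no Zhuyin structure detected"
    return "likely Zhuyin phrase (%d syllables): %s" % (
        len(syllables), " ".join(syllables))


if __name__ == "__main__":
    for pw in ("ji32k7au4a83", "password1", "qwerty12345"):
        print(pw, "->", audit_password(pw))
```

Running it shows "ji32k7au4a83" decoding to ㄨㄛˇ ㄉㄜ˙ ㄇㄧˋ ㄇㄚˇ (wǒ de mì mǎ), while "password1" and "qwerty12345" are rejected because their keys do not fit syllable order.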

At first glance, "ji32k7au4a83" appears as a mystifying string of gibberish, but the lesson here is simple: lax account security can appear in any language. 

It is always advisable to use complex strings of numbers, letters, capitals, and symbols -- when allowed -- for online accounts. If you use more than a handful of online services, remembering complicated credentials can be difficult, so using a password manager or vault is recommended.


A recent report on the security posture of today's most popular password managers, including 1Password, Dashlane, KeePass and LastPass, found that the security of these programs themselves can be lacking once a machine is compromised.

However, on balance of risk, it is still infinitely preferable to make sure your online accounts are as locked-down and secure as possible, given that online accounts are at far greater risk of compromise than a password manager on an already malware-laden machine.
