101

I was going through the list of top 100K passwords and found Sojdlg123aljg near the top of the list. Does anyone have any idea why this is such a common password?

Rodrigo de Azevedo
  • 244
  • 2
  • 13
azoundria
  • 743
  • 2
  • 5
  • 7
  • 41
    One theory I've seen proposed for passwords like this is that they're passwords that are associated with bot accounts, and are heavily reused by the tools that create these accounts. – Xander Sep 05 '19 at 03:55
  • Related: https://security.stackexchange.com/questions/178246/why-is-monkey-a-common-password – schroeder Sep 05 '19 at 12:07
  • 12
    I seem to remember (but can't now find) a similar question about an _at-first-glance-secure_ password appearing on either a common-password- or passwords-to-avoid-list. IIRC, the reason was because it appeared in some popular "how to" bit of code. – TripeHound Sep 05 '19 at 14:16
  • 17
    @TripeHound it's [Why is Gbt3fC79ZmMEFUFJ a weak password?](https://security.stackexchange.com/questions/201210/why-is-gbt3fc79zmmefufj-a-weak-password), also got into HNQ. – Andrew T. Sep 05 '19 at 17:07
  • 3
    I've noticed that all the letters, except o, are located on the home row on the keyboard. – stackzebra Sep 06 '19 at 13:51
  • 2
    Another theory (probably not for this, but for likewise) passwords might be people just *searching* for secure passwords online, many copy & pasting the same seemingly randomized password... – LMD Sep 06 '19 at 21:05
  • 2
    @LMD: Ha: that's just like https://xkcd.com/221/ then! *If "4" was random that time, it will be again.* Likewise, *this good password I found must always be good!* – Vandermonde Sep 07 '19 at 18:05
  • FYI, if you want to actually search the web for this, Stack Exchange sites flood the results thanks to the "related" sidebar. Search for `Sojdlg123aljg -stack.exchange` to avoid that. (Use the internal Stack Exchange search feature to search this site.) – Adam Katz Sep 27 '19 at 22:15

3 Answers3

126

One of the most logical explanations is that those accounts were associated with a bot. Same goes for password like 18atcskd2w.

Graham Cluley wrote an article about this: So, Just Why Is 18atcskd2w Such a Popular Password?

Can so many people really be choosing to protect their online accounts with the same, seemingly random choice of “18atcskd2w”, “3rjs1la7qe,” or “q0tsrbv488”?

The answer, of course, is no. People are not choosing those passwords.

Yes, those credentials can be found amongst the stolen data, and those passwords are being used on many tens of thousands of accounts, but it wasn’t a human being who chose that password. It was a computer.

Human brains were responsible for choosing passwords like “123456”, “password,” and “qwerty.” But there is no way that 91,103 people independently chose to secure their accounts with “18atcskd2w.”

Instead, what I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam onto the forums.

Edit:

Ok, I went to check some of records ("dumps") from breached websites:

ilerrhyc@qgjkwntm.com:18atcskD2W
lprfzoyj@aboriaqk.com:18atcskD2W
ytjcvfhx@erbnxkjx.com:18atcskD2W
imuudluz@qsldpvlx.com:18atcskD2W
rrrowvvn@gdcufxsg.com:18atcskD2W
kixtigma@snjkuxjh.com:18atcskD2W

I'm pretty sure that those passwords were associated with bot, but funny thing is that attacker used random username with random-non-existing domain, but non-random password.

Mirsad
  • 10,075
  • 8
  • 33
  • 54
  • 173
    So computers are just as bad at password reuse as people :) – Conor Mancone Sep 05 '19 at 11:14
  • 6
    The first thought that came to mind is that one of these may be a simple transformation of an otherwise common password, aka `rot_13('password')`. However, I think this is a much more likely reason. – Conor Mancone Sep 05 '19 at 11:14
  • An other reason for some of these weird passwords is keyboard layout. In some countries they have significantly different keyboard layouts so just typing the first row of characters might produce what looks like a random password to an English speaker. – Giacomo Alzetta Sep 05 '19 at 11:42
  • 14
    @ConorMancone Well, no. The script that creates the spam accounts was written by a person, so it's still a person responsible for the password reuse. Of course, account security isn't exactly a concern for a throwaway account that's probably going to be locked/deleted shortly after creation and doesn't contain any real information to be exposed even if it *is* compromised. – Anthony Grist Sep 05 '19 at 11:49
  • 2
    _"Hey, let's implement a secure password generator for our bots, but only invoke it a single time ... for all the bots!"_ While that's most likely not what exactly happened it's a fun thought, though. – Num Lock Sep 05 '19 at 11:49
  • 1
    @NumLock I think he meant, if it's a simple transformation, multiple different people might think about using this same transformation with the same password. – Xavier59 Sep 05 '19 at 11:50
  • 3
    @NumLock Or an application of the KISS principle. If you just hardcode the passwords for the accounts created by your spam program, you have one less data point you need to keep track of. And making it a strong password avoids triggering password complexity checks, so one less error condition to handle. – Philipp Sep 05 '19 at 12:07
  • @Xavier59 yes, that is what I was saying. My first comment was just a joke. My other guess was that these passwords are actually "low entropy" passwords, they are just disguised by some common translation. That is basically what the other answer suggests (with a source too!), so maybe my thought wasn't crazy. Still, I think this answer is probably the explanation more often. – Conor Mancone Sep 05 '19 at 13:12
  • 8
    @NumLock https://xkcd.com/221/ – Michael Sep 05 '19 at 13:50
  • 33
    *funny thing is that attacker used random username with random-non-existing domain, but non-random password* likely because usernames are checked for duplication, but passwords are not. There's no motivation to generate unique passwords, but there is a rule that stops you from re-using usernames. – dwizum Sep 05 '19 at 17:55
  • 2
    Is it possible these are simply the result of a hash collision with some more obvious password? If the passwords are stored with a not-very-sophisticated hash, it's possible that multiple strings would hash to the same value, and only one of them results in something readable like "mypassword" while the others just look like gibberish... – Darrel Hoffman Sep 05 '19 at 19:19
  • @DarrelHoffman: That's a clever idea, but I don't think it could make the top 100k that way, because HIBP records span *many* breaches. – ruakh Sep 05 '19 at 20:53
  • @Andrew except that should be impossible with proper password management, you cannot scan a database for duplicate passwords if they only exist in salted hash form. – ratchet freak Sep 06 '19 at 09:55
  • 1
    @ratchetfreak Yeah, my suggestion of hash collision would only work if they were stored as un-salted hashes, which is bad practice of course, but still sadly all too common. – Darrel Hoffman Sep 06 '19 at 13:15
  • @DarrelHoffman The ability to work from "I know that these 6 accounts all have the same password" can provide *some* information, even with Salted Hashes. – Chronocidal Sep 06 '19 at 15:59
  • 3
    For hackers, reusing the same password can be useful to reveal details about how passwords are stored, which can be helpful to crack the rest or identify the level of security used. For example, 1) if hashes match for the same password, it means they are using a hash algorithm without salt (like md5, sha); 2) They may have a hash dictionary for that password (if any hash matches, they know what algorithm they are using); 3) The more the accounts they create with the same password, could help to crack the pepper value (specially if the username is used to generate the hash), etc.; – lepe Sep 07 '19 at 04:45
106

Another possibility : Sojdlg123aljg is latin characters translation from another alphabet.

For instance, a common password "ji32k7au4a83" is from mandarin "我的密碼", meaning "my password" (source).

Using this online keyboard, you can validate that typing successively j-i-3 maps to 我. However it does not works for Soj... So either it is a different language, or the other answer is right.

Lou_is
  • 801
  • 1
  • 4
  • 14
  • 3
    I tried to do a translation using the linked method and I could not figure out a way to do it. It might be nice if someone with one of those keyboards could run a test to confirm for Chinese, if nothing else. – schroeder Sep 05 '19 at 12:39
  • 9
    I am from mainland China and I have no clue how `ji32k7au4a83` could become `我的密碼` – Siyu Sep 05 '19 at 12:50
  • 25
    Hey, look at that. Very clever lateral thinking. – Monica Apologists Get Out Sep 05 '19 at 13:04
  • 1
    One comment though: `我的密碼` is strictly speaking not mandarin (simplified Chinese), it is tradition Chinese commonly used in Hongkang and Taiwan. – Siyu Sep 05 '19 at 13:20
  • 4
    @Siyu It's a *transliteration*, not a *translation*, which is what you are probably thinking of –  Sep 05 '19 at 13:55
  • 17
    It is surely significant that all but 1 of Sojdlg123aljg's 10 letters come from the same row of the QWERTY keyboard, and that three of them that come before the digits come again after the digits. This is surely a keyboard mash made by a human with not enough entropy. – Rosie F Sep 05 '19 at 15:27
  • 1
    @RosieF Now you're making me wonder if it could be music-related, a transfer from a piano keyboard to a computer keyboard. But it doesn't seem to correspond to any familiar melody at a quick first try. – Jeff Y Sep 05 '19 at 17:55
  • 3
    Another thing to consider is things like Little-endian vs. Big-endian, order of bytes, order of bits within bytes, etc. https://en.wikipedia.org/wiki/Endianness – Andrew Sep 05 '19 at 17:56
  • 3
    @Siyu: "Mandarin" refers to a specific Chinese language, regardless of whether that language is written in simplified characters (as is common on the mainland) or in traditional characters (as is common in Hong Kong and Taiwan). – ruakh Sep 05 '19 at 20:48
  • @RosieF Maybe, maybe not. That's the issue with randomness and human tendency to look for patterns. For the random password `18atcskd2w` mentioned in the other answer, all but one of the letters used are ones you type with your left hand on a qwerty keyboard. That doesn't make me think it wasn't necessarily randomly generated though. – Kimball Sep 06 '19 at 12:20
  • 1
    I'm from Russia and I often use combinations of Russian words on English input mode for passwords. This strikes back on mobile tho... – val is still with Monica Sep 07 '19 at 08:10
5

One of the misleading things about password statistics is that the most common passwords may not in fact be that common. The passwords 123456 and password are always among the top passwords, but that doesn't mean that you'll see them in the wild that much.

In 2014 I compiled the top passwords list for SplashData and wrote an article about some of the anomalies you see on password lists. In that article I wrote this:

While 123456 is indeed the most common password, that statistic is a bit misleading. Although 0.6% of all users on my list used that password, it’s important to remember that 99.4% of the users on my list didn’t use that password. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased.

and

In 2014, all it takes for a password to get on the top 1000 list is to be used by just 0.0044% of all users.

What this means is that as more people avoid common passwords, other anomalies pop up such as accounts created by bots, hackers, or admins who assign the same default password to everyone.

This last case is one example I used:

For example, when I first ran my stats for 2014, the password lonen0 ranked as #7 in the list. Looking through the data I saw that all of these passwords came from a single source, the Belgium company EASYPAY GROUP, which had their data leaked in November of 2014. Looking through the raw data it appears that lonen0 was a default password that 10% of their users failed to set to something stronger. It’s just 10% of users from one company but that was enough to push it to the #7 most common password in my data set.

As others have pointed out, this was most likely a bot but could also have been a hacker who compromised the system. This was pretty common with paid content sites (i.e., porn) where someone would hack the site and create a bunch of accounts with different usernames and the same password. This could have been to avoid detection or to allow for tracking, but was also common for claiming certain accounts, as was very common in certain IRC channels and forums that shared passwords (i.e., forzealots or xphkrew).

Mark Burnett
  • 2,810
  • 13
  • 16