
Toyota’s Passwords Are Always Strong Enough: COTD


This morning, Lewin taught us a weird fact about people on the Internet. A lot of folks have really bad vehicle-themed passwords. Bad passwords are hardly a new thing, but it’s amusing to look past “123456,” “password,” “baseball,” and other really silly passwords to see what car fans use to secure their lives. I can’t believe there’s a non-zero chance someone is securing a bank account with “letmein” or “michael.”

As an avgeek, I felt compelled to see if anyone is using aviation-themed passwords, and sure enough, plane passwords are in the top 10,000. “Cessna” touches down at #1348 while “Boeing” performs a low-flying pass at #1977. Speaking of flying, possibly unimaginative pilots have secured “flying” the #3429 spot in line for takeoff. Chances are you could get into a pilot’s account somewhere by typing in the #3048 most common password: Pilot. Don’t worry, you side-stick-loving Airbus pilots, for your brand takes the #3599 spot. Sorry, Bombardier pilots, your brand is just too complex to be in the top 10,000.


OK, back to the cars: “BMW325” comes up as #6421, and for those of you who aren’t 3 Series owners, there’s “BMWBMW” coming in at #9158. Audi shows up twice, with the brand coming in at #6985 and “AudiTT” taking the #8661 spot. Looks like I’m safe; maybe Buell never sold enough units to become a popular password.

Also, to Matt Hardigree, the Astros come up as #2631 while the Yankees are #95. I told you the Yankees are better! Wait…

Anyway, Toyota’s password game is clearly on point, as COTD winner V10omous points out:


On the flip side of this, Toyota clearly used the “pick my password for me” tool when coming up with the name of the bZ4X.

Nobody is going to guess the Bees Forks! Lotsofchops offers a password even you won’t remember:

You can use car names, you just gotta go upmarket for the good choices. LandRoverRangeRoverEvoque2.0TD4E-Capability4x4HSEDynamic.
LamborghiniAventadorLP750-4SuperveloceRoadster.
Boom! Instant security.

Jack Trade also made me giggle:

Please tell me Camero is right up there for Craigslist account passwords…

Well, “Camero” takes the #7559 spot and I have so many questions. None of them will be answered.


Before I started writing about cars, I used to be an IT jockey. When I wasn’t writing Java, I was helping people fix broken computers. I’ve lost count of how many people compromised their machines by getting caught up in a phishing scam. Having a decent password (and not having it sticky-noted to your computer screen) is a good first line of defense, but a lot of problems are caused not by someone cracking your password, but by you inadvertently giving a bad actor your information.

Something I’ve always told past clients is this: If you receive an email that seems sketchy, always be sure to check the sending address. For example, PayPal isn’t going to send you an email from “paypal6709@gmail.com” or something like that. Your bank isn’t operating from an @yahoo.com address. Likewise, the IRS isn’t going to contact you through Facebook, any other social media account, or through your email.

If you’ve checked the email address and you’re still concerned, an easy workaround would be to close the email and then go directly to the site in question (do not click on any link in that email). If there’s something truly wrong you should be able to find it in your account.
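The sending-address check above, sketched as an added example (not part of the original article): it flags a From header that names a brand but comes from a domain the brand does not mail from, including lookalikes where the brand name is only a prefix of someone else's domain. The brand-to-domain table and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption for this example: each brand and the domains it really mails from.
# "examplebank" and its domain are hypothetical placeholders.
EXPECTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "examplebank": {"examplebank.example"},
}

def sender_domain(from_header):
    """Return the lowercased domain of the address in a From header."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def domain_allowed(domain, allowed):
    """True for an exact match or a genuine subdomain of an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(from_header):
    """Return (suspicious, reason) for one From header value."""
    domain = sender_domain(from_header)
    # Every alphabetic word in the display name, local part and domain.
    words = set(re.findall(r"[a-z]+", from_header.lower()))
    for brand, allowed in EXPECTED_DOMAINS.items():
        if brand in words and not domain_allowed(domain, allowed):
            return True, f"mentions {brand} but was sent from {domain or 'no domain'}"
    return False, "no brand/domain mismatch"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"PayPal Support" <paypal6709@gmail.com>',
    'PayPal <service@paypal.com.example.net>',
    '"Example Bank" <examplebank@yahoo.com>',
    'service@paypal.com',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header))
```

A header that passes this check is not proof the message is genuine, because the From line can be forged; going to the site directly, as described above, remains the safer step.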

Be safe, and have a great evening!

35 Comments
Martin Ibert
11 months ago

Just as an aside, the German tax administration will send you e-mails. Very specific ones, but they will actually e-mail you on occasion.

Starhawk
11 months ago

Friendly Neighborhood Nerd here. I have a very simple set of rules about passwords and logins.

If I can avoid generating a login to begin with, I do.
If I absolutely cannot avoid generating a login, and the service or product being offered is something I can live without, unless the login generator allows xkcd-936 compliant password generation, or is for something so trivial that I genuinely don’t care (eg web forums and website commentary), I walk away.
If all else fails, I do my best, and actively promote xkcd-936 password compliance as best I can.

Ecsta C3PO
11 months ago
Reply to  Starhawk

How many people on that list used correcthorsebatterystaple though?

Lotsofchops
11 months ago

Finally, the recognition I deserve.

OrigamiSensei
11 months ago

Your main protection in passwords is length. Hackers have the encrypted hash string (at least for MD5, a common hash scheme) for every password up to eight characters. Thus, if they are able to hack a company and get a password hash file they can reverse engineer it with a simple search before they even try to log into your account. As a result it doesn’t matter much how “good” your password is until you get over eight letters. Longer strings of easily remembered words or characters will offer the best combination of security and ease of use. For instance, my WiFi password is 26 characters but it’s super easy for me to remember.

Data
11 months ago
Reply to  OrigamiSensei

abcdefghijklmnopqrstuvwxyz is not a secure password.

OrigamiSensei
11 months ago
Reply to  Data

lulz, but it’s a bit different from that.

Unimaginative Username
11 months ago
Reply to  OrigamiSensei

Obligatory – https://xkcd.com/936/

Ben
11 months ago
Reply to  OrigamiSensei

(at least for MD5, a common hash scheme)

If anyone’s using MD5 for passwords they should have their computer taken away and be banned from writing software ever again.

Proper password salting* avoids the rainbow tables (the technical name for that list of password hashes) vulnerability, but there are a lot of security-ignorant web devs out there so you can’t count on that.

*: Which is basically just adding a site-specific string to the password before hashing it. That way even if someone has the hash for the password “bz4x”, they probably don’t have the hash for “bz4xautopian.com”.
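The precomputed-table and salting points raised in this thread, as an added example that is not part of any commenter's post: a lookup table built from unsalted MD5 hashes recovers “bz4x” instantly, a site-wide string appended before hashing misses that table but still gives every user of the same password the same hash, and a per-user random salt with a slow key-derivation function avoids both. The password list, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of common passwords standing in for a real precomputed table.
COMMON = ["123456", "password", "letmein", "bz4x"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

ITERATIONS = 600_000  # assumption: a PBKDF2-HMAC-SHA256 work factor for this demo

def store_unsalted_md5(password):
    """What a careless site stores: plain MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def store_site_salted_md5(password, site="autopian.com"):
    """The site-specific string from the comment, appended before hashing."""
    return hashlib.md5((password + site).encode()).hexdigest()

def store_per_user(password):
    """Random salt per account plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_per_user(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def found_in_table(stored_hex):
    """Return the password if the stored hash is in the precomputed table."""
    return LOOKUP.get(stored_hex)

if __name__ == "__main__":
    print("unsalted MD5 ->", found_in_table(store_unsalted_md5("bz4x")))
    print("site-salted  ->", found_in_table(store_site_salted_md5("bz4x")))
    salt_a, hash_a = store_per_user("bz4x")
    salt_b, hash_b = store_per_user("bz4x")
    print("same password, same stored hash?", hash_a == hash_b)
    print("login still works?", verify_per_user("bz4x", salt_a, hash_a))
```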

Mr Sarcastic
11 months ago

I worry that the same source that knows how many people use these commonly used passwords is a great source to hack and steal people’s information.

FuzzyPlushroom
11 months ago

Gotta go upmarket, indeed. Toyota rightly didn’t bother to spend the money to give my car a trim level, and here in the US (and Canada, I believe) it didn’t even get the proud li’l VVT-i badge.

At least Yaris has an additional character (plus an additional glove box) over Echo and isn’t a common dictionary word.

Last edited 11 months ago by FuzzyPlushroom
Not Sure
11 months ago

I’ve all ways found that scamers are easy to spot.
Maybe it’s just because I’m an obssesive pendant.
There’s all ways something obvously wierd about the wording and spelling in the email.

Last edited 11 months ago by Not Sure
Dolsh
11 months ago
Reply to  Not Sure

It honestly depends on the target. Scammers are capable of using pixel and grammar perfect emails if it gets what they need. The typical poor grammar scam messages tend to target folks that won’t fight back.

Chronometric
11 months ago
Reply to  Not Sure

I will assume that “obsessive pendant” is a subtle joke and not an unfortunately placed misspelling.

D-dub
11 months ago
Reply to  Chronometric

Keep reading, they’re not being subtle.

Balloondoggle
11 months ago
Reply to  Not Sure

I see what you’ve done here. Now, turn control of the commenter account back over to the commenter. Please.

V10omous
11 months ago

Thanks to the Academy, et al.

Needed the pick me up.

Thought I had a deal today on a Z06 when a dealer with NO MARKET ADJUSTMENTS all over their website told me they had an order slot available. Only to find that NO MARKET ADJUSTMENTS seems to actually mean MARKET ADJUSTMENTS WHEN WE FEEL LIKE IT.

The search continues.

Goof
11 months ago
Reply to  V10omous

Likely actual conversation:

V10omous: Your website says no market adjustments.
Dealer: It’s not a market adjustment. It’s a dealer adjustment.

I wish I was kidding.

V10omous
11 months ago
Reply to  Goof

I was a bit more snarky than that, and they tried saying it was a “limited production vehicle”, which is a lie.

I said I’m very interested in working with an honest dealer and not very interested in bait and switch.

Time is on my side. Cars with adjustments are sitting.

OrigamiSensei
11 months ago
Reply to  V10omous

Lol – I mean by some definition ALL cars, even Camrys and F-150s, are limited production vehicles.

PaysOutAllNight
11 months ago
Reply to  V10omous

Please, for the community, name and shame these dealers.

V10omous
11 months ago

I debated doing that last night, and your comment has tipped me over the edge.

Apple Chevrolet in Tinley Park, IL.

I cannot in good conscience recommend anyone purchase a vehicle from them for as long as this false advertising lasts.

Goof
11 months ago
Reply to  V10omous

It’s a Z06. It’ll pass. They’ll be making them another 3-4 years still.

Meanwhile I’m being patient on the Spyder RS front. ADMs have come down from 75->40 already, and I expect it to drop further as the “flip window” closes. I’m being patient, but I’ve identified all my local competitors. I know who I’m up against, and that I’m a nobody in a big lake.

Though I’m not too worried as it seems every US store will get 2-3. I put in a “heavy” build, agreed to buy a 911 S/T transaxle from the dealer (for the future manual swap), and I’m known to drive my cars in outlandish conditions, so I’m being patient… though may offer to buy the dealer’s unsold (how?!?!) 911 Dakar as an interim “bridge car” if the numbers work.

V10omous
11 months ago
Reply to  Goof

may offer to buy the dealer’s unsold (how?!?!) 911 Dakar as an interim “bridge car” if the numbers work.

If you do buy it, I hope you give us a review here.

Goof
11 months ago
Reply to  V10omous

That’s the thing, I won’t be able to.

So as a “bridge car” the intent is I trade my Spyder to the dealer, they make some money on that, and they get most of their usual front end on the Dakar. Then the Dakar gets traded in for the Spyder RS. The intent is the dealer gets trade and front end money on the first deal, which is functionally a reasonable ADM, and gets to sell the Dakar at least twice. I would intend to come out of it basically neutral. Everyone basically wins. Basically how Ferrari dealers stay afloat.

The problem is since I’m basically “holding a 911 Dakar” for the next buyer, I won’t paint correct and PPF it to keep my costs close to zero. It’ll mostly sit. It’ll be yet another rare-ish Porsche with no miles sold used, because a lot of them are bridge cars.

If I actually bought it to use? Pffft. I’d be all over dirt roads in northern Vermont and Maine like it was an Evo. Though I’ve driven 992 GT3s and they’re way too refined for me aside from them following road crowns more than previous ones. It’d be “neat” but I don’t think I’d love it. It’s not dumb enough, which the SRS is.

To use my favorite quote, “it would be better if it were a bit worse.”

Last edited 11 months ago by Goof
V10omous
11 months ago
Reply to  Goof

I guess I don’t understand the process.

You trade the Spyder in, buy the Dakar, pay taxes on it, don’t drive it, and trade it for the RS.

For it to make sense for you, the dealer must be paying you more than you paid initially for the Dakar, with the intention of selling it even higher than that. Otherwise, why not just trade the Spyder for the RS?

Maybe I’m ignorant, but I wouldn’t think a Dakar would be something Porsche dealers would require their customers to take in order to get the RS cars. Like how Ferrari made customers take Californias if they wanted 458s or whatever it was. Presumably they would make you take a couple Cayennes instead.

But if they can’t sell the Dakar now new for $X, how are they going to sell it later used for $X+$Y?

Goof
11 months ago
Reply to  V10omous

There’s built in profit to the MSRP. They sell it to me as close to that number as they can, and capture that bit of profit. They later then can sell it as a used car after it’s traded in, which lets them sell it a bit above MSRP (whatever market is), making more on it again. All without, “charging ADM.”

This is par for the course for Ferrari, but most used ones aren’t sold above list — it’s just making a bit of money on each sale, though depreciation is a real factor there that helps the dealer. A typical mid-engine Ferrari is sold 4 to 6 times before it finds its final home! It’s how Ferrari dealers survive, because they don’t get enough cars to sell to have a good business.

There’s a demand lag on these kinds of cars, because only a few enthusiasts are jumping on them. It’s a while later before the general spends public realizes they exist.

Yet also, there really is only so much demand for them. Cars are limited in number for a reason – they genuinely have a hard enough time selling them all sometimes. Again, unsold 911 Dakar at the dealer I’m working with, in a major US metro. This is reality. Though the 991.2 GT2 RS was way, way worse. Those were much rarer and dealers were desperate to get rid of them here in the US.

Last edited 11 months ago by Goof
V10omous
11 months ago
Reply to  Goof

Does Porsche crack down on dealers selling above MSRP?

I know it’s strictly banned at Ferrari, which is part of why they play these silly games, but I thought Porsche dealers could basically do what they wanted, like Chevy dealers are trying to do to me.

If they can’t, this process makes a lot more sense to me.

Goof
11 months ago
Reply to  V10omous

Regarding, “why not trade your Spyder for the Spyder RS directly”: Because without a bridge car, I may not ever get a Spyder RS allocation. ~750 expected US cars. This is WAY harder than getting a Z08 Z06 because even though buyers are way lower, so are available units. A bridge car is a way to “play the game” way cheaper than ADM. Yes, sales tax, but I get most of that back on the 2nd trade because of sales tax credit. There’s a carrying cost, but it’s a lot lower than just paying ADM (and the taxes on the higher sale price).

———

Ferrari frowns on it, but it happens in markets. However outside of the very famous, the path to get a new hot Ferrari is to buy a lot of used ones first. Or ones you don’t want. The “every car sold 4-6 times” in action.

Porsche frowns upon it, but it absolutely happens. Some markets Porsche looks the other way, because you have customers willing to take a bath on a car. I’m not in one of those markets.

Yet that’s for new cars. Used cars? Porsche turns a blind eye. They limited the production for a reason and know sometimes cars can be extremely hard to move.

Hell, after the GFC, some Cayman Rs and OG Spyders took FIVE YEARS to sell. Those were like $70-90K cars. But the ones with carbon seats and some specced with no AC by the dealer were floor plan poison, and they SAT. Only 891 US Spyders and a similar number of Cayman Rs and they still took 5 years for all to sell through! Manufacturers limit production for a reason!

Last edited 11 months ago by Goof
VanGuy
11 months ago

Wasn’t there some car in the last decade that had “The next 100 years” in its official model name or something?

10001010
11 months ago

I’m also going to go ahead and add that your CEO is not going to ask you to buy gift cards for a client. I don’t know you personally or professionally but I’m pretty confident in stating that you are NOT that person. Please just mark that email as spam and delete it.

Balloondoggle
11 months ago
Reply to  10001010

My wife actually got caught on that one because she works directly for the CEO and she IS that person. Luckily, they figured it out before the purchased cards left her control and the agency had legitimate uses for them so it worked out okay, but now she is VERY careful about phishing.

Last edited 11 months ago by Balloondoggle
10001010
11 months ago
Reply to  Balloondoggle

Our CEO’s assistant is the only person in that position. She knows to verify such requests outside of email/text.

Mr Sarcastic
11 months ago
Reply to  10001010

My last company designed a feature in our mail system that has a link in the dashboard to report questionable emails.

Pupmeow
11 months ago
Reply to  Mr Sarcastic

We have that too. I always feel like the smartest kid in the room when I click it.

We also have a button that will send emails right to the trash bin. I always click it when someone sends me an email asking if I have “had a chance to read their earlier email.”
