Toyota’s Passwords Are Always Strong Enough: COTD


This morning, Lewin taught us a weird fact about people on the Internet. A lot of folks have really bad vehicle-themed passwords. Bad passwords are hardly a new thing, but it’s amusing to look past “123456,” “password,” “baseball,” and other really silly passwords to see what car fans use to secure their lives with. I can’t believe there’s a non-zero chance someone is securing a bank account with “letmein” or “michael.”

As an avgeek, I felt compelled to see if anyone is using aviation-themed passwords, and sure enough, plane passwords are in the top 10,000. “Cessna” touches down at #1348 while “Boeing” performs a low-flying pass at #1977. Speaking of flying, possibly unimaginative pilots have ensured “flying” a #3429 spot in line for takeoff. Chances are you could get into a pilot’s account somewhere by typing in the #3048 most common password: Pilot. Don’t worry, you side-stick-loving Airbus pilots, for your brand takes the #3599 spot. Sorry Bombardier pilots, your brand is just too complex to be top 10,000.

OK, back to the cars. “BMW325” comes up as #6421, and for those of you who aren’t 3 Series owners there’s “BMWBMW” coming in at #9158. Audi shows up twice, with the brand coming in at #6985 and “AudiTT” taking the #8661 spot. Looks like I’m safe; maybe Buell never sold enough units to become a popular password.

Also, to Matt Hardigree, the Astros come up as #2631 while the Yankees are #95. I told you the Yankees are better! Wait…

Anyway, Toyota’s password game is clearly on point, as COTD winner V10omous points out:

On the flip side of this, Toyota clearly used the “pick my password for me” tool when coming up with the name of the bZ4X.

Nobody is going to guess the Bees Forks! Lotsofchops offers a password even you won’t remember:

You can use car names, you just gotta go upmarket for the good choices. LandRoverRangeRoverEvoque2.0TD4E-Capability4x4HSEDynamic.
LamborghiniAventadorLP750-4SuperveloceRoadster.
Boom! Instant security.

Jack Trade also made me giggle:

Please tell me Camero is right up there for Craigslist account passwords…

Well, “Camero” takes the #7559 spot and I have so many questions. None of them will be answered.


Before I started writing about cars, I used to be an IT jockey. When I wasn’t writing Java, I was helping people fix broken computers. I’ve lost count of how many people compromised their machines by getting caught up in a phishing scam. Having a decent password (and not having it sticky-noted to your computer screen) is a good first line of defense, but a lot of problems are caused not by someone cracking your password, but by you inadvertently giving a bad actor your information.

Something I’ve always told past clients was this: If you receive an email that seems sketchy, always be sure to check the sending address. For example, PayPal isn’t going to send you an email from “paypal6709@gmail.com” or something like that. Your bank isn’t operating from an @yahoo.com address. Likewise, the IRS isn’t going to contact you through Facebook, any other social media account, or through your email.

If you’ve checked the email address and you’re still concerned, an easy workaround would be to close the email and then go directly to the site in question (do not click on any link in that email). If there’s something truly wrong you should be able to find it in your account.
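The sender-address check above can be written down as a small script. The following is an added example, not code from the original post: it pulls the address out of a raw message’s From: header, flags freemail domains, flags a domain that does not belong to the organisation the mail claims to come from, and flags display names or lookalike domains that borrow the organisation’s name. The list of legitimate sending domains and the sample messages are constructed for illustration and are not real mail.

```python
"""Sanity-check the sending address of a suspicious e-mail (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Consumer mail providers a bank, PayPal or the IRS will not send from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Assumed example list of domains each organisation legitimately sends from.
KNOWN_SENDER_DOMAINS = {
    "paypal": {"paypal.com"},
    "irs": {"irs.gov"},
}

# Constructed sample messages (not real mail), keyed by a short label.
SAMPLES = {
    "phish_freemail": (
        "From: PayPal <paypal6709@gmail.com>\n"
        "Subject: Your account is limited\n\n"
        "Click the link to restore access.\n"
    ),
    "phish_lookalike": (
        "From: PayPal Support <service@paypal-secure-login.com>\n"
        "Subject: Verify your identity\n\n"
        "Log in within 24 hours.\n"
    ),
    "legit": (
        "From: service@paypal.com\n"
        "Subject: Your monthly statement\n\n"
        "Your statement is ready.\n"
    ),
}


def sender_address(raw_message: str) -> tuple:
    """Return (display name, address) parsed from the From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))


def domain_of(address: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def matches_known_domain(domain: str, known: set) -> bool:
    """True if domain is one of the known domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in known)


def assess_sender(raw_message: str, claimed_org: str) -> list:
    """Return a list of red flags for a mail claiming to come from claimed_org."""
    name, addr = sender_address(raw_message)
    domain = domain_of(addr)
    if not domain:
        return ["no-sender-address"]

    org = claimed_org.lower()
    known = KNOWN_SENDER_DOMAINS.get(org, set())
    flags = []
    if domain in FREEMAIL_DOMAINS:
        flags.append("freemail-domain")
    if known and not matches_known_domain(domain, known):
        flags.append("domain-mismatch")
        # Display name says "PayPal" but the address is not PayPal's.
        if org in name.lower():
            flags.append("display-name-impersonation")
        # Domain borrows the brand name, e.g. paypal-secure-login.com.
        if org in domain:
            flags.append("lookalike-domain")
    return flags


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {assess_sender(raw, 'PayPal') or ['no flags']}")
```

Running it prints the three verdicts; the two constructed phishing samples are flagged and the legitimate one is not. The check is deliberately conservative: an address that passes it is still worth verifying the way the post recommends, by closing the mail and going to the site directly.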

Be safe, and have a great evening!


35 thoughts on “Toyota’s Passwords Are Always Strong Enough: COTD”

  1. Friendly Neighborhood Nerd here. I have a very simple set of rules about passwords and logins.

    If I can avoid generating a login to begin with, I do.
    If I absolutely cannot avoid generating a login, and the service or product being offered is something I can live without, unless the login generator allows xkcd-936 compliant password generation, or is for something so trivial that I genuinely don’t care (e.g. web forums and website commentary), I walk away.
    If all else fails, I do my best, and actively promote xkcd-936 password compliance as best I can.

  2. Your main protection in passwords is length. Hackers have the encrypted hash string (at least for MD5, a common hash scheme) for every password up to eight characters. Thus, if they are able to hack a company and get a password hash file they can reverse engineer it with a simple search before they even try to log into your account. As a result it doesn’t matter much how “good” your password is until you get over eight letters. Longer strings of easily remembered words or characters will offer the best combination of security and ease of use. For instance, my WiFi password is 26 characters but it’s super easy for me to remember.

    1. (at least for MD5, a common hash scheme)

      If anyone’s using MD5 for passwords they should have their computer taken away and be banned from writing software ever again.

      Proper password salting* avoids the rainbow tables (the technical name for that list of password hashes) vulnerability, but there are a lot of security-ignorant web devs out there so you can’t count on that.

      *: Which is basically just adding a site-specific string to the password before hashing it. That way even if someone has the hash for the password “bz4x”, they probably don’t have the hash for “bz4xautopian.com”.
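The two comments above describe the difference between a bare hash that a precomputed table can look up and a salted one that it cannot. Here is an added example, not code from either commenter: it contrasts unsalted MD5 (the same password always yields the same digest, so one table serves every site and every user) with a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library). Note that the standard practice is a random salt per stored password rather than one site-wide string, which is what this example does; the tiny “table” of common passwords is constructed from the ones named in the post.

```python
"""Unsalted MD5 versus salted, iterated password hashing (added example)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def md5_unsalted(password: str) -> str:
    """The scheme the comment warns about: one digest per password, everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed lookup table: digest -> password.
COMMON_PASSWORDS = ["123456", "password", "baseball", "letmein", "cessna", "bz4x"]
UNSALTED_TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def recover_from_table(digest: str) -> Optional[str]:
    """An unsalted digest of a common password is found with one dictionary lookup."""
    return UNSALTED_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt is drawn per call, so two users with the
    same password (or one user on two sites) get unrelated stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_digest(password: str) -> bool:
    """Unsalted: two independent hashes of one password are identical."""
    return md5_unsalted(password) == md5_unsalted(password)


def same_password_different_storage(password: str) -> bool:
    """Salted: two independent hashes of one password are NOT identical."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    leaked = md5_unsalted("bz4x")
    print("unsalted md5 of bz4x recovered from table:", recover_from_table(leaked))
    stored = hash_password("bz4x")
    print("salted record:", stored)
    print("verify correct password:", verify_password("bz4x", stored))
    print("verify wrong password:", verify_password("bZ4X", stored))
```

The stored record carries its own salt and iteration count, so verification needs no external state, and the iteration count can be raised later without invalidating old records. The MD5 digest of “password” used in the check below is the well-known value 5f4dcc3b5aa765d61d8327deb882cf99.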

  3. I worry that the same source that knows how many people use these commonly used passwords is a great source to hack and steal people’s information.

  4. Gotta go upmarket, indeed. Toyota rightly didn’t bother to spend the money to give my car a trim level, and here in the US (and Canada, I believe) it didn’t even get the proud li’l VVT-i badge.

    At least Yaris has an additional character (plus an additional glove box) over Echo and isn’t a common dictionary word.

  5. I’ve all ways found that scamers are easy to spot.
    Maybe it’s just because I’m an obssesive pendant.
    There’s all ways something obvously wierd about the wording and spelling in the email.

    1. It honestly depends on the target. Scammers are capable of using pixel and grammar perfect emails if it gets what they need. The typical poor grammar scam messages tend to target folks that won’t fight back.

  6. Thanks to the Academy, et al.

    Needed the pick me up.

    Thought I had a deal today on a Z06 when a dealer with NO MARKET ADJUSTMENTS all over their website told me they had an order slot available. Only to find that NO MARKET ADJUSTMENTS seems to actually mean MARKET ADJUSTMENTS WHEN WE FEEL LIKE IT.

    The search continues.

    1. Likely actual conversation:

      V10omous: Your website says no market adjustments.
      Dealer: It’s not a market adjustment. It’s a dealer adjustment.

      I wish I was kidding.

      1. I was a bit more snarky than that, and they tried saying it was a “limited production vehicle”, which is a lie.

        I said I’m very interested in working with an honest dealer and not very interested in bait and switch.

        Time is on my side. Cars with adjustments are sitting.

      1. I debated doing that last night, and your comment has tipped me over the edge.

        Apple Chevrolet in Tinley Park, IL.

        I cannot in good conscience recommend anyone purchase a vehicle from them for as long as this false advertising lasts.

        1. It’s a Z06. It’ll pass. They’ll be making them another 3-4 years still.

          Meanwhile I’m being patient on the Spyder RS front. ADMs have come down from 75->40 already, and I expect it to drop further as the “flip window” closes. I’m being patient, but I’ve identified all my local competitors. I know who I’m up against, and that I’m a nobody in a big lake.

          Though I’m not too worried as it seems every US store will get 2-3. I put in a “heavy” build, agreed to buy a 911 S/T transaxle from the dealer (for the future manual swap), and I’m known to drive my cars in outlandish conditions, so I’m being patient… though may offer to buy the dealer’s unsold (how?!?!) 911 Dakar as an interim “bridge car” if the numbers work.

          1. may offer to buy the dealer’s unsold (how?!?!) 911 Dakar as an interim “bridge car” if the numbers work.

            If you do buy it, I hope you give us a review here.

            1. That’s the thing, I won’t be able to.

              So as a “bridge car” the intent is I trade my Spyder to the dealer, they make some money on that, and they get most of their usual front end on the Dakar. Then the Dakar gets traded in for the Spyder RS. The intent is the dealer gets trade and front end money on the first deal, which is functionally a reasonable ADM, and gets to sell the Dakar at least twice. I would intend to come out of it basically neutral. Everyone basically wins. Basically how Ferrari dealers stay afloat.

              The problem is since I’m basically “holding a 911 Dakar” for the next buyer, I won’t paint correct and PPF it to keep my costs close to zero. It’ll mostly sit. It’ll be yet another rare-ish Porsche with no miles sold used, because a lot of them are bridge cars.

              If I actually bought it to use? Pffft. I’d be all over dirt roads in northern Vermont and Maine like it was an Evo. Though I’ve driven 992 GT3s and they’re way too refined for me aside from them following road crowns more than previous ones. It’d be “neat” but I don’t think I’d love it. It’s not dumb enough, which the SRS is.

              To use my favorite quote, “it would be better if it were a bit worse.”

              1. I guess I don’t understand the process.

                You trade the Spyder in, buy the Dakar, pay taxes on it, don’t drive it, and trade it for the RS.

                For it to make sense for you, the dealer must be paying you more than you paid initially for the Dakar, with the intention of selling it even higher than that. Otherwise, why not just trade the Spyder for the RS?

                Maybe I’m ignorant, but I wouldn’t think a Dakar would be something Porsche dealers would require their customers to take in order to get the RS cars. Like how Ferrari made customers take Californias if they wanted 458s or whatever it was. Presumably they would make you take a couple Cayennes instead.

                But if they can’t sell the Dakar now new for $X, how are they going to sell it later used for $X+$Y?

                1. There’s built in profit to the MSRP. They sell it to me as close to that number as they can, and capture that bit of profit. They later then can sell it as a used car after it’s traded in, which lets them sell it a bit above MSRP (whatever market is), making more on it again. All without, “charging ADM.”

                  This is par for the course for Ferrari, but most used ones aren’t sold above list — it’s just making a bit of money on each sale, though depreciation is a real factor there that helps the dealer. A typical mid-engine Ferrari is sold 4 to 6 times before it finds its final home! It’s how Ferrari dealers survive, because they don’t get enough cars to sell to have a good business.

                  There’s a demand lag on these kinds of cars, because only a few enthusiasts are jumping on them. It’s a while later before the general spending public realizes they exist.

                  Yet also, there really is only so much demand for them. Cars are limited in number for a reason – they genuinely have a hard enough time selling them all sometimes. Again, unsold 911 Dakar at the dealer I’m working with, in a major US metro. This is reality. Though the 991.2 GT2 RS was way, way worse. Those were much rarer and dealers were desperate to get rid of them here in the US.

                  1. Does Porsche crack down on dealers selling above MSRP?

                    I know it’s strictly banned at Ferrari, which is part of why they play these silly games, but I thought Porsche dealers could basically do what they wanted, like Chevy dealers are trying to do to me.

                    If they can’t, this process makes a lot more sense to me.

                    1. Regarding, “why not trade your Spyder for the Spyder RS directly”: Because without a bridge car, I may not ever get a Spyder RS allocation. ~750 expected US cars. This is WAY harder than getting a Z08 Z06 because even though buyers are way lower, so are available units. A bridge car is a way to “play the game” way cheaper than ADM. Yes, sales tax, but I get most of that back on the 2nd trade because of sales tax credit. There’s a carrying cost, but it’s a lot lower than just paying ADM (and the taxes on the higher sale price).

                      ———

                      Ferrari frowns on it, but it happens in markets. However outside of the very famous, the path to get a new hot Ferrari is to buy a lot of used ones first. Or ones you don’t want. The “every car sold 4-6 times” in action.

                      Porsche frowns upon it, but it absolutely happens. Some markets Porsche looks the other way, because you have customers willing to take a bath on a car. I’m not in one of those markets.

                      Yet that’s for new cars. Used cars? Porsche turns a blind eye. They limited the production for a reason and know sometimes cars can be extremely hard to move.

                      Hell, after the GFC, some Cayman Rs and OG Spyders took FIVE YEARS to sell. Those were like $70-90K cars. But the ones with carbon seats and some specced with no AC by the dealer were floor plan poison, and they SAT. Only 891 US Spyders and a similar number of Cayman Rs and they still took 5 years for all to sell through! Manufacturers limit production for a reason!

  7. I’m also going to go ahead and add that your CEO is not going to ask you to buy gift cards for a client. I don’t know you personally or professionally but I’m pretty confident in stating that you are NOT that person. Please just mark that email as spam and delete it.

    1. My wife actually got caught on that one because she works directly for the CEO and she IS that person. Luckily, they figured it out before the purchased cards left her control and the agency had legitimate uses for them so it worked out okay, but now she is VERY careful about phishing.

      1. We have that too. I always feel like the smartest kid in the room when I click it.

        We also have a button that will send emails right to the trash bin. I always click it when someone sends me an email asking if I have “had a chance to read their earlier email.”
