Ford Proud that "Mustang" Is a Common Password

This is what happens when a PR person gets hold of information he really doesn't understand.

"Mustang" is the 16th most common password on the Internet according to a recent study by SplashData, besting both "superman" in 21st place and "batman" in 24th

Mustang is the only car to appear in the top 25 most common Internet passwords

That's not bad. If you're a PR person, that's good.

Here are a few suggestions for strengthening your "mustang" password:

  • Add numbers to your password (favorite Mustang model year, year you bought your Mustang or year you sold the car)

  • Incorporate Mustang option codes, paint codes, engine codes or digits from your VIN

  • Create acronyms for modifications made to your Mustang (FRSC, for Ford Racing SuperCharger, for example)

  • Include your favorite driving road or road trip destination

Keep in mind that using the same password on all websites is not recommended; a password manager can help keep multiple Mustang-related passwords organized and easy-to-access.

At least they didn't sue users for copyright infringement.

Posted on February 16, 2015 at 6:45 AM • 39 Comments
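
The suggestions quoted above keep "mustang" as the base word and append years, codes or acronyms to it. The following is an added example, not code from the post, Ford or SplashData: a server-side check that rejects passwords derived from a blocklisted word. The blocklist contents, substitution table, function names and 12-character minimum are assumptions.

```python
import re

# Constructed sample blocklist: the three passwords named in the post plus two
# illustrative entries. A real deployment would load a breach-derived list.
COMMON = {"mustang", "superman", "batman", "password", "qwerty"}

# Assumed table of common character substitutions, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_words(password):
    """Return the alphabetic cores left after stripping digits and symbols."""
    lowered = password.lower()
    words = set()
    # Examine the password as typed and with substitutions reversed.
    for text in (lowered, lowered.translate(LEET)):
        # Split on every run of non-letters (years, option codes, symbols).
        words.update(w for w in re.split(r"[^a-z]+", text) if len(w) >= 4)
    return words


def check_password(password, min_length=12):
    """Return (accepted, reason); reject short or blocklist-derived passwords."""
    if len(password) < min_length:
        return False, "too short"
    words = base_words(password)
    # Substring match: "mustangfrsc" still counts as built on "mustang".
    # This can over-reject unrelated words that merely contain a listed one.
    for common in sorted(COMMON):
        if any(common in word for word in words):
            return False, f"built on common password '{common}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs following the quoted suggestions, plus one passphrase.
    for candidate in ("mustang", "Mustang1965GT!", "Must4ngFRSC2015",
                      "tidal-ginger-orbit-42"):
        print(candidate, check_password(candidate))
```
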

Comments

Garth Vader • February 16, 2015 8:36 AM

I just use "Ford Pinto" as reverse social engineering. No one believes me worth messing with and some hackers even pity me. I can't tell you how many times I've received $0.25 in my paypal account from some villain in Nigeria or Russia.

Peter A. • February 16, 2015 8:54 AM

Hey, it's actually a very good PR article - intelligent, somewhat geeky, witty, amusing and at the same time promoting - even if humorously - a good security practice. It also shows that there are real, intelligent people - not mindless corporate drones or stiff attorneys - in the company's PR office.

Dr. I. Needtob Athe • February 16, 2015 9:27 AM

I prefer a password like ;s%r>l$Z5Dv}W((7|Xu>. (generated just now with Password Safe)

Now that really pops!

Maren • February 16, 2015 9:42 AM

Hmm. How sure are these Ford-centric PR people that some of the users in question aren't thinking about actual horses? In which case one could include the year one acquired one's mustang, the name of its sire or dam (though since mustangs are by definition wild, that information may or may not be available depending upon the level of herd-observation), the color of one's favorite mustang, or the number of hooves on a typical mustang.

blaughw • February 16, 2015 10:34 AM

@Maren:

Because Ford owns the trademark "Mustang". Any quadruped mammals found to be infringing would be sued into oblivion.

CferMN • February 16, 2015 10:38 AM

My only problem with password managers is what happens if that gets hacked? Then all your secure passwords are completely compromised.

65535 • February 16, 2015 10:50 AM

Here are a couple of comments from Bruce S. from circa 2007:

Rom • February 10, 2007 7:45 AM

This comment by New Boy at January 11, 2007 12:13 PM never got a reply:

"Which passphrase below will likely be broken first in real life situation by government agencies?

1. E5&crW9C@8#x (12 random characters)

2. aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd (4x10 = 40 characters)"

Can anyone give a comment on that now? How secure is such a "long password strategy"? Similarly, I've seen some people advocate using a long sentence as password. A related strategy would be to repeat a simple word multiple times and then add some other stuff. For example:

"soccersoccersoccersoccersoccer$$soccer". That's an easily memorized password: 5 soccer, 2 dollars, 1 soccer. But how secure is it?

Bruce Schneier • February 10, 2007 8:53 AM

@ Rom and @ New Boy

Neither password will ever be broken by the current -- and foreseeable future -- generations of password guessers.

https://www.schneier.com/blog/archives/2007/01/choosing_secure.html#c145424

https://www.schneier.com/blog/archives/2007/01/choosing_secure.html#c145432

https://www.schneier.com/blog/archives/2007/01/choosing_secure.html#c137574

[and]

Bruce Schneier • January 11, 2007 9:18 AM

"However, most of the focus of your article seems to be on password complexity, opposed to password length."

Well, it's both. Some of the dictionaries have words of different lengths.

Of course longer is better. If you have a 32-character password, no software cracker is going to find it.

https://www.schneier.com/blog/archives/2007/01/choosing_secure.html#c137512

It's not 2007 [which dates how long I have been reading this blog].

Is the 40 password length question by New Boy still true?

One last question, when you chain your accounts together, say use your Google email password for your Facebook, YouTube, and other accounts – is it the same as using the “same password” for said accounts? [The “same” being the same risk]


3kk • February 16, 2015 12:14 PM

@CferMN:
For most people it's the choice between having many points of failure on systems you don't have personal control over (in case you use the same password multiple times) or a single point of failure on a system that you control yourself (in case you use a password manager). Of course it would be best if you could just remember a multitude of good passwords without storing them anywhere, but that's not happening. Of course there are some alternatives, too, like having something like passwordcard.org--and if you like these more, then by all means use them.

無名の • February 16, 2015 1:18 PM

@schneier At least they didn't sue users for copyright infringement.
You meant "trademark infringement", didn't you?

Wandering bob • February 16, 2015 1:26 PM

“We’re flattered people want to use ‘mustang’ as their password, but alone, it just isn’t strong enough to be secure,” said Keith Moss, Ford Director of Cyber Security. “We encourage people to use ‘mustang,’ but we recommend they strengthen their password by mixing upper and lower case letters, numbers, acronyms and symbols to make it unique.”


  • Sure sprinkle a little entropy in there, but waste a bunch of it by "encouraging" mustang

  • Did that advice really come from their Director of Cyber Security?

  • Do they give advice like that to employees?

  • I also liked: "While you should always keep your Mustang-inspired password a secret, wear your appreciation for the iconic pony car proudly and loudly." No one is ever going to try using lists of things you like in a password attack...

    albert • February 16, 2015 1:30 PM

    @wiredog
    VIN=LOL

    @65535
    Radix is important, too. I've been on sites that require at least one number and at least one uppercase letter, effectively saying: Radix 62 (A-Z,a-z,0-9). Force folks to use it. You know they're gonna make 'em as short as you allow. Length low limits need to be increased. Weak passwords should be rejected, not simply commented upon as weak. If your site has an 8 character minimum length, guess what length the cracker will try first? It seems obvious, but folks don't seem to get it.

    [rant]
    .
    Recently, in a comment from Close_My_Account_Please, the bank manager shouted out the '1234' password to someone. Now, there's a situation that warranted an email or call to corporate.
    .
    It's time to start password enforcement, on _both_ sides of the fence, and it has to come from IT 'management', not from reliance on minimum-wage bank/store/agency personnel.
    .
    [/rant]

    Anonymous Cow • February 16, 2015 3:04 PM

    ...If you have a 32-character password, no software cracker is going to find it...

    I just encountered a banking site that could not handle any password more than 20 characters. I never thought about the number of characters but I'll be paying attention from now on. And what about those whose instructions supposedly require a 'special character' but balk until you put in only letters and numbers?

    albert • February 16, 2015 3:05 PM

    @Bruce,

    "... At least they didn't sue users for copyright infringement...."

    I know it's a joke, but 'Mustang' couldn't be copyrighted. I'm certain that it is _trademarked_ as an auto model name by FoMoCo. Trademark infringement cases are 'no-win' for the infringer...besides, if you tried to trademark the name 'Mustang' for a saddle, you'd probably be OK (assuming no other saddle maker already got it), but try it for toy car, and you'll get a call from a Ford lawyer. Worse yet, try marketing the car. You'll get a 'cease and desist' letter, and threat of legal action.
    .
    Technically, when citing the name in print, you should put that little tm* thingy in there :)
    .
    Luv ya, Bruce!
    ...

    * Mustang(tm) is a registered trademark of the Ford Motor Company

    albert • February 16, 2015 3:12 PM

    @無名の

    Sorry, 無名の, missed your post...
    .
    You're not THE 匿名の, are you?

    ...

    Anura • February 16, 2015 3:14 PM

    @Jim

    Not necessary on my car; it's visible from the outside, printed and displayed on right at the bottom of the windshield.

    BlueLightMemory • February 16, 2015 5:40 PM

    If there are enough character spaces allowed, I find the best passwords are made up of a moment, thought, or observation in life which you know that no one else knows or can possibly guess. Adding some of these to the password also helps..! & *$ #, / -.

    Wesley Parish • February 17, 2015 3:34 AM

    Why not use a trademarked Ford car name that isn't Mustang? Like Edsel, for example? Or Zephyr?

    That is reverse psychology. "I'm so proud of my Ford Mustang my password is Edsel123@#$%^!!!!"

    Dave • February 17, 2015 9:56 AM

    I always liked the idea of taking the first letter of a passphrase, rather than a password.

    So, for example:
    "My Ford Mustang gets 11 kilometers per liter" becomes the password "MFMg11kpl". You remember the sentence, but the password is unlikely to be something to be guessed with a dictionary attack.

    NobodySpecial • February 17, 2015 11:04 AM

    @Dave and double bonus points for avoiding the more correct but more obvious "My Ford Mustang gets 5 kilometers per liter"

    Fred P • February 17, 2015 12:38 PM

    "At least they didn't sue users for copyright infringement." - "Mustang" is a breed of horse (regardless of its other uses); it isn't copyrightable. It is trademarked, but attempting to claim a violation of a trademark via a presumably secret password would clearly not hold up in court.

    In any case, the live trademarks I can find owned by Ford with the name "Mustang" aren't for the car make; they are for clothing with marketing material for the car make. The ones for knives, cigarette lighters and a magazine appear to be dead. My results are below:

    Word Mark FORD MUSTANG
    Goods and Services IC 025. US 022 039. G & S: clothing, namely, shirts, sweatshirts, T-shirts, polo shirts, golf shirts, [dress shirts, sweaters, vests,] jackets, [rainwear, work coats, scarves, sleep wear, neckties;] headwear, namely, caps, hats, [sunvisors, headbands, babushkas; footwear, namely, athletic shoes, slippers, and moccasins;] all for promotional use relating to automotive vehicles. FIRST USE: 19781101. FIRST USE IN COMMERCE: 19781101
    Mark Drawing Code (1) TYPED DRAWING
    Serial Number 74602729
    Filing Date November 23, 1994

    Word Mark FORD MUSTANG
    Goods and Services IC 025. US 022 039. G & S: clothing, namely shirts, sweatshirts, T-shirts, polo shirts, golf shirts, dress shirts, sweaters, vests, jackets, rainwear, work coats, scarves, sleep wear, neckties; headwear, namely caps, hats, sunvisors, headbands, babushkas; footwear, namely athletic shoes, slippers, and moccasins; all for promotional use relating to automotive vehicles. FIRST USE: 19781101. FIRST USE IN COMMERCE: 19781101
    Mark Drawing Code (3) DESIGN PLUS WORDS, LETTERS, AND/OR NUMBERS
    Design Search Code 03.05.01 - Horses
    03.05.24 - Stylized horses, donkeys, zebras
    26.11.12 - Rectangles with bars, bands and lines
    Serial Number 74602712
    Filing Date November 23, 1994

    albert • February 17, 2015 2:01 PM

    @Fred P
    Good work! Did Ford let it lapse? That would be a surprise, as Mustangs are still manufactured. OTOH, their logo (design/words) tm is still active.
    .
    Anyway, the words "Ford Mustang" probably wouldn't be used by another car company. Maybe "Ferrari Mustang":)

    Interesting, nonetheless...
    .
    I should amend my comment to read "Ford Mustang" anyway.
    ...

    renke • February 18, 2015 4:09 AM

    @Fred P

    interesting - at least in Germany Ford owns the trademark for Mustang for Nice class 12 (Vehicles; apparatus for locomotion by land, air or water.) since 1979 [DPMA no 994134]

    65535 • February 18, 2015 8:13 AM

    "@65535
    "Radix is important, too. I've been on sites that require at least one number and at least one uppercase letter, effectively saying: Radix 62 (A-Z,a-z,0-9). Force folks to use it. You know they're gonna make 'em as short as you allow. Length low limits need to be increased. Weak passwords should be rejected, not simply commented upon as weak. If your site has an 8 character minimum length, guess what length the cracker will try first? It seems obvious, but folks don't seem to get it."-albert

    I understand that some sites truncate long passwords. That is a real problem. Thanks for the heads-up.

    I know that some SOHO routers also truncate passwords to 8 characters. I suspect that was an NSA requirement - but who knows.

    Stuart • February 19, 2015 3:23 AM

    @Dr. I. Needtob Athe: that reminds me of one occasion in my professional career. I was working on a bank's systems; they had a lot of Unix systems, and those systems had their own password file (no Kerberos, NIS, LDAP, or similar; it was all /etc/passwd and /etc/shadow, or equivalent.) So I had to keep tabs on several hundred passwords.

    I used Password Safe for that purpose.

    One day, I had to login to a particular host, which told me my password had expired; please change it. So I made a note of my old password (as my usual practice), generated a new one, and pasted it into the "new password" prompt.

    I was disconnected.

    Say what?

    Login again with the old password. Pasted the new password into the "new password" prompt. Boom - disconnected. It took me a few goes before I thought to look at the new password that had been generated. The first two characters? "~." Yes, kiddies, that's right: Password Safe had randomly generated a password that was guaranteed to tell ssh (in its default configuration) to disconnect the session.

    I had to laugh.. right after I generated another password.

    65535 • February 19, 2015 11:12 PM

    @ Stuart, Albert

    “…they [the bank] had a lot of Unix systems, and those systems had their own password file (no Kerberos, NIS, LDAP, or similar; it was all /etc/passwd and /etc/shadow, or equivalent.)… I made a note of my old password (as my usual practice), generated a new one, and pasted it into the "new password" prompt. I was disconnected. Say what? …The first two characters? "~." Yes, kiddies, that's right: Password Safe had randomly generated a password that was guaranteed to tell ssh (in its default configuration) to disconnect the session.” – Stuart

    In the same vein, I have seen large institutions limit the use or outright ban the use of special characters [restrict Radix]. Some to the point that no special characters or upper case characters are allowed and length is limited to 20 characters – the supposed technical reason is to avoid SQL injection from the log on screen.

    I am not a skilled expert of SQL injection in N-stack web facing servers but that sounds like a lame excuse [say LAMP with a top end application of say Wordpress or similar top application].

    Aside, with the recent news of hardware rootkits used by our friends at Fort Meade it has absorbed all my time trying to find protection against such “Equation malware kit” which leaves me extremely distressed.

    It does appear that hardware based rootkits or persistent threats are no longer academic experiments but active exploits of “Agencies” and probably clever hacking groups – credit card skimming and the like. The remediation of such exploits seems to be complex and expensive [junking of a large amount of hardware].

    Everything from motherboards to hard drive controllers; to thumb drives; to mobile phones in the work place have to be vetted - which is not thoroughly described in the public data.

    Gad, what a waste of time and financial resources for the average shop – thanks a lot you over-paid idiots at Fort Meade!

    https://www.schneier.com/blog/archives/2015/02/the_equation_gr.html
