Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

Choosing (one of) your phone numbers as a password really is all about choosing a bad password.

The back-end could be using bcrypt with a ridiculous work factor, and server security could be state of the art, but choosing your phone number as a password will always be a poor decision.



>but choosing your phone number as a password will always be a poor decision

Always? OK, I've reset my HN password to [one of] my phone number. So you can log in as me now?

No of course you can't. You don't even know how many digits it is, did I include + for an international number, did I use brackets, hyphens, dots (comme une gars Francais)? How will you connect my online ID with my phone number¹?

Once you have my password what are you going to do? Right flames and lose me karma? I can just start a new account if needs be, nothing lost really.

For many accounts a phone number is probably a good enough password IMO. For accounts that handle money? No way. For email accounts that receive reset passwords? Not a chance. For posting drivel on tech chat forums ... it'll be fine!

--

¹ If you can I'd prefer you didn't print it.


FWIW, a couple of minutes googling found 3 seemingly-valid phone numbers for you.


Ha, I have 4 (actually 5 but I don't remember the twilio one) ... do you want to give me the end digits for confirmation purposes, last 4 digits should be enough.


deleted


Lolz, totally forgot about whois!!

Interestingly I searched for the numbers as I'd use them along with a substring of my username and didn't find them. Did you really Google or were you using the term generically? I tried both Google and Bing.

Well done now you can destroy my HN karma (no not really).


First google hit for "pbhj" is an seomoz profile for a web person person in the UK, which superficially matches the fact that pbhjpbhj has an account on hacker news and their previous comment here had talked about living in the UK.

The seomoz profile lists a couple of websites. One of those sites has a phone number on the /contact page, and the /about page on the other links to another business (not totally sure how I originally found that, but this is currently the quickest way to get there.)

That business has a couple more phone numbers listed on their homepage, which also matches the phone numbers on the shopfront on google street view.

This can also be cross-checked with whois.

A bit more googling (literally) of your names found an alternative (possibly old?) address in the same town, and googling that pulled up a fourth number.


Nice work courteous and complete. Funny because I usually do this the other way around. I'm not getting the SEOmoz profile high in the SERPs.

I never used to give away my location but got tired of anonymity for it's own sake. Think I'll be reviewing my online exposure now. It's been something I've worried over a little recently but it's hard to keep work/home separate (which I prefer) in many ways. Thanks for getting back to me.


The point is very very very rarely you actually hear of hacking stories where someone has actually "guessed" a password. Most of the time it's either social hacking or a db dump. Password choice is important to avoid password reuse but I am pretty confident that password guessing is a hugely overestimated risk.


The News of the World scandal going on now is, to some extent, about guessing the password. However, they were guessing passwords like 0000, which probably isn't quite what you had in mind.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: