“The puppy’s name can be whatever you want”, the father in the Bizarro comic tells his son, “but make sure it is something memorable. You’ll be using it as a security question answer for the rest of your life.”
Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog’s name was probably also used as a password at some point as people often use pets’ names — maybe with a couple of numbers at the end.
“Poppy95” is not a secure password but it is fairly typical and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.
People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“letmein”), sports teams (“liverpool”) and angst (“whatever”). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.
Both breaches — estimated at about 30m-40m each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.
Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people’s work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.
Second, the data sets can be added to “dictionaries” comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.
If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and “leet speak” — changing s to $, say — were also common.
Unfortunately, password strength meters aren’t much help as they underestimate hackers’ understanding of users’ habits.
In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.
There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where “security” is “guessability” using cracking tools. Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.
However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”. The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy’s name.
Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”. They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
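The transformations described above (appended digits, leet speak, keyboard walks, a familiar base word) are exactly what a pattern-aware strength check can undo before judging a password, which is why "astley123" ranks below "astleyabc" and "iloveyou88" below "ieatkale88". The Python below is an added illustration, not code from the article or the cited studies; its word list, keyboard rows, leet table and 12-character floor are constructed assumptions standing in for the breach-derived dictionaries a real checker would load.

```python
import re

# Constructed mini "dictionary": base words the article says recur in leaks.
# A real checker would load breached-password lists; this keeps the demo offline.
COMMON_BASES = {"monkey", "letmein", "liverpool", "whatever", "iloveyou",
                "poppy", "astley", "password", "welcome", "qwerty"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Leet-speak reversal table (assumed mapping): $->s @->a 0->o 1->l 3->e 4->a 7->t !->i
UNLEET = str.maketrans("$@01347!", "saoleati")
MIN_LENGTH = 12  # assumed policy floor, not a value from the article

def _core(pw: str) -> str:
    """Lower-case and strip prepended/appended digits or symbols, the cheap
    edits the Illinois study found users make when 'changing' a password."""
    lowered = pw.lower()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered) or lowered

def normalise(pw: str) -> str:
    """Recover the base word: strip the bolt-ons, then reverse leet substitutions."""
    return _core(pw).translate(UNLEET)

def is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s is a contiguous run along one keyboard row, in either direction."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def weaknesses(pw: str) -> list:
    """Return the predictable-construction patterns found in pw (empty = none)."""
    found = []
    core = _core(pw)
    base = core.translate(UNLEET)
    if base in COMMON_BASES:
        found.append(f"common base word '{base}'")
    if is_keyboard_walk(core):
        found.append("keyboard pattern")
    if re.search(r"\d+$", pw):
        found.append("appended digits")
    if core != base:
        found.append("leet-speak substitutions")
    if len(pw) < MIN_LENGTH:
        found.append(f"fewer than {MIN_LENGTH} characters")
    return found

if __name__ == "__main__":
    for candidate in ["Poppy95", "astley123", "astleyabc", "iloveyou88", "ieatkale88"]:
        print(f"{candidate:12} -> {weaknesses(candidate) or 'no known pattern'}")
```

A server-side registration check built this way rejects on the patterns found rather than on a character-class count, so the digit-appended variant of a pet's name scores no better than the name itself.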
The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don’t often see one another’s passwords. Unfortunately, hackers do.