05 黑客面前,你的密碼有多脆弱?
上個(gè)月,雅虎證實(shí),該公司遭遇了也許是史上最大規(guī)模的網(wǎng)絡(luò)安全侵入,至少影響5億賬戶(hù)。據(jù)BBC報(bào)道,Dropbox今年8月承認(rèn)2012年該網(wǎng)站遭遇的黑客入侵事件影響到了超過(guò)6千8百萬(wàn)個(gè)賬戶(hù)。如今,數(shù)據(jù)泄露已是家常便飯,多起黑客事件提醒我們,在網(wǎng)絡(luò)安全方面,我們做的遠(yuǎn)遠(yuǎn)不夠。
“這只小狗的名字你可以隨便取,”漫畫(huà)Bizarro中的父親告訴兒子,“但要確保能記住。因?yàn)槟阋惠呑佣家阉鳛榘踩珕?wèn)題的答案?!?/p>
不幸的是,在成為遭到泄露的雅虎5億賬戶(hù)細(xì)節(jié)(包括有關(guān)你的第一只寵物的安全問(wèn)題答案)之一時(shí),這只狗的名字(例如Poppy)可能沒(méi)有加密。狗的名字也可能被用作了密碼,因?yàn)槿藗兂3O矚g把寵物的名字用作密碼,也許后面會(huì)加上兩個(gè)數(shù)字。
“Poppy95”并非一個(gè)安全的密碼,但它相當(dāng)普遍,而且說(shuō)明了一個(gè)令人不安的事實(shí):我們隨隨便便的密碼結(jié)構(gòu)是可以預(yù)測(cè)的。而且,隨著一些頗受歡迎的網(wǎng)站遭遇大規(guī)模數(shù)據(jù)泄露,黑客對(duì)我們的習(xí)慣了如指掌。
令人擔(dān)憂的密碼安全
People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“l(fā)etmein”), sports teams (“l(fā)iverpool”) and angst (“whatever”).All proved popular with users of the adultery site, Ashley Madison, hacked last year.In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.
人們經(jīng)常選擇動(dòng)物(monkey)、鍵盤(pán)上字母的排列(zxcvbn)、蹩腳笑話(letmein)、運(yùn)動(dòng)隊(duì)(liverpool)和一些焦慮的情緒(whatever)作為密碼。事實(shí)證明,所有這些密碼在去年遭到黑客攻擊的成人網(wǎng)站Ashley Madison用戶(hù)中頗受歡迎。如果你認(rèn)為只有成人網(wǎng)站用戶(hù)才使用這么不安全的密碼的話,你就錯(cuò)了,其中很多還出現(xiàn)在最近才曝出的音樂(lè)服務(wù)網(wǎng)站Last.fm數(shù)據(jù)泄露事件中。
成人網(wǎng)站Ashley Madison去年曾遭黑客攻擊
Most people reuse passwords.This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people's work.And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.
多數(shù)人會(huì)重復(fù)使用密碼。這意味著,一個(gè)網(wǎng)站的登錄信息可能會(huì)在更有價(jià)值的網(wǎng)站上使用:例如金融賬戶(hù)或工作網(wǎng)絡(luò)。結(jié)合其他信息,比如從零售商處獲取的以前的住址以及從雅虎或Facebook獲取的生日日期,這些密碼可能會(huì)被用來(lái)騙貸。
If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you.A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make.Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts.Popular changes involved two to three appended characters.Keyboard sequence changes, capitalisation changes and “l(fā)eet speak” — changing s to $, say — were also common.
如果你在想:“我可能會(huì)用同樣的基礎(chǔ)密碼,但會(huì)在不同網(wǎng)站稍作改動(dòng)”,好吧,這里有一份研究論文給你看。來(lái)自伊利諾伊大學(xué)香檳分校和其他機(jī)構(gòu)的研究人員考察了人們常常會(huì)做出的過(guò)分簡(jiǎn)單的改動(dòng)。利用來(lái)自不同網(wǎng)站泄密的同一用戶(hù)的密碼,他們能夠在100次或更少次嘗試后猜出近三分之一更改后的密碼。常見(jiàn)的更改包括后面加2到3個(gè)字符。鍵盤(pán)順序變化、大小寫(xiě)變動(dòng)以及“黑客文”(例如,把S變成$)也很常見(jiàn)。
Unfortunately, password strength meters aren't much help as they underestimate hackers' understanding of users' habits.In an ideal world, website owners would strengthen their own security to protect users.But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there's only so much they can do.
不幸的是,密碼強(qiáng)度檢測(cè)工具幫助不大,因?yàn)樗鼈兊凸懒撕诳蛯?duì)用戶(hù)習(xí)慣的了解。在理想世界中,網(wǎng)站所有者會(huì)增強(qiáng)網(wǎng)站安全以保護(hù)用戶(hù)。但如果它們的客戶(hù)使用不安全密碼,或在另一個(gè)不那么安全的網(wǎng)站重復(fù)使用高強(qiáng)度的密碼,它們能做的也就很有限了。
什么樣的密碼才安全
There is some encouragement to be had, though.University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs.Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.
然而,還是有一些可喜的事情。賓夕法尼亞州的大學(xué)研究人員測(cè)試了人們能否準(zhǔn)確識(shí)別一對(duì)密碼中更安全的密碼。參與者的表現(xiàn)非常好,他們認(rèn)識(shí)到密碼中間加入大寫(xiě)字母、數(shù)字和符號(hào)會(huì)更安全,同時(shí)要避免使用名字。
However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”.The former is easier to crack because of the pervasiveness of the pattern of appending digits
然而,他們也高估了后綴數(shù)字的用處,他們不正確地認(rèn)為“astley123”比“astleyabc”更安全。前者更容易破解,因?yàn)楹缶Y數(shù)字模式很普遍。
Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”.They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
參與者還“低估了根據(jù)常見(jiàn)的鍵盤(pán)字母排列和常見(jiàn)短語(yǔ)設(shè)置密碼的低安全性”。他們錯(cuò)誤地認(rèn)為“iloveyou88”比“ieatkale88”(坦率來(lái)說(shuō),這似乎是一個(gè)不錯(cuò)的狗狗名字)更安全。
The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are.Which is not surprising, they note, as we don't often see one another's passwords.Unfortunately, hackers do.
研究人員總結(jié)稱(chēng),這些誤解以及不安全的密碼選擇,一般來(lái)自于對(duì)潛在攻擊風(fēng)險(xiǎn)的低估和對(duì)某些密碼設(shè)置方法的普遍性和危險(xiǎn)性缺乏認(rèn)識(shí)。他們指出,這并不意外,因?yàn)槲覀儾粫?huì)經(jīng)??吹絼e人的密碼。不幸的是,黑客會(huì)經(jīng)??吹?。
詞匯總結(jié)
fraudulently ['fr?djul?ntli]
adv.欺騙地
They may be used to obtain credit fraudulently.
這些密碼可能會(huì)被用來(lái)騙貸。
pervasiveness [p?r've?s?vn?s]
n.無(wú)處不在;廣泛性;普遍性
appending [?'p?nd]
adj.附加的
v.附加;掛上(append的ing形式)
The former is easier to crack because of the pervasiveness of the pattern of appending digits
前者更容易破解,因?yàn)楹缶Y數(shù)字模式很普遍。
security property安全屬性
Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”.
參與者還“低估了根據(jù)常見(jiàn)的鍵盤(pán)字母排列和常見(jiàn)短語(yǔ)設(shè)置密碼的低安全性”。
try out試驗(yàn);提煉;考驗(yàn)
This means the login details from one site can be tried out on more valuable sites
這意味著,一個(gè)網(wǎng)站的登錄信息可能會(huì)在更有價(jià)值的網(wǎng)站上使用:例如金融賬戶(hù)或工作網(wǎng)絡(luò)。
瘋狂英語(yǔ) 英語(yǔ)語(yǔ)法 新概念英語(yǔ) 走遍美國(guó) 四級(jí)聽(tīng)力 英語(yǔ)音標(biāo) 英語(yǔ)入門(mén) 發(fā)音 美語(yǔ) 四級(jí) 新東方 七年級(jí) 賴(lài)世雄 zero是什么意思南昌市佑營(yíng)街小區(qū)英語(yǔ)學(xué)習(xí)交流群