黑客面前，你的密碼有多脆弱？

05 黑客面前，你的密碼有多脆弱？

上個月，雅虎證實，該公司遭遇了也許是史上最大規(guī)模的網絡安全侵入，至少影響5億賬戶。據BBC報道，Dropbox今年8月承認2012年該網站遭遇的黑客入侵事件影響到了超過6千8百萬個賬戶。如今，數(shù)據泄露已是家常便飯，多起黑客事件提醒我們，在網絡安全方面，我們做的遠遠不夠。

“這只小狗的名字你可以隨便取，”漫畫Bizarro中的父親告訴兒子，“但要確保能記住。因為你一輩子都要把它作為安全問題的答案。”

不幸的是，在成為遭到泄露的雅虎5億賬戶細節(jié)（包括有關你的第一只寵物的安全問題答案）之一時，這只狗的名字（例如Poppy）可能沒有加密。狗的名字也可能被用作了密碼，因為人們常常喜歡把寵物的名字用作密碼，也許后面會加上兩個數(shù)字。

“Poppy95”并非一個安全的密碼，但它相當普遍，而且說明了一個令人不安的事實：我們隨隨便便的密碼結構是可以預測的。而且，隨著一些頗受歡迎的網站遭遇大規(guī)模數(shù)據泄露，黑客對我們的習慣了如指掌。

令人擔憂的密碼安全

People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“l(fā)etmein”), sports teams (“l(fā)iverpool”) and angst (“whatever”).All proved popular with users of the adultery site, Ashley Madison, hacked last year.In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.

人們經常選擇動物（monkey）、鍵盤上字母的排列（zxcvbn）、蹩腳笑話（letmein）、運動隊（liverpool）和一些焦慮的情緒（whatever）作為密碼。事實證明，所有這些密碼在去年遭到黑客攻擊的成人網站Ashley Madison用戶中頗受歡迎。如果你認為只有成人網站用戶才使用這么不安全的密碼的話，你就錯了，其中很多還出現(xiàn)在最近才曝出的音樂服務網站Last.fm數(shù)據泄露事件中。

成人網站Ashley Madison去年曾遭黑客攻擊

Most people reuse passwords.This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people's work.And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.

多數(shù)人會重復使用密碼。這意味著，一個網站的登錄信息可能會在更有價值的網站上使用：例如金融賬戶或工作網絡。結合其他信息，比如從零售商處獲取的以前的住址以及從雅虎或Facebook獲取的生日日期，這些密碼可能會被用來騙貸。

If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you.A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make.Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts.Popular changes involved two to three appended characters.Keyboard sequence changes, capitalisation changes and “l(fā)eet speak” — changing s to $, say — were also common.

如果你在想：“我可能會用同樣的基礎密碼，但會在不同網站稍作改動”，好吧，這里有一份研究論文給你看。來自伊利諾伊大學香檳分校和其他機構的研究人員考察了人們常常會做出的過分簡單的改動。利用來自不同網站泄密的同一用戶的密碼，他們能夠在100次或更少次嘗試后猜出近三分之一更改后的密碼。常見的更改包括后面加2到3個字符。鍵盤順序變化、大小寫變動以及“黑客文”（例如，把S變成$）也很常見。

Unfortunately, password strength meters aren't much help as they underestimate hackers' understanding of users' habits.In an ideal world, website owners would strengthen their own security to protect users.But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there's only so much they can do.

不幸的是，密碼強度檢測工具幫助不大，因為它們低估了黑客對用戶習慣的了解。在理想世界中，網站所有者會增強網站安全以保護用戶。但如果它們的客戶使用不安全密碼，或在另一個不那么安全的網站重復使用高強度的密碼，它們能做的也就很有限了。

什么樣的密碼才安全

There is some encouragement to be had, though.University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs.Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.

然而，還是有一些可喜的事情。賓夕法尼亞州的大學研究人員測試了人們能否準確識別一對密碼中更安全的密碼。參與者的表現(xiàn)非常好，他們認識到密碼中間加入大寫字母、數(shù)字和符號會更安全，同時要避免使用名字。

However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”.The former is easier to crack because of the pervasiveness of the pattern of appending digits

然而，他們也高估了后綴數(shù)字的用處，他們不正確地認為“astley123”比“astleyabc”更安全。前者更容易破解，因為后綴數(shù)字模式很普遍。

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”.They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).

參與者還“低估了根據常見的鍵盤字母排列和常見短語設置密碼的低安全性”。他們錯誤地認為“iloveyou88”比“ieatkale88”（坦率來說，這似乎是一個不錯的狗狗名字）更安全。

The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are.Which is not surprising, they note, as we don't often see one another's passwords.Unfortunately, hackers do.

研究人員總結稱，這些誤解以及不安全的密碼選擇，一般來自于對潛在攻擊風險的低估和對某些密碼設置方法的普遍性和危險性缺乏認識。他們指出，這并不意外，因為我們不會經?？吹絼e人的密碼。不幸的是，黑客會經?？吹?。

詞匯總結

fraudulently ['fr?djul?ntli]

adv.欺騙地

They may be used to obtain credit fraudulently.

這些密碼可能會被用來騙貸。

pervasiveness [p?r've?s?vn?s]

n.無處不在；廣泛性；普遍性

appending [?'p?nd]

adj.附加的

v.附加；掛上（append的ing形式）

The former is easier to crack because of the pervasiveness of the pattern of appending digits

前者更容易破解，因為后綴數(shù)字模式很普遍。

security property安全屬性

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”.

參與者還“低估了根據常見的鍵盤字母排列和常見短語設置密碼的低安全性”。

try out試驗；提煉；考驗

This means the login details from one site can be tried out on more valuable sites

這意味著，一個網站的登錄信息可能會在更有價值的網站上使用：例如金融賬戶或工作網絡。