“The puppy’s name can be whatever you want”, the father in the Bizarro comic tells his son, “but make sure it is something memorable. You’ll be using it as a security question answer for the rest of your life.”
Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog’s name was probably also used as a password at some point as people often use pets’ names — maybe with a couple of numbers at the end.
“Poppy95” is not a secure password but it is fairly typical and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.
People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“letmein”), sports teams (“liverpool”) and angst (“whatever”). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.
Both breaches — estimated at about 30m-40m each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.
Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people’s work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.
Second, the leaked data sets can be added to the “dictionaries” used to crack passwords, alongside actual dictionaries, tens of thousands of books and all of Wikipedia.
If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 attempts. Popular changes involved two to three appended characters. Keyboard-sequence changes, capitalisation changes and “leet speak”, changing s to $, say, were also common.
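To make the cross-site guessing concrete, here is an added example (not code from the article or from the study it cites) that takes a password exposed in one breach and tries the transformation families described above, in an assumed order of popularity, against the hash a second site stores. Unsalted SHA-256 is an assumed stand-in for whatever that site really uses, the suffix list is constructed, and the sample passwords are invented for illustration.

```python
"""Guessing a user's password on site B from the one leaked at site A.

Added example, not code from the article or the study it cites. It applies
the transformation families described above (capitalisation, counter changes
to a trailing number, appended characters, suffix swaps, leet substitutions)
in an assumed order of popularity and counts the guesses needed to match
site B's stored hash. Unsalted SHA-256 is an assumed stand-in for whatever
site B really stores; COMMON_SUFFIXES is a constructed list.
"""
import hashlib
import itertools
import string

LEET = {"a": "@", "s": "$", "e": "3", "i": "1", "o": "0"}
# Constructed: suffixes people commonly swap in. A real attack would rank
# these from a breach corpus rather than guess.
COMMON_SUFFIXES = ["1", "!", "123", "12", "2016", "01", "!!", "1!", "007", "69"]


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def split_suffix(pw):
    """'poppy95' -> ('poppy', '95'): the trailing non-letters are what people
    most often change between sites."""
    i = len(pw)
    while i > 0 and not pw[i - 1].isalpha():
        i -= 1
    return pw[:i], pw[i:]


def variants(leaked):
    """Return guesses derived from `leaked`, most likely first, no repeats.
    Guess #1 is plain reuse."""
    base, suffix = split_suffix(leaked)
    guesses = [leaked]
    # capitalisation changes
    guesses += [leaked.capitalize(), leaked.upper(), base.upper() + suffix]
    # counter changes to a numeric suffix: poppy95 -> poppy96, poppy94
    if suffix.isdigit():
        n, width = int(suffix), len(suffix)
        guesses += [f"{base}{n + 1:0{width}d}", f"{base}{max(n - 1, 0):0{width}d}"]
    # one appended character: digits first, then the usual symbols
    guesses += [leaked + ch for ch in string.digits + "!@#$?"]
    # swap the suffix for a popular one
    guesses += [base + s for s in COMMON_SUFFIXES]
    # leet speak applied to the base word
    leet = "".join(LEET.get(ch, ch) for ch in base)
    guesses += [leet + suffix, leet, leet.capitalize() + suffix]
    # two appended digits (100 further guesses)
    guesses += [leaked + a + b for a, b in itertools.product(string.digits, repeat=2)]
    seen, ordered = set(), []
    for g in guesses:
        if g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def guesses_to_crack(leaked, target_hash, limit=100):
    """1-based number of the guess that matches `target_hash`, or None if no
    match within `limit` guesses."""
    for n, cand in enumerate(variants(leaked), start=1):
        if n > limit:
            return None
        if sha256_hex(cand) == target_hash:
            return n
    return None


if __name__ == "__main__":
    leaked = "poppy95"  # constructed: the password exposed in breach A
    for real in ("Poppy95", "poppy96", "poppy123", "p0ppy95", "ieatkale88"):
        print(real, "->", guesses_to_crack(leaked, sha256_hex(real)))
```

The guess budget matters: a few dozen attempts per account is well within what an attacker can spend online against a login form, so a variant found this cheaply needs no offline cracking at all. A password unrelated to the leaked one (the “ieatkale88” case) falls outside the budget, which is the whole argument for not deriving one password from another.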
Unfortunately, password strength meters aren’t much help: most simply score length and character variety, which underestimates how well hackers understand users’ habits.
In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.
There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password in each of a series of pairs, where “security” means how hard the password is to guess with cracking tools. Participants did reasonably well, recognising the benefits of capitals, digits and symbols placed in the middle of a password, and of avoiding names.
However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”. The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy’s name.
Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”. They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
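The two mis-judged pairs above, “astley123” versus “astleyabc” and “iloveyou88” versus “ieatkale88”, can be reproduced with a small scorer. This is an added example, not code from the article or the researchers it cites. It rates each pair twice: once with the character-class formula behind a typical strength meter, and once with a structure-based estimate in the spirit of pattern-aware cracking tools, which prices a password by how common its shape and its base word are in leaked data. The corpus it trains on is a constructed stand-in for a breach dump, built only from the patterns the article names.

```python
"""Why a character-class strength meter gets 'astley123' vs 'astleyabc' wrong.

Added example, not code from the article or the researchers it cites. Two
scorers rate the same pairs:
  naive_bits   - the usual meter: log2(alphabet size) * length.
  pattern_bits - an estimate in the spirit of structure-based crackers:
                 abstract the password to a shape (runs of Letters / Digits /
                 Symbols), pull out the base word, and price both by how
                 common they are in a corpus of leaked passwords.
LEAKED_SAMPLE is a small constructed stand-in for a breach dump, built from
the patterns the article names; real corpora run to hundreds of millions.
"""
import math
from collections import Counter

# Constructed sample of leaked passwords (not real breach data).
LEAKED_SAMPLE = [
    "monkey", "monkey1", "monkey123", "zxcvbn", "letmein", "letmein1",
    "liverpool", "liverpool1", "liverpool99", "whatever", "whatever1",
    "poppy95", "poppy96", "iloveyou", "iloveyou1", "iloveyou88",
    "password", "password1", "qwerty", "qwerty123", "sunshine1", "princess12",
    "football7", "charlie!", "dragon", "master1",
]


def shape(pw):
    """Run structure of a password: 'astley123' -> 'LD', 'charlie!' -> 'LS'."""
    out = []
    for ch in pw:
        cls = "L" if ch.isalpha() else "D" if ch.isdigit() else "S"
        if not out or out[-1] != cls:
            out.append(cls)
    return "".join(out)


def base_word(pw):
    """Longest run of letters, lower-cased: the word the password is built on."""
    runs, cur = [], ""
    for ch in pw:
        if ch.isalpha():
            cur += ch
        else:
            runs.append(cur)
            cur = ""
    runs.append(cur)
    return max(runs, key=len).lower()


def naive_bits(pw):
    """Character-class meter: bigger alphabet and longer string score higher."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def train(corpus):
    """Count shapes and base words in a leaked corpus."""
    return {
        "n": len(corpus),
        "shapes": Counter(shape(p) for p in corpus),
        "words": Counter(base_word(p) for p in corpus),
    }


MODEL = train(LEAKED_SAMPLE)


def pattern_bits(pw, model=MODEL):
    """Guessing cost in bits under the structure model: P(pw) ~ P(shape) *
    P(base word), Laplace-smoothed so an unseen shape or word is rare, not
    impossible. Higher means more guesses needed."""
    n = model["n"]
    p_shape = (model["shapes"][shape(pw)] + 1) / (n + len(model["shapes"]) + 1)
    p_word = (model["words"][base_word(pw)] + 1) / (n + len(model["words"]) + 1)
    return -math.log2(p_shape * p_word)


def stronger(a, b, scorer):
    """Whichever of a, b the scorer rates higher, or None on a tie."""
    sa, sb = scorer(a), scorer(b)
    if sa == sb:
        return None
    return a if sa > sb else b


if __name__ == "__main__":
    for pair in (("astley123", "astleyabc"), ("iloveyou88", "ieatkale88")):
        print(pair, "meter:", stronger(*pair, naive_bits),
              "pattern:", stronger(*pair, pattern_bits))
```

The naive meter prefers “astley123” because digits widen the alphabet, and it cannot separate “iloveyou88” from “ieatkale88” at all, since both have the same length and character classes. The structure model ranks them the other way round for exactly the reasons the participants missed: a letters-then-digits shape is the most common structure in the corpus, and “iloveyou” is a base word that appears in it while “ieatkale” does not.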
The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don’t often see one another’s passwords. Unfortunately, hackers do.