“The puppy’s name can be whatever you want”, the father in the Bizarro comic tells his son, “but make sure it is something memorable. You’ll be using it as a security question answer for the rest of your life.”

Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog’s name was probably also used as a password at some point, as people often use pets’ names — maybe with a couple of numbers at the end.

“Poppy95” is not a secure password but it is fairly typical, and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.

People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“letmein”), sports teams (“liverpool”) and angst (“whatever”). All proved popular with users of the adultery site Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.

Both breaches — estimated at about 30m-40m each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.

Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people’s work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.

Second, the data sets can be added to “dictionaries” comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.


If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and “leet speak” — changing s to $, say — were also common.

Unfortunately, password strength meters aren’t much help, as they underestimate hackers’ understanding of users’ habits.

In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.

There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where “security” is “guessability” using cracking tools. Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.


However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”. The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy’s name.

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”. They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
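The predictable edits discussed above and in the Illinois study (appended digits, leet substitutions, capitalisation changes, keyboard walks) are exactly what a server-side password policy check can undo before consulting a blocklist. The Python below is an added illustration, not code from the article or from any study it cites; the tiny blocklist and the keyboard rows are constructed stand-ins for the leak-derived dictionaries the article describes.

```python
import re

# Constructed, tiny stand-in for the leak-derived "dictionaries" the article
# describes; a real check would consult a large breached-password corpus.
COMMON_BASES = {"poppy", "monkey", "letmein", "liverpool", "whatever",
                "password", "iloveyou", "astley"}

# QWERTY rows, used to detect keyboard walks such as "zxcvbn".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Reverse "leet speak" substitutions (the article's s -> $ and similar).
UNLEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                        "4": "a", "5": "s", "7": "t", "!": "i"})

# Trailing digits/symbols: the appended "95" or "123" pattern.
TRAILING = re.compile(r"[^a-zA-Z]+$")


def normalize(password: str) -> str:
    """Undo the cheap edits the Illinois study found most common:
    appended characters, leet substitutions and capitalisation."""
    return TRAILING.sub("", password).translate(UNLEET).lower()


def keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True if a run of min_len+ characters is a slice of a keyboard row,
    forwards or reversed (e.g. 'zxcvbn', 'asdf', '4321')."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            for end in range(start + min_len, len(row) + 1):
                piece = row[start:end]
                if piece in p or piece[::-1] in p:
                    return True
    return False


def assess(password: str) -> str:
    """Return 'ok' or 'weak: <reason>'. The same predictability that helps a
    cracker lets a policy check reject the password before it is stored."""
    base = normalize(password)
    if base in COMMON_BASES:
        return f"weak: common base '{base}' plus predictable edits"
    if keyboard_walk(password):
        return "weak: keyboard pattern"
    if len(password) < 8:
        return "weak: shorter than 8 characters"
    return "ok"
```

With this check, “Poppy95”, “astley123” and “iloveyou88” all collapse to a blocklisted base word, while “astleyabc” and “ieatkale88” pass, matching the ranking the article's researchers found participants got wrong.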

The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don’t often see one another’s passwords. Unfortunately, hackers do.