
How vulnerable is your password to hackers?

Series: Learning English with the Financial Times


12 February 2022


05 How vulnerable is your password to hackers?

Last month, Yahoo confirmed that it had suffered what may be the largest cyber-security breach in history, affecting at least 500 million accounts. According to the BBC, Dropbox admitted in August this year that a 2012 hack of the site had affected more than 68 million accounts. Data breaches are now commonplace, and a string of hacking incidents reminds us that we are doing far too little about online security.

"You can name this puppy whatever you like," the father in the comic strip Bizarro tells his son, "but make sure you can remember it, because you'll be using it as the answer to your security question for the rest of your life."

Unfortunately, when it became one of the 500 million leaked Yahoo account records (including the security-question answer about your first pet), the dog's name (Poppy, say) may not have been encrypted. The dog's name may also have been used as a password, because people like to use their pets' names as passwords, perhaps with two digits tacked on the end.

"Poppy95" is not a secure password, but it is quite common, and it illustrates an uncomfortable truth: our casual password constructions are predictable. And with several popular sites having suffered massive data breaches, hackers know our habits inside out.

Password security: cause for concern

People often pick animals ("monkey"), keyboard patterns ("zxcvbn"), dad jokes ("letmein"), sports teams ("liverpool") and angst ("whatever"). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.

The adultery site Ashley Madison was hacked last year

Most people reuse passwords. This means the login details from one site can be tried out on more valuable sites, such as financial accounts or people's work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.

If you are thinking: "I may use the same base password but I change it a bit for different websites", well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and "leet speak" (changing s to $, say) were also common.

Unfortunately, password strength meters aren't much help as they underestimate hackers' understanding of users' habits. In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords, or reuse strong ones on other, less secure sites, there's only so much they can do.
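The construction habits the article describes (a dictionary word with a short appended suffix, keyboard runs, leet-speak substitutions, capitalisation of a common word) are exactly what a naive strength meter misses and what a pattern-aware check can flag. The following Python is an added example, not code from the FT article or from the studies it cites; the word lists are constructed stand-ins for real breach statistics.

```python
import re

# Constructed sample data standing in for the leaked-password statistics the
# article cites (hypothetical lists, not real breach data).
COMMON_WORDS = {"monkey", "letmein", "liverpool", "whatever", "iloveyou",
                "password", "poppy", "astley", "qwerty"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the 's' -> '$' style substitutions the Illinois study found common.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                      "3": "e", "!": "i", "4": "a"})


def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one keyboard row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in s or seg[::-1] in s:
                return True
    return False


def check_password(pw):
    """Return the predictable-construction patterns found in pw.

    An empty list only means none of *these* patterns matched, not that pw is strong."""
    findings = []
    lowered = pw.lower()
    if has_keyboard_run(lowered):
        findings.append("keyboard_pattern")
    # Split off the 1-3 trailing digits/symbols that people most often append.
    m = re.fullmatch(r"(.*?)([^a-z]{1,3})", lowered)
    core, suffix = (m.group(1), m.group(2)) if m else (lowered, "")
    if suffix:
        findings.append("appended_suffix")
    normalised = core.translate(LEET)  # reverse leet speak before the dictionary check
    if normalised != core:
        findings.append("leet_speak")
    if normalised in COMMON_WORDS:
        findings.append("common_word")
        if pw != lowered:  # "Poppy95": capitalising a common word adds little
            findings.append("capitalised_common_word")
    return findings


def weaker(a, b):
    """Pick the password that matches more predictable patterns (ties go to a)."""
    return a if len(check_password(a)) >= len(check_password(b)) else b
```

Run against the article's own pairs, `weaker("astley123", "astleyabc")` and `weaker("iloveyou88", "ieatkale88")` pick the password the study participants wrongly rated as stronger.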

What makes a password secure

There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs. Participants did reasonably well, identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.

However, they also overestimated the usefulness of appending digits, incorrectly selecting "astley123" as more secure than "astleyabc". The former is easier to crack because of the pervasiveness of the pattern of appending digits.

Participants also "underestimated the poor security properties of building a password around common keyboard patterns and common phrases". They wrongly believed that "iloveyou88" is stronger than "ieatkale88" (which frankly seems like an excellent name for a dog).

The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don't often see one another's passwords. Unfortunately, hackers do.

Vocabulary

fraudulently ['frɔdjuləntli]

adv. in a fraudulent, deceitful manner

They may be used to obtain credit fraudulently.

pervasiveness [pər'veɪsɪvnəs]

n. ubiquity; prevalence; the quality of being widespread

appending [ə'pɛnd]

adj. attached; added on

v. to attach; to add on (the -ing form of append)

The former is easier to crack because of the pervasiveness of the pattern of appending digits.

security property: a security-relevant characteristic of a system or a password

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”.

try out: to test; to put to the test

This means the login details from one site can be tried out on more valuable sites
