
The puppy's name shows how weak your password is


“The puppy’s name can be whatever you want”, the father in the Bizarro comic tells his son, “but make sure it is something memorable. You’ll be using it as a security question answer for the rest of your life.”

Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog’s name was probably also used as a password at some point, as people often use pets’ names — maybe with a couple of numbers at the end.

“Poppy95” is not a secure password but it is fairly typical, and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.

People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“letmein”), sports teams (“liverpool”) and angst (“whatever”). All proved popular with users of the adultery site Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from a music service which surfaced more recently.

Both breaches — estimated at about 30m-40m accounts each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.

Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people’s work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.

Second, the data sets can be added to “dictionaries” comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.

If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and “leet speak” — changing s to $, say — were also common.

Unfortunately, password strength meters aren’t much help, as they underestimate hackers’ understanding of users’ habits.

In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.

There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where “security” is “guessability” using cracking tools. Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.

However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”. The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy’s name.

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”. They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
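The transformation study above and the “astley123” / “iloveyou88” comparisons make the same point: a checker that knows the common construction habits (a dictionary word plus two or three appended characters, keyboard walks, leet-speak substitutions) rates passwords the way a cracker would, whereas a meter that only counts character classes is fooled by them. The Python below is an added example and is not code from the article or from the studies it cites; its word list, keyboard rows and leet-speak table are tiny constructed stand-ins for the breach-derived corpora the article describes.

```python
import re

# Constructed, deliberately tiny stand-in for the leaked-password lists,
# dictionaries and Wikipedia-derived word lists the article describes.
COMMON_BASES = {
    "monkey", "zxcvbn", "letmein", "liverpool", "whatever", "password",
    "iloveyou", "poppy", "astley", "qwerty", "dragon", "football",
}

# Keyboard rows used to spot walks such as "zxcvbn" or "asdf" (and reversed).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common leet-speak substitutions, mapped back to the letters they replace.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def strip_affixes(s, max_len=3):
    """Drop up to max_len non-letter characters prepended or appended to a
    word: the two-to-three character tweak the study found most common.
    Longer suffixes such as a four-digit year are deliberately not handled."""
    s = re.sub(r"^[^a-z]{1,%d}" % max_len, "", s)
    return re.sub(r"[^a-z]{1,%d}$" % max_len, "", s)


def has_keyboard_walk(s, min_len=4):
    """True if s contains min_len adjacent keys from one keyboard row."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def assess(password):
    """Return the predictable-construction findings for one candidate.

    'predictable' is True when the password reduces to a known base word,
    a leet-speak variant of one, or a keyboard walk. A False result means
    only that none of these particular habits was detected."""
    lowered = password.lower()          # capitalisation changes are cheap to undo
    core = strip_affixes(lowered)       # undo "Poppy" + "95"
    deleeted = core.translate(LEET)     # undo "p@$$w0rd" -> "password"
    findings = []
    if core != lowered:
        findings.append("appended/prepended characters around '%s'" % core)
    if core in COMMON_BASES:
        findings.append("common base word '%s'" % core)
    elif deleeted != core and deleeted in COMMON_BASES:
        findings.append("leet-speak variant of '%s'" % deleeted)
    if has_keyboard_walk(lowered):
        findings.append("keyboard walk")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    predictable = any(
        f.startswith(("common base", "leet-speak", "keyboard")) for f in findings
    )
    return {"password": password, "predictable": predictable, "findings": findings}


if __name__ == "__main__":
    # The article's own pairs: the checker agrees with the cracking tools,
    # not with the participants who preferred the appended-digit variants.
    for candidate in ("Poppy95", "astley123", "astleyabc",
                      "iloveyou88", "ieatkale88", "P@$$w0rd", "zxcvbn"):
        result = assess(candidate)
        print("%-12s predictable=%-5s %s" % (
            candidate, result["predictable"], "; ".join(result["findings"])))
```

Run as a script, the checker flags “astley123”, “iloveyou88”, “Poppy95” and “P@$$w0rd” as predictable and passes “astleyabc” and “ieatkale88”, matching the guessability ordering the Pennsylvania study used. The stripping step only removes up to three affixed characters, so a four-digit year survives it; the normalisation is the part worth keeping when swapping in a real breach-derived word list, since every base-word lookup happens after the user's transformations have been undone.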

The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don’t often see one another’s passwords. Unfortunately, hackers do.