Many people not only reuse passwords but also routinely choose their pet's name plus a number, or a run of adjacent keyboard letters, as a password. When it comes to our password habits, hackers understand us far better than we understand ourselves.
Vocabulary and background you may meet in the test:
memorable: notable, unforgettable ['mem(ə)rəb(ə)l]
leaked: leaked, disclosed [liːkt]
crummy: trivial; shabby ['krʌmɪ]
adultery: adultery; an extramarital affair [ə'dʌlt(ə)rɪ]
capitalisation: market value (same as capitalization); capitalisation [ˌkæpɪtəlaɪ'zeɪʃn]
By Lisa Pollack
The puppy's name can be whatever you want, the father in the Bizarro comic tells his son, "but make sure it is something memorable. You'll be using it as a security question answer for the rest of your life."
Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog's name was probably also used as a password at some point, as people often use pets' names — maybe with a couple of numbers at the end.
"Poppy95" is not a secure password but it is fairly typical, and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.
People often pick animals ("monkey"), keyboard patterns ("zxcvbn"), dad jokes ("letmein"), sports teams ("liverpool") and angst ("whatever"). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.
Both breaches — estimated at about 30m-40m each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.
Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people's work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.
Second, the data sets can be added to "dictionaries" comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.
If you are thinking: "I may use the same base password but I change it a bit for different websites", well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and "leet speak" — changing s to $, say — were also common.
Unfortunately, password strength meters aren't much help as they underestimate hackers' understanding of users' habits.
In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there's only so much they can do.
There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where "security" is "guessability" using cracking tools. Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.
However, they also overestimated the usefulness of appending digits, incorrectly selecting "astley123" as more secure than "astleyabc". The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy's name.
Participants also "underestimated the poor security properties of building a password around common keyboard patterns and common phrases". They wrongly believed that "iloveyou88" is stronger than "ieatkale88" (which frankly seems like an excellent name for a dog).
The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don't often see one another's passwords. Unfortunately, hackers do.
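The article's point is that a strength meter which only counts character classes misses exactly the constructions hackers expect: a common base word, two or three appended digits, a keyboard run, or leet substitutions. The following is an added illustration, not code from the article or from the research it cites: a small policy check that normalizes a candidate password the way the Illinois study describes (undoing case and leet changes, splitting off appended characters) and reports which predictable patterns it matches. The word list is a constructed sample built only from the examples on this page; a real deployment would use a full breach-derived dictionary.

```python
import re

# Constructed sample of common base words, drawn only from the examples the
# article itself cites. A real check would use a full breach-derived list.
COMMON_BASES = {
    "monkey", "letmein", "liverpool", "whatever", "iloveyou",
    "password", "poppy", "astley",
}

# Physical keyboard rows; four or more adjacent keys in either direction
# count as a keyboard pattern such as "zxcvbn".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common "leet speak" substitutions, reversed so that "p@$$w0rd" -> "password".
# This is a heuristic: a digit inside a real word is treated as a substitution.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})

# Two or three appended digits/symbols, the most popular transformation.
TRAILING = re.compile(r"^(.*?)([0-9!@#$%^&*]{1,3})$")


def split_appended(password):
    """Separate a base from its appended tail: "Poppy95" -> ("Poppy", "95")."""
    m = TRAILING.match(password)
    return (m.group(1), m.group(2)) if m else (password, "")


def normalize(text):
    """Undo case changes and leet substitutions so variants map to one base."""
    return text.lower().translate(LEET_MAP)


def has_keyboard_run(password, length=4):
    """True if the password contains `length` adjacent keys from one row."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            segment = row[i:i + length]
            if segment in low or segment[::-1] in low:
                return True
    return False


def weaknesses(password):
    """Return the predictable-construction patterns found (empty if none)."""
    found = []
    base, tail = split_appended(password)
    if normalize(base) in COMMON_BASES:
        found.append("common-base")
    if tail and tail.isdigit():
        found.append("appended-digits")
    if normalize(base) != base.lower():
        found.append("leet-substitution")
    if has_keyboard_run(password):
        found.append("keyboard-pattern")
    return found


def is_predictable(password):
    """Policy hook: reject any password that matches a known pattern."""
    return bool(weaknesses(password))


if __name__ == "__main__":
    for pw in ("Poppy95", "astley123", "astleyabc", "iloveyou88",
               "ieatkale88", "zxcvbn", "P@$$w0rd"):
        print(f"{pw:12} {weaknesses(pw) or 'no known pattern'}")
```

Run on the page's own examples, "astley123" is flagged for both a common base and appended digits while "astleyabc" is not flagged at all, and "iloveyou88" collects one more finding than "ieatkale88", which is the ordering the Pennsylvania participants got wrong. The check is deliberately a denylist of constructions rather than a score: a registration form can use `is_predictable` to explain to the user which habit to drop, instead of rewarding a trailing "123".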
1. Why should the son remember the puppy's name in the Bizarro comic?
A. the dog is with us our entire life
B. it should be taken seriously
C. it may be a security question answer
D. the name will be the password
Answer (1)
2. What does the password "Poppy95" illustrate?
A. crummy password construction is predictable
B. stolen password is fairly typical
C. crummy password is unsafe
D. people often use pets' names
Answer (2)
3. What percentage of people are in the habit of reusing passwords?
A. 30%
B. 40%
C. 60%
D. 80%
Answer (3)
4. Which of the following is not right about passwords?
A. "iloveyou88" is not stronger than "ieatkale88"
B. using names is more secure
C. "astley123" is easier to crack than "astleyabc"
D. customers are best not to use weak passwords
Answer (4)
(1) Answer: C. it may be a security question answer
Explanation: "You can name the puppy whatever you want," the father in the Bizarro comic tells his son, "but make sure it is memorable, because you will be using it as a security question answer for the rest of your life."
(2) Answer: A. crummy password construction is predictable
Explanation: "Poppy95" is not a secure password, but it is fairly typical, and it illustrates an uncomfortable fact: our careless password construction is predictable.
(3) Answer: C. 60%
Explanation: About 60% of people reuse passwords. This means the login details from one site can be tried on more valuable sites, such as financial accounts or people's work accounts. Combined with previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, these passwords may be used to obtain credit fraudulently.
(4) Answer: B. using names is more secure
Explanation: Passwords should avoid names, but the usefulness of appending digits is also overestimated, because the appended-digit pattern is so pervasive; passwords built around common keyboard patterns and common phrases likewise have poor security.