Quick: What’s your password? Is it 123456? Is it password? Is it abc123? Is it your first name? Surprisingly, for a large number of users, those are the types of words being picked to safeguard private accounts. Not surprisingly, that’s a bad thing.
About a week ago open source forum project phpBB had their site hacked. About 20,000 passwords from users of the site were published to the Internet. Though that’s definitely not a good thing, for security researchers it offered a unique opportunity to study how real users create passwords.
Robert Graham, of Dark Reading, published some findings about the patterns used in the hacked passwords last week. The list of the top 20 passwords from the phpBB data set is not very encouraging. The number one password — used by over 3% of accounts — was ‘123456.’ Number two on the list was ‘password.’ Number three was ‘phpbb.’ In fact, almost all of the top 20 most used passwords were variations of those simple themes: numbers in sequential order, keyboard combinations (like ‘qwerty’), or common words or names.
Graham found that between 65% and 94% of passwords were common dictionary words (the latter number being for dictionaries that include commonly used proper nouns, such as “Xbox” or “Pokemon”), and that on average, the words tended to be simple words like “apple” or “orange” rather than more complex words.
16% of passwords matched a person’s first name. 14% of passwords were patterns on the keyboard. 4% were variations of the word “password.” 5% referenced pop culture, and 4% likely named objects within sight of the user at the moment the password was chosen (such as “samsung,” “viewsonic,” or “compaq”).
The passwords from the hacked phpBB accounts follow the same pattern seen in a similar breach at MySpace two years ago, in which about 34,000 user names and passwords were made public. The top twenty from that attack included password1, abc123, myspace1, password, qwerty1, 123abc, 123456, jordan23, and iloveyou1.
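A registration-time check for the weak-pattern categories discussed above (sequential runs, keyboard walks, “password” variants, site names, first names and plain dictionary words, each with an optional digit suffix), as an added example that is not part of the original article. The word lists are tiny constructed stand-ins for the dictionaries Graham used, and the sample input is the MySpace top-twenty entries quoted above.

```python
import re
from collections import Counter

LOOKUPS = (  # constructed stand-in word lists; a deployment would load full dictionaries
    ({"phpbb", "myspace"}, "site-name"),
    ({"jordan", "michael", "jessica"}, "first-name"),
    ({"apple", "orange", "samsung", "viewsonic", "compaq", "iloveyou"}, "dictionary-word"),
)
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def _is_sequential(seg):
    """Runs of 3+ chars stepping by +1 or -1, e.g. 123456, abc, 654321."""
    return len(seg) >= 3 and {ord(b) - ord(a) for a, b in zip(seg, seg[1:])} in ({1}, {-1})

def _is_keyboard_walk(seg):
    """seg (or its reverse) is a contiguous slice of a keyboard row, e.g. qwerty."""
    return len(seg) >= 3 and any(seg in r or seg[::-1] in r for r in KEYBOARD_ROWS)

def _pattern_category(pw):
    """Category if pw is built only from sequential runs and/or keyboard walks
    (a lone digit such as the trailing 1 in qwerty1 is ignored), else None."""
    segments = re.findall(r"[a-z]+|\d+", pw)
    if "".join(segments) != pw:
        return None  # symbols present: not a pure letter/digit pattern
    kinds = set()
    for seg in segments:
        if _is_sequential(seg):
            kinds.add("sequential")
        elif _is_keyboard_walk(seg):
            kinds.add("keyboard-pattern")
        elif not (len(seg) == 1 and seg.isdigit()):
            return None
    return ("keyboard-pattern" if "keyboard-pattern" in kinds else "sequential") if kinds else None

def classify(password):
    """Return the weak-pattern category of one candidate password."""
    pw = password.lower()
    if "password" in pw:
        return "password-variant"
    core = re.sub(r"\d{1,3}$", "", pw)  # 'jordan23' -> 'jordan', 'myspace1' -> 'myspace'
    word_hit = next((label for words, label in LOOKUPS if core in words), None)
    return _pattern_category(pw) or word_hit or "no-weak-pattern"

def tally(passwords):
    """Count passwords per category, the way Graham summarised the phpBB set."""
    return dict(Counter(classify(p) for p in passwords))

# Sample input: the MySpace top-twenty entries quoted in the article.
SAMPLE = ["password1", "abc123", "myspace1", "password", "qwerty1",
          "123abc", "123456", "jordan23", "iloveyou1"]
```

Every entry in the sample lands in a weak category; `tally(SAMPLE)` reports three sequential runs, two “password” variants, and one each of keyboard walk, site name, first name and dictionary word.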
The implication is that, for those so inclined, breaking into many user accounts might be a lot easier than people think when such insecure passwords are in use. Coupled with a January 2008 study by digital communications agency @www that found that 61% of people use the same password for every account they own, you can begin to realize what a potentially huge problem this is.
The reason for both the insecure passwords and the reuse of the same password over and over is likely the same: password fatigue. People now have so many account credentials to remember that it borders on the absurd. To keep track of so many different accounts, most people appear to reuse the same passwords everywhere, and often choose easy-to-remember, insecure phrases. That’s bad form and puts their accounts at greater risk of being compromised.
One solution, of course, is OpenID. If OpenID were truly universally accepted, then one set of login credentials is all that people would need to remember. Of course, it also means that if your account were compromised, it would give the attacker access to everything at once (though given the current use patterns people exhibit, that’s already the case).
However, if people were educated in safe password practices, chose harder-to-guess random strings of letters, symbols, and numbers, and changed them often (monthly?), OpenID could make that process easier and more feasible. Thoughts?
Translated from: https://www.sitepoint.com/passwords-most-people-do-it-wrong/