Secure yet easy-to-remember computer passwords? (Bilingual)

Tags: security, memorable, computer passwords, bilingual, miscellany
Editor's note (24en.com, 爱思英语): Setting a boot password, a screensaver password and passwords on individual files are all useful protective measures, but do not put too much faith in how effective such passwords are, because to a professional they are all very easy to crack. In an ordinary office environment, however, a boot password is still of considerable use.
Computer passwords
Speak, friend, and enter
Secure yet easy-to-remember computer passwords?
http://www.24en.com/d/file/coop/ecocn/2012-03-27/3a7eb9812b45dd5cc13b6c6eb2b3d0a8.jpg
Computer passwords need to be memorable and secure. Most people’s are the first but not the second. Researchers are trying to make it easier for them to be both
Computer passwords need to be easy to remember and also secure. People tend to attend to the former and neglect the latter. Researchers are looking for ways to achieve both.
PASSWORDS are ubiquitous in computer security. All too often, they are also ineffective. A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter. Names of wives, husbands and children are popular. Some take simplicity to extremes: one former deputy editor of The Economist used “z” for many years. And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site’s users—365,000 people—had opted either for “123456” or for “12345”.
Passwords are everywhere in computer security, yet they often fail to protect anything. A good password must be easy to remember and hard to crack, but in practice people seem to care more about memorability than about resistance to cracking. The names of wives, husbands and children are widely used as passwords. Some people make their passwords extremely simple: a former deputy editor of The Economist used the single letter “Z” as a password for many years. When hackers stole 32m passwords from a social-gaming site called RockYou, it turned out that 1.1% of the site’s users (365,000 people) used “123456” or “12345” as their password.
That predictability lets security researchers (and hackers) create dictionaries which list common passwords, a boon to those seeking to break in. But although researchers know that passwords are insecure, working out just how insecure has been difficult. Many studies have only small samples to work on—a few thousand passwords at most. Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable.
Exploiting the predictability of password choice, computer-security researchers (and hackers) have compiled dictionaries of common passwords, which is a convenience for anyone trying to break in. But although researchers know that passwords are insecure, establishing just how insecure has been hard. Many studies work on samples that are too small, a few thousand passwords at most. Hacked sites such as RockYou have supplied larger samples, but using such information raises ethical problems, and such data surface only by chance.
However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light. With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners.
However, a paper submitted to a computer-security conference reveals some previously unknown truths about passwords. The conference is organised by the Institute of Electrical and Electronics Engineers, a professional body based in New York. Joseph Bonneau of Cambridge University, working with the internet company Yahoo!, obtained the largest sample to date, 70m passwords. Although the users in the sample were anonymised, the sample still revealed a great deal of useful information about them.
Mr Bonneau found some intriguing variations. Older users had better passwords than young ones. (So much for the tech-savviness of youth.) People whose preferred language was Korean or German chose the most secure passwords; those who spoke Indonesian the least. Passwords designed to hide sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, like access to games. “Nag screens” that told users they had chosen a weak password made virtually no difference. And users whose accounts had been hacked in the past did not make dramatically more secure choices than those who had never been hacked.
Mr Bonneau found some interesting patterns. Older users had more secure passwords than younger ones (the tech-savvy young do not care about such things). Speakers of Korean and German chose the most secure passwords; speakers of Indonesian the least. Passwords protecting sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, such as game accounts. The password-strength prompts shown at registration made practically no difference. Users whose accounts had been hacked before were not much more careful when resetting their passwords than users who had never had a problem.
But it is the broader analysis of the sample that is of most interest to security researchers. For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it. Mr Bonneau is blunt: “An attacker who can manage ten guesses per account…will compromise around 1% of accounts.” And that, from the hacker’s point of view, is a worthwhile outcome.
But what interests security researchers most is the overall assessment of the sample. Although the user groups differ, the passwords of these 70m users remain, taken together, highly predictable: whether for the whole sample or for any particular user group, a dictionary can be compiled that cracks passwords effectively. Mr Bonneau puts it bluntly: “Passwords that a hacker can crack within ten guesses make up about 1% of the total sample.” From the hacker’s point of view that is a very satisfactory result.
One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do. Yet whereas the biggest sites, such as Google and Microsoft, do take such measures (and more), many do not. A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sören Preibusch found that 126 made no attempt to limit guessing.
One obviously effective measure is to block logins after a certain number of incorrect password entries, as cash machines do. Although some very large sites such as Google and Microsoft have adopted this measure (and others), many sites have not. Mr Bonneau and a colleague surveyed 150 large websites in 2010 and found that 126 of them imposed no limit on the number of guesses.
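The guess limit described above, as an added example written for this page rather than code from the article or from any of the sites it names: a per-account sliding-window counter that refuses further attempts once the failure threshold is reached, in front of a salted password check. The class and function names, the threshold, the window length, the in-memory store and the injectable clock are all this example's own assumptions.

```python
"""Added example (not the article's code): a per-account guess limiter of
the kind the text says cash machines apply and 126 of the 150 surveyed
sites lacked.  Names, thresholds and the in-memory store are assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginThrottle:
    """Counts failed attempts per account inside a sliding time window and
    locks the account once the count reaches max_failures."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock            # injectable so the demo can advance time
        self._failures = defaultdict(deque)

    def _recent(self, account):
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, account):
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account):
        self._recent(account).append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, store, account, password):
    """Returns 'locked', 'ok' or 'bad'.  The lock is checked before the
    password, so a locked account gives no feedback on the guess itself."""
    if throttle.is_locked(account):
        return "locked"
    record = store.get(account)
    if record is not None:
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            throttle.record_success(account)
            return "ok"
    throttle.record_failure(account)   # guesses at unknown accounts count too
    return "bad"


class FakeClock:
    """Constructed clock for the demo; real code keeps time.monotonic."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three wrong guesses lock the account; the right password is refused
    while locked and accepted once the window has expired."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=clock)
    store = {"alice": hash_password("skysail dactyl gimcrack golem")}  # constructed account
    results = [attempt_login(throttle, store, "alice", g)
               for g in ("123456", "12345", "password")]
    results.append(attempt_login(throttle, store, "alice", "skysail dactyl gimcrack golem"))
    clock.advance(61)
    results.append(attempt_login(throttle, store, "alice", "skysail dactyl gimcrack golem"))
    return results


if __name__ == "__main__":
    print(demo())   # ['bad', 'bad', 'bad', 'locked', 'ok']
```

A per-account lock on its own lets anyone who knows a username lock its owner out, so deployments normally combine it with per-source limits, increasing delays or a CAPTCHA, and keep the counter in shared storage rather than one process's memory.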
How this state of affairs arose is obscure. For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details. But password laxity imposes costs even on sites with good security, since people often use the same password for several different places.
Why this situation arose is unclear. For some sites, password security may not be a very important matter, because they have nothing particularly valuable, such as credit-card details, to protect. But a lax attitude to password security also causes problems for sites with good security, because people usually use the same password on several different sites.
One suggestion is that lax password security is a cultural remnant of the internet’s innocent youth—an academic research network has few reasons to worry about hackers. Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change. But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords.
One view is that the lax attitude to password security is a cultural legacy of the internet’s infancy, when the academic research network had no reason to worry about hackers. Another is that many sites start out short of cash, and extra password-security measures would consume a lot of programming time, so they skip that step at the outset and never bother to remedy it later. Whatever the reason, the situation has led some people to stop waiting for websites to act and to consider alternatives to traditional passwords.
Skysail dactyl gimcrack golem
One such is multi-word passwords called passphrases. Using several words instead of one means an attacker has to guess more letters, which creates more security—but only if the phrase chosen is not one likely to turn up, through familiar usage, in a dictionary of phrases. Which, of course, it often is.
One such alternative is the multi-word password, known as a passphrase. Using several words rather than one forces a hacker to guess more letters, which raises security. The condition, however, is that the chosen phrase cannot be cracked by someone skilled at using a dictionary of phrases, and that possibility always exists.
Mr Bonneau and his colleague Ekaterina Shutova have analysed a real-world passphrase system employed by Amazon, an online retailer that allowed its American users to employ passphrases between October 2009 and February 2012. They found that, although passphrases do offer better security than passwords, they are not as good as had been hoped. A phrase of four or five randomly chosen words (for instance, the headline above) is fairly secure. But remembering several such phrases is no easier than remembering several randomly chosen passwords. Once again, the need for memorability is a boon to attackers. By scraping the internet for lists of things like film titles, sporting phrases and slang, Mr Bonneau and Dr Shutova were able to construct a 20,656-word dictionary that unlocked 1.13% of the accounts in Amazon’s database.
Mr Bonneau and his colleague Ekaterina Shutova analysed the passphrase system used by the online retailer Amazon, which allowed its American users to use passphrases between October 2009 and February 2012. They found that, although passphrases are indeed more secure than passwords, they are not as good as had been hoped. A passphrase of four or five randomly chosen words (like the subheading above) is indeed fairly secure, but remembering it is harder than remembering several randomly chosen passwords. This shows once again that the need for memorability always gives hackers an opening. By searching the internet for phrases such as film titles, sporting terms and slang, Mr Bonneau and Dr Shutova compiled a dictionary of 20,656 words with which 1.13% of the passphrases in Amazon’s database could be cracked.
The researchers also suspected that even those who do not use famous phrases would still prefer patterns found in natural language over true randomness. So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus (a 100m-word sample of English maintained by Oxford University Press), and from the Google NGram Corpus (harvested from the internet by that firm’s web-crawlers). Sure enough, they found considerable overlap between structures common in ordinary English and the phrases chosen by Amazon’s users. Some 13% of the adjective-noun constructions (“beautiful woman”) which the researchers tried were on the money, as were 5% of adverb-verb mixes (“probably keep”).
The researchers also speculated that even people who do not use famous phrases would still tend to use the word combinations common in everyday language rather than choosing truly at random. They drew two-word phrases at random from the British National Corpus (a 100m-word collection of English maintained by Oxford University Press) and from Google’s NGram Corpus (harvested from the internet by Google’s web-crawlers) and compared them with the passphrases in the Amazon sample. Sure enough, the word combinations common in ordinary English overlapped considerably with those chosen by Amazon’s users. Of the adjective-noun combinations the researchers tested (such as “beautiful woman”), about 13% matched; the match rate for adverb-verb combinations (such as “probably keep”) was 5%.
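The common-password dictionaries described earlier and the familiar-phrase dictionary described in this section are, from a defender's side, the lists a registration form should check new choices against. The following is an added example, not code from the article or from Amazon or Yahoo!: a check that normalises a candidate (case, symbol-for-letter swaps, punctuation, run-together words) before comparing it against both kinds of list, together with a generator for the random-word passphrases the text calls fairly secure and a function giving their guessing entropy. The word list, the phrase list and all names are constructed stand-ins for this example; a real deployment loads the large published lists.

```python
"""Added example (not from the article): a registration-time check against
common-password and familiar-phrase dictionaries, plus a random-word
passphrase generator.  All lists below are constructed stand-ins."""
import math
import re
import secrets

# Constructed blocklists; the entries come from the article's own examples.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "z"}
FAMILIAR_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "beautiful woman",     # adjective-noun pattern mentioned in the text
    "probably keep",       # adverb-verb pattern mentioned in the text
}
SQUASHED_PHRASES = {p.replace(" ", "") for p in FAMILIAR_PHRASES}

# Undo the usual symbol-for-letter swaps so "P@ssw0rd" still matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"})

# Constructed 12-word list; a diceware-style list has 7,776 entries.
WORDLIST = ["skysail", "dactyl", "gimcrack", "golem", "anchor", "bramble",
            "cobalt", "dune", "ember", "falcon", "granite", "harbor"]


def normalize(candidate):
    """Lowercase, undo leet substitutions, keep only letters as space-separated words."""
    return " ".join(re.findall(r"[a-z]+", candidate.lower().translate(LEET)))


def is_blocklisted(candidate):
    """True if the candidate, raw or normalised, is a listed password or phrase."""
    raw = candidate.lower()
    if raw in COMMON_PASSWORDS:          # digits-only entries must be matched raw
        return True
    norm = normalize(candidate)
    if norm in COMMON_PASSWORDS or norm in FAMILIAR_PHRASES:
        return True
    squashed = norm.replace(" ", "")     # catches "MayTheForceBeWithYou"
    return squashed in COMMON_PASSWORDS or squashed in SQUASHED_PHRASES


def random_passphrase(n_words=4, wordlist=WORDLIST):
    """Words drawn uniformly and independently with the OS CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Guessing entropy of an n-word passphrase drawn uniformly from the list."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for c in ("123456", "P@ssw0rd", "MayTheForceBeWithYou", "skysail dactyl gimcrack golem"):
        print(f"{c!r}: blocklisted={is_blocklisted(c)}")
    print(random_passphrase(), f"~{entropy_bits(len(WORDLIST), 4):.1f} bits")
    print(f"four words from a 7,776-word list: ~{entropy_bits(7776, 4):.1f} bits")
```

The entropy figure is only valid when the words are drawn by the generator; a phrase the user composes, as the Amazon study found, is bounded by the size of the phrase dictionary that contains it, not by the size of the word list.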
One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password. This is a string of apparent gibberish which is not actually too hard to remember. It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—“8” for “B”, for instance. (“itaMc0Ttit8” is thus a mnemonic contraction of the text in these brackets.) Even mnemonic passwords, however, are not invulnerable. A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like.
One way round this is to combine the strengths of passwords and passphrases to create a “mnemonic password”. It looks like a meaningless string of letters or symbols but is in fact not hard to remember. For example, take the first letter of each word in a sentence, vary upper and lower case, and replace some letters with symbols (such as 1 for y); one such mnemonic password is wXhf1 (from the pinyin of 我喜欢翻译, “I like translating”). Mnemonic passwords are not invulnerable either: a study published in 2006 reported that, with a dictionary compiled from song lyrics, film titles and the like, 4% of the mnemonic passwords in a sample were cracked.
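The derivation described above (initial letters, mixed case, symbol substitutions) and the 2006 finding that such passwords can still be recovered from a phrase list are shown together in this added example, which is not code from the article or from the study it cites. The case rule (every third initial upper-cased), the substitution table and the phrase list are this example's own assumptions; the defender's check simply applies the same derivation to a list of well-known phrases and refuses a candidate that lands in the result.

```python
"""Added example, not from the article: derive a mnemonic password from a
phrase the way the text describes, and check whether the result would be
found by a dictionary built from well-known phrases.  The derivation rule
and the phrase list are this example's own assumptions."""
import re

# Assumed substitution table: "8" for "b" as in the article, plus "0" for "o".
SUBSTITUTIONS = {"o": "0", "b": "8"}

# Constructed stand-in for the song-lyric / film-title dictionary of the 2006 study.
WELL_KNOWN_PHRASES = [
    "may the force be with you",
    "to be or not to be that is the question",
    "we will rock you",
]


def words_of(phrase):
    """Lower-case alphabetic words; punctuation and digits are dropped."""
    return re.findall(r"[a-z]+", phrase.lower())


def mnemonic_from_phrase(phrase, upper_every=3, substitutions=SUBSTITUTIONS):
    """Initial letter of each word; substitutions are applied first, then
    every `upper_every`-th initial is upper-cased (the assumed case rule)."""
    chars = [substitutions.get(w[0], w[0]) for w in words_of(phrase)]
    return "".join(c.upper() if (i + 1) % upper_every == 0 else c
                   for i, c in enumerate(chars))


def mnemonic_dictionary(phrases, **rule):
    """Apply the same derivation to a phrase list; this is what a strength
    checker compares candidates against."""
    return {mnemonic_from_phrase(p, **rule) for p in phrases}


KNOWN_MNEMONICS = mnemonic_dictionary(WELL_KNOWN_PHRASES)


def is_guessable_mnemonic(candidate, known=KNOWN_MNEMONICS):
    """True if the candidate is the mnemonic of a listed phrase."""
    return candidate in known


if __name__ == "__main__":
    own = mnemonic_from_phrase("is thus a mnemonic contraction of the text in these brackets")
    print(own, is_guessable_mnemonic(own))                       # itAmc0ttIt8 False
    famous = mnemonic_from_phrase("may the force be with you")
    print(famous, is_guessable_mnemonic(famous))                 # mtF8wY True
```

A real checker would apply several case and substitution rules to each listed phrase, since an attacker's dictionary does the same; the single rule here keeps the derivation readable.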
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.
There may never be a right answer to this problem. Every security measure is irritating (anyone who flies often knows this); people want to be safe, but they also want everything to be simple and easy, and the two are always in conflict. As long as that conflict exists, hackers will always find an opening.