The more complex the network password, the better?

20 passwords in your head? There must be a simpler way. How do you get ahead of hackers-and not burn your brain?

This text cloud image shows the most commonly used passwords, where the larger the font, the higher the usage rate.

Let me guess: all the passwords you use on the Internet--online Banking, email, internet shopping, Twitter and Facebook login codes--are messy in your head. You also know very well that to visit different websites, you must choose a string of dissimilar, complex letters, numbers and symbols to make the password, and then recite it. (The wisdom of our ancestors teaches us code number one: Absolutely never write the code down.) But you don't really do that because you know your brain has no such ability. So you choose to use familiar words to register each site: For example, your dog, your home street name, plus a few temporary thought of the arrangement, such as "123" as the end.

It's also possible that you've actually complied with that code, so you often get locked up when you log into bank accounts, or you keep recalling the answers to all the absurd security questions. ("What was your favorite sport when you were a kid?" I was asked this question now, but my childhood favorite to do "sports" is to try to skip the PE class. Another problem with the itunes Store is asking customers what their "least favorite car" is. The most frightening thing is that in recent years, you will also be forced to set a letter mixed with the size of the password, can any normal person can remember such a multiple combinations of the arrangement? At least that one's not going to be you.

If you think your password is too bad, I have a reason to make you less guilty: Such a bad password is universal. Last month, an analysis of pin-password leaks revealed that about one-tenth of people would choose "1234" To do the password, and the recent Yahoo Network security breach has also revealed that thousands of user-set passwords are either "password"

"Welcome (Welcome)" "123456" or "Ninja (Ninja)". People always set up bad passwords, even to protect something more important than their own savings. Most of the military security experts know that at the height of the Cold War, the U.S. nuclear "unlock code" is 00000000. Five years ago, "News Night" also revealed: Before 1997, the British part of the key to the bomb lock, its essence is a bicycle lock. As for how to choose to let the warhead in the air or the ground explosion, as long as the IKEA hexagon wrench (Allen key) can be done. And these are not passwords at all. When confronted with an enemy attack, a quick counterattack is more important than anything else.

Our code is in jeopardy, and it has become an "arms race" for vicious hackers and "vinegar" security testers. But if you talk to the insiders, you know that the wisdom of the ancestors is questionable. As a counter example: it may be a good idea to write down your password. Some bosses will order their employees to change passwords 90 days, which may not be a security improvement, but rather cause trouble to themselves. The same thing happened to some banks in the password Setup specification: The password cannot exceed 12 characters, the space bar is not allowed, and so on. The hidden truth of all the rules is that passwords--as a way to protect people's personal data on the Internet--end up being fundamentally violated. I told Bill Cheswick, an experienced cyber-security researcher, to ask him if he could solve the problem once and for all Bill Cheswick. He thought for a moment and suggested, "Burn your computer and roll off the beach." "Although your brain may be a mess, there are ways to be safe and not lose your mind," he said. It's just that it's a little different from the way people taught you before.

Password cracking techniques in various forms, but the most important thing is not by devious, but by brute force attack. As an example: there is a hacker, he sneaked into a company's server, ready to steal a document, the document is written on the millions. This file (hopefully) is encrypted, so it is not possible for him to log into the account directly. Suppose the order in the file is "Hello" (not that simple, of course), and it will be encrypted in the file as a "$1$r6t8sub9$qxe41fjyf/3gkpiuvkoq90" character. He can not casually put this line of garbled untie, because he knew that the file is "one-way encryption." And what he can do is just add all the millions of possibilities to the same encryption algorithm to test until one of the passwords is just winning and the result is in line with the string of garbled characters. Only then did he know that he had found the password. (There is an additional encryption technology called "salting" that can block this attack, but it's not clear how many companies actually use it.) )

At this point, the length of the password can produce the effect you cannot imagine. Suppose that a hacker's computer can guess 1000 kinds of five-digit pure letter, completely random, all lowercase password combination every second, such as "Fpqzy", that need 3 hours 45 minutes to be able to crack success. Now as long as the password set to 20, the time to crack will naturally increase a bit: it will take 6.5 million trillion years.

Now there is a problem of artificial prediction. After all, no one can come up with a completely random combination of letters and numbers. Instead, people will follow some natural rules, such as using some existing words, and then replacing the letter O with the number 0, or following the last year. Hackers also know this, so their cracked software will synthesize these rules for guessing, effectively reducing time and quickly guessing targets. Each time, there is a new vulnerability in 1 million passwords, like the 2010 Gawker event and this year's Yahoo event "Note 1", and every time hackers can use this to effectively learn the new knowledge of people to set passwords, but also make it easier to crack passwords. You might think you're smart enough to think of an excellent way to set a password, but hackers are already familiar with the chest.

Therefore, the most impossible to crack the password is a long string of completely random letters, numbers, spaces and symbols, you really want to do so you can not back down. However, since the length is so important, you will find an astonishing fact: a long string of irregular English words, all in lowercase-say "awoken wheels angling ostrich (wake up, tires, fishing, ostrich)" than already very short, It is much safer to follow the bank's annoying passwords (like m@nch3st3r). And this password is better remembered, because you have built a picture in memory: A group of noisy tires awakened a fish in the river fishing ostrich, is not it? As the popular home to the comics "XKCD" published last year, the issue of a cartoon clearly pointed out that the argument: "After 20 years of effort, We successfully let each person to have a ' password set is a person can not remember, is the computer can guess ' good kung fu. ”

And the fact is worse than that.

Because the password is too difficult to remember, so people invented the "password recovery", in which the security problem is so simple that even hackers can answer. That's why 2008 Sarah Palin's personal mailbox for "2" was hacked: the intruder guessed her postal number and high school name. Another related flaw in the account recovery also led to a vicious hacking attack by Matt Honan Mat Honan, author of Wired magazine, "Note 3" in this August. Several hackers managed to occupy his Google account and, in his name, made racist remarks on Twitter, and emptied his laptop, mobile phone and all the information on his ipad remotely. Later one of the hackers through the network message to Honan, tell him that all this happens because the Amazon customer Service Hotline is happy to provide the four digits of his credit card account, and at Apple's client desk, the four-digit number can be used to reset his Apple icloud account password.

Some websites will let you use the passphrase (passphrase), which is the "fishing ostrich" that you just said. But most websites don't do that. In this case, many security experts believe that people should disregard the rules of the bank to write down the password. Their logic is simple: because you think it's very unreliable on paper, you'll think of a compromise, and you'll end up with the least secure password. (Similarly, some people will suggest, even ask you to change the password regularly, but in fact, you have to remember the more passwords, the more will be forced to choose a simple password. "I have 68 different passwords," Jesper Johansson, a Microsoft security expert, said at a conference a few years ago. "If they don't let me write it down, what do you think I'm going to do?" I'm sure I'll set the same password for all my accounts. "Password expert Brousse Schnell (Bruce Schneier) also advocates that people write passwords down. He pointed out that the vast majority of people in fact can properly keep a few pieces of paper safety. Whether your spouse or your roommate is trustworthy, this security issue is absolutely something you can speculate on. It is hard to predict whether the Russian hacker group will threaten your bank account.

I told Nier Aiken (Neil Aitken) that he was a spokesman for the British Payment Committee (which oversees the Trans-bank transfer system and connectivity network and other matters). He looked very calm after listening. The crux of the matter, he explains, is that the fraud Law forces bank clients to enforce some obligations. If you just protect your password, if someone steals the amount in your account, the law will assume you are "committing serious negligence" so that your money will be hard to find. "You can have one of the most difficult codes in the world, but if you tell someone, you're going to ruin the code." "The Committee strongly recommends that British clients not write down their passwords or tell their passwords to others," he said.

Both sides are at sixes and sevens. This is the trouble with the security problem: you have to weigh the pros and cons. The more convenient it is, the less secure it is, and the tighter the remote attack, the better the cunning roommate has the chance to swoop in. Are you willing to take the risk of being a little (albeit difficult to quantify) money, or putting yourself in a long-term password attack? The problem is complex enough to ask you, "What's your least favorite car?"

Bill Cheswick (Bill Cheswick, friends call him Chase Ches), like many people, believes that our society is in the midst of a code chaos. Unlike other people, he felt that he had to take a part in the responsibility. He collaborated in writing a book in 1994 as a member of At&t's virtual department, Bell Labs. The title is intriguing: "Firewall and network security: Repel cunning hackers". (He has put forward the concept of "proxy Server", which is one of the reasons why he is called "Half man and half God" in Internet circles. This book lays the foundation for modern network security. But now, he says, when we meet at a Manhattan café, the code becomes "a barbed wire! Who knows so much?" This topic always makes Cheswick lively, although he is usually a gushing and enthusiastic guy, but this time he will let the table people from his notebook to look at him. "There are so many rules!" You have to mix the symbols, the size, the numbers ...

Chase called these rules "Newt's eyes," because they were like potions ' recipes. Once in a while, he was too complacent to call these rules "fascist in the cipher World". "I have 25 different accounts, do I have to remember 25 different ' Newt's eye ' codes? It's not science!"

In addition, he says, it is becoming increasingly irrelevant to focus on the complexities of passwords, because the more serious threat is the keyboard recorder, a software that is secretly installed on your computer, that monitors the keyboard keys you press on the Web. "No matter how smart your password is, as long as I'm watching your keyboard, you're dead," he said. If you want to reduce risk, you can switch to a Mac, or upgrade an unsafe Windows XP system to Windows 7 and install anti-virus software. But the real safest approach is to never visit websites that carry malware. And, "If your grandson comes running to play with your computer, or if you're reading a junior high school son and entering an unsafe URL, you're done." "Similarly dangerous also has" phishing "attack, many media have hyped, is to send an email or the website to wrap very harmoniously, for instance it disguises as your bank's Landing webpage, by this deceives you to enter the password. (Anti-"fishing" is the most basic way to check your browser's address bar, hover over the link to ensure the authenticity of the link, and never in the mail reply to fill in the password sent back.) )

Maybe one day, we don't have to worry about these things, maybe later there will be innovation and development can completely replace the password. Touch screen technology may be used to detect the slightest difference between your interactions with your computer-the distance between your fingers, and the speed at which you click and drag the touch screen. In addition, a technician at Rutgers University in New Jersey has made a sample of the ring, which you wear on your finger, it will burst into tiny currents that can be transmitted to the screen through the user's skin to confirm the user's identity. Fingerprint recognition system has been embedded in some laptops, but because the technology still has too many problems, not yet received attention, but it can be improved. But don't be too quick to breathe. In the foreseeable future, "passwords will not go away," Cheswick said. "Although I very much hope that the password can disappear, but they are too convenient after all." ”

At the same time, he advised me to do one thing, even though I had been stunned by the research I had done to finish this article. He asked me to put in a software called a "password wallet", such as LastPass or 1Password. These software can generate a highly random set of passwords for each site you visit and save them with a master password. After I loaded the LastPass, I chose a very long sequence through it, containing English words and numbers. For example now I have no idea at all, and will never know what my email password is, but it doesn't matter, because LastPass can tell me the password at any time.

This is certainly not a perfect solution. But LastPass is safe in almost every aspect of the problem. Because it only encrypts and decrypts the user's own computer, and the software company does not know my master password, it means that if I forget the master password, no one can help me. (There is also no "password recovery" that requires security issues to be set.) And--yes--I wrote it down, put it in an encrypted form on a scrap of paper, and hid it carefully. I hope I can write down the code soon. After all, nothing is absolutely safe, let alone absolutely safe and absolutely convenient method is more impossible to exist, but I think this is a very compromise feasible way. I hope I don't forget where I hid the note.

"Note 1" Gawker is a famous star-tracking site. Gawker and Yahoo have burst into a security loophole.

"Note 2" Sarah Palin, who has long been active in American politics, was elected by Republican nominee John McCain as vice president in 2008, with a partner in the presidential election.

"NOTE 3" Wired is a well-known science and technology magazine around the world.