A study has shown that 1% of passwords can be guessed within four tries.
How can that be? Simple: try the four most common passwords. password, 123456, 12345678 and qwerty open the door to that 1%.
Fine, you're one of the other 99%, but you also have to consider the speed of today's cracking software. John the Ripper is free cracking software that can test millions of passwords per second. There is also commercial software used in forensic investigations (when a seized computer is searched for child pornography or terrorist material) that claims to test 2.8 billion passwords per second.
Cracking software first runs through a short, frequently updated list of popular passwords, then an entire dictionary, including common first names, nicknames and pet names. By now users, under repeated nagging and threats, have learned to add digits, punctuation and odd capitalization to their passwords; this is called "mangling". In theory it makes guessing much harder; in practice the effect is far smaller. Almost everyone's mind runs along the same well-worn grooves. If a site requires a digit, the rate at which password becomes Password1 or password123 will surprise you. A rule demanding both uppercase and lowercase produces Password or PASSword. Requiring a special symbol yields password! and p@ssWOrd. Do you think $pider_man1 really looks that safe? Everyone thinks they are being clever, and in the end they are all clever in the same way.
And there is reason to worry that sites' forced rules push users toward a simple, well-known password as the "base" for mangling, because anything else is hard to remember. The security this brings is an illusion.
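The mangling rules described above can be undone just as mechanically as they are applied, which is what makes them worthless against cracking software. The following checker is an added example (not the page's or any project's code) that recovers the base word behind the page's own examples; the wordlist is a constructed stand-in for a real dictionary.

```python
import re

# Constructed mini wordlist standing in for the dictionary a cracker runs after
# the popular-password list (assumption: a real checker loads a full wordlist).
WORDLIST = {"password", "spiderman", "wildcats", "123456", "qwerty", "letmein"}

# The substitutions almost everyone reaches for when a site demands a symbol;
# a cracker's mangling rules reverse them just as mechanically.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
TRAILING = re.compile(r"[\d!?.#*]+$")   # Password1, password123, password!

def base_word(password: str) -> str:
    """Undo the common mangles to recover the word the person started from."""
    pw = password.lower()                      # odd capitalisation adds nothing
    stripped = TRAILING.sub("", pw)            # drop digits/punctuation tacked on the end
    pw = stripped or pw                        # all-digit passwords have nothing to strip
    pw = pw.translate(LEET)                    # p@ssw0rd -> password, $pider -> spider
    return re.sub(r"[^a-z0-9]", "", pw)        # spider_man -> spiderman

def mangled_dictionary_word(password: str, wordlist=WORDLIST):
    """Return the dictionary word a password is a simple mangle of, or None."""
    pw = password.lower()
    if pw in wordlist:                         # the popular list is tried unmangled first
        return pw
    base = base_word(password)
    return base if base in wordlist else None

def audit(passwords):
    """Map each candidate to its base word (None = not a simple mangle)."""
    return {p: mangled_dictionary_word(p) for p in passwords}

if __name__ == "__main__":
    # Constructed sample: the page's own examples plus two that pass the check.
    for pw, base in audit(["Password1", "password123", "p@ssWOrd", "password!",
                           "$pider_man1", "WILDCATZ1", "Rpm8t4ka"]).items():
        print(f"{pw:14s} -> {base or 'no dictionary base found'}")
```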
The RockYou incident
Much of what we know about these foolish passwords comes from the December 4, 2009 breach of rockyou.com, a publisher of Facebook games. A hacker released the account names and plaintext passwords of the site's 32,603,388 users. There have been many breaches before and since, but the sheer scale of this one made it a key data set for password research, for good guys and bad guys alike.
"123456" and "password" are very popular passwords.
The most popular password on rockyou.com was "123456", used by 290731 people. Password choices differ by age and gender; for men under 30, many popular passwords come from sex and profanity: pussy, fuck, fucking, 696969, asshole, fucker, horny, hooters, bigdick, tits, boobs and similar words rank near the top. Older people (men and women) are more likely to use old references from popular culture. "Epsilon793" would not be a bad password, if it weren't Captain Picard's code in Star Trek: The Next Generation. The seven-digit "8675309" is incredibly common, since it is the telephone number from a popular song.
Is only what you can't remember safe?
Every new scheme in password security inevitably draws comment from expert onlookers, in whose view any ordinary password habit is useless. Many experts hold to the "write it down" principle: a password long enough to resist a dictionary attack is too long for people to remember, so if people choose a long, complex password, memorize it and also write it on paper, that is safe. "This is ancient advice for the digital age," as security consultant Bruce Schneier put it in 2005. "We are all very good at keeping small pieces of paper. I suggest people write the password on a slip of paper and keep it with their other valuable pieces of paper, in their wallet."
Even if you write the password on paper, typing a long, difficult password is a pain. On a phone's virtual keyboard? Good luck. The gap between expert advice and the real world is obvious in my father's approach: he writes the password on a sticky note and puts the note next to the computer. The password isn't complex, just a two-word phrase with no digits or strange punctuation. People in the real world not only choose insecure passwords, they can't even remember them.
And as they roam the web, many users leave a trail of the same password behind them like a snail. They use the same password for every site. The risk? To hell with it. Some sites take users by the hand and force them to follow some silly password rule, so users have to modify their usual password, and then they can't remember what they changed it to the next time they log in.
So what kind of password is secure?
Creating a secure password is the simplest thing in the world: a string of completely random characters. You cannot achieve true randomness in your own head, but you don't need to: many websites and apps can give you a completely random password derived from ambient noise. Here are some examples of passwords I got from random.org:
Vk54z6xg
Px7yzrm3
Nfdekysy
Fryvmwmk
Bvfqbrqb
Problem solved? For the paranoid, and for people who use fingerprint-protected password managers, yes. The rest of us can't hope to remember this alphabet soup. And they also say every account should have a different password!
Most users care more about convenience than security; experts are the other way around. I don't know which side is right. Do you have a bomb shelter in your house? Nine out of ten don't, but those who have one will surely tell you how important it is. Before you run off to build a shelter, though, making sure you always lock the front door may be the better choice.
Three kinds of threats to passwords
In practice, passwords face three kinds of threat: everyday, mass and targeted.
"Everyday threats" come from someone you know. A nosy colleague or a loved one may want to log in to your account. They guess your password (rather than running cracking software) using what they know about you. An everyday snoop may know your high school team was the Wildcats and try that, but WILDCATZ1 is probably enough to beat him.
"Mass threats" are like spam: nothing personal. A professional identity thief isn't out to crack your account specifically; he knows nothing about you, and his goal is to assemble a list of cracked account and password pairs, usually to sell. Password thieves point their cracking tools at sites with weak precautions, typically ones that allow many guesses. That may be a site of no financial value, such as a gaming site. Once the software guesses a password, it tries the same password and its variants on your more valuable accounts, such as your bank.
"Targeted threats" mean a private investigator or detective with software. If a trained person wants to get into your account, and money, time (and even the law) are on his side, he will probably succeed. The only defence is a random password long enough that the search would take longer than your life expectancy, or longer still.
Don't assume you won't be a target: even small business rivals may be willing to spend resources to steal a laptop. The other half in a high-value divorce case may do the same. Hackers may dislike someone's business or political stance. Twitter's entire site once fell, and the target was not a user but the whole site, because an administrator foolishly chose "happiness" as a password. A hacker found it with a dictionary attack in 2009 and posted it on Digital Gangster, with the result that the big Twitter accounts of Barack Obama, Britney Spears, Facebook and Fox News were hijacked.
The problem with the phrase method
As with everything else in life, you can't have it both ways: you cannot have maximum security and maximum convenience at the same time. One of the better common strategies is to turn a phrase or sentence into a password. You pick a phrase or a line, and use its initials as the password. For example, if you use "May the Force be with you", the password is Mtfbwy.
But that's the best you can do, and that's the problem. You have to think of a movie line, a song lyric or a famous South Park quote. How many eight-word phrases can you recite from memory? A single sentence is not much harder to guess than a single word. And very few people bother to alter the password their sentence produces; it already looks so random!
An ideal password scheme would not fail even if everyone used it. But if this formula became popular, every popular-culture catchphrase would go into the common-password lists, and cracking software would try those first. Besides, phrase abbreviations are usually all letters, which are weaker than a mix of character types of the same length.
Some of these drawbacks can be fixed. For example, never use a famous line. One option is a private joke. Remember what the waiter said to Brenda at that restaurant on Cozumel? You remember, Brenda remembers, maybe the waiter remembers, and no one else knows. If you choose that sentence as your password, you are probably the only person on Earth using it.
But the password itself is not necessarily that unique. The initials of different sentences can coincide, producing the same abbreviated password. Some letters are far more likely to begin a word than others, and cracking software can exploit this.
The reverse phrase method
The best way to use the password-sentence correspondence is to reverse the traditional scheme. Instead of finding a sentence and turning it into a password (such a password won't be random), get a truly random password and then turn it into a good sentence.
I used to use simple, stupid passwords. Then one was stolen, and the site gave me a temporary password made of random digits and letters. I was about to change it when I suddenly realized I didn't have to: I could remember this random password just fine.
Our brains are very good at finding patterns in random data; that is how we memorize phone numbers and ID numbers, and it works for memorizing random passwords like Rpm8t4ka, which I just got from random.org. Although the password is genuinely random, the eye and brain immediately find hooks for memory: the first three characters are letters, the last three letters are lowercase, and the 8 is twice the 4.
You can also memorize the password with a nonsense phrase: Rpm8t4ka becomes "revolutions per minute, 8 track for Kathy". I have no idea what that means, but I know I can remember the sentence quite easily.
One strong password
I follow the principle of "one strong password". Given how important passwords are in our lives, it is worth memorizing one random string. You can remember your phone number; why not a password?
Once you have your strong password, "fight to protect it," says security expert Nick Berry. Do whatever it takes to keep your computer free of malware, and use this password only on trusted, important sites. For game sites and other unimportant sites, I use a simple password that is completely different from it.
There are so many ways to steal passwords that we have reason to use different passwords on different sites. One custom scheme is to take the last letter of the site's name and put it at the front of your password. On Facebook you put a K in front, and it becomes Krpm8t4ka. This is not perfectly secure, but it isn't bad. Even if someone sees you type Krpm8t4ka on Facebook, he learns nothing about how to get into your bank account. A mass attacker collecting thousands of passwords only cares whether the password works unchanged on other sites; he probably won't bother with the rest.
There are no punctuation marks or non-ASCII characters in my strong password. If a site requires such characters, I append a symbol at the end that is easy to remember.
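The scheme above (one random base password, a per-site prefix, a symbol only where demanded) as an added example, not the author's own code. It draws candidates from the operating system's CSPRNG rather than random.org, and the collision check shows the weakness the text admits: two site names ending in the same letter produce the same password.

```python
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits   # the 62 characters the text uses

def random_candidates(count: int = 5, length: int = 8) -> list:
    """Draw candidate passwords from the OS CSPRNG (secrets), never from your head."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]

def site_password(strong: str, site: str, required_symbol: str = "") -> str:
    """Per-site variant: the site name's last letter, capitalised, in front of the
    strong password, plus a symbol only when the site insists on one.
    Assumption: `site` is the plain site name ("facebook"), not a URL."""
    letters = [c for c in site.lower() if c.isalpha()]
    if not letters:
        raise ValueError("site name has no letters to take the prefix from")
    return letters[-1].upper() + strong + required_symbol

def prefix_collisions(strong: str, sites) -> dict:
    """Sites whose derived passwords coincide, the scheme's admitted weak spot."""
    groups = defaultdict(list)
    for s in sites:
        groups[site_password(strong, s)].append(s)
    return {pw: names for pw, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    print("candidates:", random_candidates())
    print(site_password("rpm8t4ka", "facebook"))          # Krpm8t4ka
    # Constructed site list: "bank" and "facebook" both end in k.
    print(prefix_collisions("rpm8t4ka", ["facebook", "bank", "twitter"]))
```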
"Forgot your password?"
Some identity thieves skip the password entirely: they pretend to be a user who forgot the password and then answer the security questions. If they answer correctly, they can change the password to whatever they want, and the legitimate user's information is not only sold, the user can't even log in to the account.
In 2008 someone broke into Sarah Palin's (the American politician) mailbox by guessing where she first met her husband; some four years later someone broke into Mitt Romney's (the U.S. politician) account by guessing his favorite pet. It isn't only celebrities who need to worry: anyone familiar with you can guess many of your security answers, and hackers who don't know you have lists of popular answers to security questions: the most common pet names, old cars, and so on.
News reports have lately touted one coping strategy: meaningless answers. For example, answer every question with a childhood slang word, or give the same nonsense answer to everything. Your mother's maiden name was Jimbob, and your high school mascot was Jimbob.
This may work for a while, but if lots of people adopt it, one day it may fail: the "meaningless answer" you choose is likely to be as predictable as any other answer.
I always answer security questions honestly. You don't use them often, and years later, when you need to prove who you are, you don't want to have forgotten the answer. Many sites let you choose the questions, and I choose the ones whose real answers are uncommon or hard to guess.
Personal identification numbers (PINs)
The personal identification number is the kind of password our bank cards use. Nobody seems to have bothered to invent a secure PIN scheme, and most ATMs in the world accept only 4 digits. Chinese ATMs usually use 6 digits, but the principle is the same. I'm sure you can guess the most common PIN, but can you guess how many people use it?
Nick Berry estimates that fully 11% of the world's people use 1234. PINs haven't featured in many mass leaks, and hackers care less about them because a PIN is useless without the physical card. So Berry's estimate picks out the four-digit passwords from all the exposed passwords, reasoning that if someone uses 1967 as a password, the number must mean something to him, and he'll use it when entering a PIN.
The second most common PIN on Berry's list is 1111 (6% chose it) and the third is 0000 (nearly 2%). Put simply, if an old-fashioned con man picks up your bank card, he has a 19% chance of guessing your PIN within three tries. (After three wrong guesses, the average ATM swallows the card.)
The following are Berry's 20 most common PINs:
1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.
Every repeated-digit PIN (0000, 1111 and so on) appears on it. Remember, this isn't a random experiment; it's an "I'm afraid I'll forget this number, so I'd better pick one that's really easy to remember" experiment.
Berry also found some less obvious patterns:
Years. All the recent years, plus several famous ones (1492, 1776, etc.), rank near the top.
Number pairs. Many people pick a two-digit number and repeat it (1212, 8787, etc.). The two digits of the pair usually differ by only 1.
2580. Some people probably try to get a "random" PIN by tracing a line on the keypad ... Unfortunately, the only straight line of four keys is the middle column, 2580. This is the 22nd most common choice on Berry's list; blame Alphonse Chapanis, the inventor of the keypad layout.
1004. In Korean this number is read like the word for "angel", which gave rise to a popular song, "Become My 1004". Evidently too many Koreans assumed non-Koreans wouldn't know this, and made it a popular PIN at the same time.
It is important to pick a PIN that isn't on a common list. The least common PIN is 8068, but now I'm afraid you'd better not use it either ... I'd pick one starting with 6, 7, 8, 9 or 0 with no obvious pattern. Don't use personal numbers such as your birthday, your ID number or your credit card number. Those numbers are in your wallet, and losing your wallet is the most common way to lose your bank card.
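The patterns Berry found, turned into a checker, as an added example that is not from the page or from Berry's own analysis. The common-PIN set is copied from the list above; the "recent year" window and the cut-off year are assumptions, and random_pin follows the author's own rule (start with 6, 7, 8, 9 or 0, no obvious pattern).

```python
import datetime
import secrets

# Berry's most common PINs as listed on the page (copied, not extended).
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
               "2222", "6969", "9999", "3333", "5555", "6666", "1313", "8888",
               "4321", "2001", "1010"}
FAMOUS_YEARS = {"1492", "1776"}        # the examples the page gives
KEYPAD_LINE = "2580"                   # the only straight four-key line on a phone keypad

def pin_weakness(pin: str, this_year: int = datetime.date.today().year):
    """Return why a four-digit PIN is predictable, or None if no pattern matched."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected exactly four digits")
    if pin in COMMON_PINS:
        return "on the common-PIN list"
    if len(set(pin)) == 1:
        return "repeated digit"
    if pin[:2] == pin[2:]:
        if abs(int(pin[0]) - int(pin[1])) == 1:
            return "repeated adjacent pair"      # 8787
        return "repeated pair"
    if pin == KEYPAD_LINE:
        return "straight line on the keypad"
    # Assumption: "recent years" means the last hundred years.
    if this_year - 100 < int(pin) <= this_year or pin in FAMOUS_YEARS:
        return "looks like a year"
    d = [int(c) for c in pin]
    steps = [b - a for a, b in zip(d, d[1:])]
    if all(s == 1 for s in steps) or all(s == -1 for s in steps):
        return "ascending/descending run"        # 3456, 6543
    return None

def random_pin() -> str:
    """Author's rule: start with 6-9 or 0 and reject anything pin_weakness flags."""
    while True:
        pin = secrets.choice("67890") + "".join(secrets.choice("0123456789") for _ in range(3))
        if pin_weakness(pin) is None:
            return pin

if __name__ == "__main__":
    for p in ["1234", "8787", "2580", "1967", "1492", "3456", "8068"]:
        print(p, "->", pin_weakness(p) or "no obvious pattern")
    print("fresh PIN:", random_pin())
```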
Why bother?
Ordinary passwords, phrase passwords, mnemonic methods: how much difference does it make? The difference is that a random-character password is the gold standard of security. It is stronger than any human-chosen password. Even if everyone in the world used this scheme, it would still be secure.
A random password of adequate length is, in fact, not guessable with today's technology. It doesn't appear on any common-password list. Mass attackers can only find a random password by brute-force search. With uppercase and lowercase letters and digits there are 62 different characters (no special symbols, since some sites don't allow them). That means an 8-character random password needs 62^8 guesses to guarantee a hit. That is about 218 trillion guesses.
That is actually enough to protect you from mass attacks over the Internet and to slow down targeted attacks. If you accept that current forensic cracking software manages 2.8 billion guesses per second, it would take 22 hours to run through them all, which is enough for most people; if you don't think so, just add a few more characters.
But that's not to say random passwords are invincible. They can't be guessed, but they can still be stolen. Have you ever wasted time on a web game like "What's your Klingon name" (or wizard name, Jewish name, porn star name, etc.) that asks you to fill in personal information? Some of them also have you set a password. These sites are actually collecting passwords, because whoever runs them knows the password you use there is probably the same as, or similar to, your password elsewhere. On the black market, the collected passwords may fetch about 20 dollars a month. Even careful people reuse passwords. High-tech malware can record every keystroke, and nosy people use low tech, looking over your shoulder. Hackers can steal passwords through a site's own security holes, which has nothing to do with how complex the user's password is.
A password is like the key to your front door: even if it's a security door, if a thief steals the key from your pocket, the door is no safer than an ordinary one. Security is only as strong as the weakest link.
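The arithmetic behind the two preceding paragraphs, as an added example (not the author's calculation): it computes 62^8 exactly, the worst-case time at the 2.8 billion guesses per second quoted above, and how many characters it takes before an exhaustive search outlasts a human life span, the benchmark the text uses for targeted attacks.

```python
import math

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly this length drawn from the charset."""
    return charset_size ** length

def bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)

def hours_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600

def length_for_years(charset_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose exhaustive search takes at least `years` at that rate."""
    target = years * 365.25 * 24 * 3600 * guesses_per_second
    length = 1
    while keyspace(charset_size, length) < target:   # integer loop avoids log rounding
        length += 1
    return length

if __name__ == "__main__":
    RATE = 2.8e9          # the forensic cracking rate the page quotes
    CHARS = 62            # upper, lower, digits
    print(f"62^8 = {keyspace(CHARS, 8):,} ({bits(CHARS, 8):.1f} bits)")
    for n in range(8, 13):
        print(f"{n} chars: {hours_to_exhaust(CHARS, n, RATE):>14,.0f} hours")
    # Assumption: 80 years stands in for the "life expectancy" benchmark.
    print("length to outlast 80 years:", length_for_years(CHARS, RATE, 80))
```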
Summary: How to keep others from guessing your password
Be prepared to memorize one good, strong password. It is definitely worth it.
Go to a website (such as random.org) for truly random passwords, and list five to ten candidates.
Pick one you can turn into a good phrase, and remember it by that phrase.
Use it only on important sites, the ones where money is involved.