For all its benefits, the Internet can be a hassle when it comes to remembering passwords for email, banking, social networking and shopping.
Many people use just a single password across the Web. That's a bad idea, say online-security experts.
'Having the same password for everything is like having the same key for your house, your car, your gym locker, your office,' says Michael Barrett, chief information-security officer for online-payments service PayPal, a unit of eBay Inc.
Mr. Barrett has different passwords for his email and Facebook accounts, and that's just for starters. He has a third password for financial websites he uses, such as for banks and credit cards, and a fourth for major shopping sites such as Amazon.com. He created a fifth password for websites he visits infrequently or doesn't trust, such as blogs and an online store that sells gardening tools.
A spate of recent attacks underscores how hackers are spending more time trying to crack into big databases to obtain passwords, security officials say. In April, for instance, hackers obtained passwords and other information of 77 million users in Sony Corp.'s PlayStation Network, while Google Inc. said this month that hackers broke into its email system and gained passwords of U.S. government officials.
So-called brute force attacks, by which hackers try to guess individual passwords, also appear to be on the rise, Mr. Barrett says.
PayPal says two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts. A 2009 survey in the U.K. by security-software company PC Tools found men to be particularly bad offenders, with 47% using just one password, compared with 26% of women.
Another PC Tools survey last year showed that 28% of young Australians from 18 to 38 years old had passwords that were easily guessed, such as a name of a loved one or pet, which criminals can easily find on Facebook or other public sites. Other passwords can be easily guessed, too. Hackers last year posted a list of the most popular passwords of Gawker Media users, including 'password,' '123456,' 'qwerty,' 'letmein' and 'baseball.'
'If your password is on that list, please change it,' says Brandon Sterne, security manager at Mozilla Corp., which makes the Firefox browser and other software. Hackers 'will take the first 100 passwords on the list and go through the entire user base' of a website to crack a few accounts, he says.
People typically start changing online passwords after they've been hacked, says Dave Cole, general manager of PC Tools. However, 'after a relatively short time, all but the most paranoid users regress to previous behaviors prior to the security breach,' he says. He and other security experts recommend people change or rotate passwords a few times a year.
To come up with a strong password, some security officials recommend taking a memorable phrase and using the first letter of each word. For example, 'to be or not to be, that is the question,' becomes 'tbontbtitq.' Others mash an unlikely pair of words together. The longer the password (at least eight characters, experts say), the safer it is.
Once people figure out a phrase for their password, they can make it more complex by replacing letters with special characters or numbers. They can also capitalize, say, the second character of every password for added security. Hence 'tbontbtitq' becomes 'tB0ntbtitq.'
No matter how good a password is, it is unsafe to use just one. Mr. Barrett recommends following his lead and having strong ones for four different kinds of sites (email, social networks, financial institutions and e-commerce sites) and a fifth for infrequently visited or untrustworthy sites.
Even the strongest passwords, however, are useless if criminals install so-called malware on computers that allows them to track a person's keystrokes. Security experts say people can avoid this by keeping their antivirus and antispyware software updated and by avoiding downloading files from unknown websites and email senders.
Some security experts recommend slightly modifying passwords within each category of site. Companies such as Microsoft Corp. offer free password-strength checkers, but users shouldn't rely on them wholly because such strength tests don't gauge whether a password contains easily found personal information, such as a birthday or a pet's name.
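The two ideas above, deriving a password from the first letters of a phrase and then checking it for things a plain strength meter misses, as an added example that is not part of the article and not code from PayPal, Mozilla or PC Tools. The common-password set is a constructed sample drawn from the leaked list the article quotes, the personal details ('Rex', '1984') are made up, and `naive_strength_score` is a hypothetical character-class meter standing in for the online checkers the article mentions.

```python
"""Mnemonic password derivation plus a checker that also looks for
easily-found personal information. Added example, not from the article."""
import re

# Constructed sample of the leaked common-password list quoted in the article.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "baseball"}


def mnemonic_password(phrase, substitutions=None, capitalize_index=None):
    """Build a password from the first letter of each word in `phrase`,
    then optionally swap characters (e.g. 'o' -> '0') and capitalize
    one position, as the article describes."""
    words = re.findall(r"[A-Za-z]+", phrase)
    pw = "".join(w[0].lower() for w in words)
    if substitutions:
        pw = "".join(substitutions.get(c, c) for c in pw)
    if capitalize_index is not None and capitalize_index < len(pw):
        pw = (pw[:capitalize_index]
              + pw[capitalize_index].upper()
              + pw[capitalize_index + 1:])
    return pw


def naive_strength_score(password):
    """Hypothetical strength meter: counts character classes present (0-4).
    It knows nothing about the user, so 'Rex1984!' scores a full 4."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for pattern in classes if re.search(pattern, password))


def check_password(password, personal_info=(), min_length=8):
    """Return a list of problems; an empty list means nothing was flagged.
    Unlike the meter above, this also rejects passwords that are on the
    common list or contain details (pet's name, birth year) the caller
    supplies, which is exactly what the article says meters do not do."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for item in personal_info:
        token = str(item).lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal detail {item!r}")
    if len(set(lowered)) < 4:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    pw = mnemonic_password("to be or not to be, that is the question",
                           substitutions={"o": "0"}, capitalize_index=1)
    print(pw, naive_strength_score(pw), check_password(pw))
    # Constructed personal details: pet name 'Rex', birth year 1984.
    risky = "Rex1984!"
    print(risky, naive_strength_score(risky),
          check_password(risky, personal_info=["Rex", "1984"]))
```

The contrast is the point: the meter rates 'Rex1984!' as highly as it can, while `check_password` flags it twice once it is told which details are public, so a checker is only as good as what it knows about the person.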
It's especially important to have a separate password for an email account, says Mozilla's Mr. Sterne. Many sites have 'Forgot my password' buttons that, when clicked, initiate a password-recovery process by email. Hackers who break into an email account can then intercept those emails and take control of each account registered using that address.
Some websites, such as Google and Facebook, now let people register a phone number along with their account. If a person forgets his passwords, the sites reset the passwords by calling or sending a text message to that person.
Mr. Barrett says people should be able to remember four or five good passwords. If not, they can write them down on a piece of paper and stick it in their wallet, and then throw the cheat sheet away once all the passwords are memorized.
People who still struggle to remember them all can use a password manager. Several, such as LastPass, are free. LastPass prompts users to create a master password and then generates and stores random passwords for different sites. Some security experts warn against using managers that store passwords remotely, but LastPass Chief Executive Joe Siegrist says hackers can't access the passwords because all data is encrypted.
The worst thing that people can do after creating their different passwords: Put them on a sticky note by their monitor. 'That defeats the entire purpose,' says Mr. Sterne.
Heather O'Neill, a 27-year-old tech-company employee in San Francisco, had her Google email account broken into earlier this year. She says she used the same password for several sites, and that it was a weak one.
'I can't have one password for everything,' she says. 'Everything is going to be different.'