For all its benefits, the Internet can be a hassle when it comes to remembering passwords for email, banking, social networking and shopping.
Many people use just a single password across the Web. That's a bad idea, say online-security experts.
'Having the same password for everything is like having the same key for your house, your car, your gym locker, your office,' says Michael Barrett, chief information-security officer for online-payments service PayPal, a unit of eBay Inc.
Mr. Barrett has different passwords for his email and Facebook accounts─and that's just for starters. He has a third password for financial websites he uses, such as for banks and credit cards, and a fourth for major shopping sites such as Amazon.com. He created a fifth password for websites he visits infrequently or doesn't trust, such as blogs and an online store that sells gardening tools.
A spate of recent attacks underscores how hackers are spending more time trying to crack into big databases to obtain passwords, security officials say. In April, for instance, hackers obtained passwords and other information of 77 million users in Sony Corp.'s PlayStation Network, while Google Inc. said this month that hackers broke into its email system and gained passwords of U.S. government officials.
So-called brute force attacks, by which hackers try to guess individual passwords, also appear to be on the rise, Mr. Barrett says.
PayPal says two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts. A 2009 survey in the U.K. by security-software company PC Tools found men to be particularly bad offenders, with 47% using just one password, compared with 26% of women.
Another PC Tools survey last year showed that 28% of young Australians from 18 to 38 years old had passwords that were easily guessed, such as a name of a loved one or pet, which criminals can easily find on Facebook or other public sites. Other passwords can be easily guessed, too. Hackers last year posted a list of the most popular passwords of Gawker Media users, including 'password,' '123456,' 'qwerty,' 'letmein' and 'baseball.'
'If your password is on that list, please change it,' says Brandon Sterne, security manager at Mozilla Corp., which makes the Firefox browser and other software. Hackers 'will take the first 100 passwords on the list and go through the entire user base' of a website to crack a few accounts, he says.
People typically start changing online passwords after they've been hacked, says Dave Cole, general manager of PC Tools. However, 'after a relatively short time, all but the most paranoid users regress to previous behaviors prior to the security breach,' he says. He and other security experts recommend people change or rotate passwords a few times a year.
To come up with a strong password, some security officials recommend taking a memorable phrase and using the first letter of each word. For example, 'to be or not to be, that is the question,' becomes 'tbontbtitq.' Others mash an unlikely pair of words together. The longer the password─at least eight characters, experts say─the safer it is.
Once people figure out a phrase for their password, they can make it more complex by replacing letters with special characters or numbers. They can also capitalize, say, the second character of every password for added security. Hence 'tbontbtitq' becomes 'tB0ntbtitq.'
No matter how good a password is, it is unsafe to use just one. Mr. Barrett recommends following his lead and having strong ones for four different kinds of sites─email, social networks, financial institutions and e-commerce sites─and a fifth for infrequently visited or untrustworthy sites.
Even the strongest passwords, however, are useless if criminals install so-called malware on computers that allow them to track a person's keystrokes. Security experts say people can avoid this by keeping their antivirus and antispyware software updated and by avoiding downloading files from unknown websites and email senders.
Some security experts recommend slightly modifying passwords within each category of site. Companies such as Microsoft Corp. offer free password-strength checkers, but users shouldn't rely on them wholly because such strength tests don't gauge whether a password contains easily found personal information, such as a birthday or a pet's name.
It's especially important to have a separate password for an email account, says Mozilla's Mr. Sterne. Many sites have 'Forgot my password' buttons that, when clicked, initiate a password-recovery process by email. Hackers who break into an email account can then intercept those emails and take control of each account registered using that address.
Some websites, such as Google and Facebook, now let people register a phone number along with their account. If a person forgets his passwords, the sites reset the passwords by calling or sending a text message to that person.
Mr. Barrett says people should be able to remember four or five good passwords. If not, they can write them down on a piece of paper and stick it in their wallet, and then throw the cheat sheet away once all the passwords are memorized.
People who still struggle to remember them all can use a password manager. Several, such as LastPass, are free. LastPass prompts users to create a master password and then generates and stores random passwords for different sites. Some security experts warn against using managers that store passwords remotely, but LastPass Chief Executive Joe Siegrist says hackers can't access the passwords because all data is encrypted.
The worst thing that people can do after creating their different passwords: Put it on a sticky note by their monitor. 'That defeats the entire purpose,' says Mr. Sterne.
Heather O'Neill, a 27-year-old tech-company employee in San Francisco, had her Google email account broken into earlier this year. She says she used the same password for several sites, and that it was a weak one.
'I can't have one password for everything,' she says. 'Everything is going to be different.'
參考譯文:
盡管互聯(lián)網(wǎng)有種種優(yōu)點,但記憶電子郵件、網(wǎng)上銀行、社交網(wǎng)絡和購物網(wǎng)站的密碼卻讓人頭疼。
許多人上網(wǎng)時只使用一個密碼。網(wǎng)絡安全專家說,這是個壞習慣。
線上支付服務公司PayPal(eBay的子公司)的首席信息安全長邁克爾•巴雷特(Michael Barrett)說,“所有地方都用同一個密碼,就好比給你的房子、車子、健身房更衣室和辦公室配同一把鑰匙。”
巴雷特的電子郵件和Facebook帳戶用的是不同的密碼——這僅僅是開始。他的第三個密碼用于金融網(wǎng)站——比如銀行和信用卡的密碼,第四個密碼用于主要的購物網(wǎng)站,例如亞馬遜(Amazon.com)。他還為自己不常訪問或不信任的網(wǎng)站設置了第五個密碼,例如博客和出售園藝工具的線上商店。
安全專家稱,最近接連發(fā)生的網(wǎng)絡攻擊表明黑客正在花更多時間攻入大型數(shù)據(jù)庫以獲取密碼。例如,今年4月,黑客獲得了索尼公司(Sony Corp.)PlayStation Network的7,700萬使用者的密碼及其他信息。6月,谷歌公司(Google Inc.)表示,黑客攻入了該公司的電子郵件系統(tǒng),并獲得了美國政府官員的密碼。
巴雷特說,所謂的暴力破解攻擊,即黑客試圖猜出個人密碼的行為,似乎也正在增加。
PayPal稱,每三個人中,就有兩個人在所有網(wǎng)站上只用一、兩個密碼,而網(wǎng)絡使用者人均擁有25個網(wǎng)絡帳戶。安全軟件公司PC Tools 2009年在英國進行的一項調查發(fā)現(xiàn),男性在這方面做得尤其糟糕,47%的男性只用一個密碼,相比之下,只用一個密碼的女性比例為26%。
去年PC Tools做的另一項調查顯示,在18歲至38歲的澳大利亞年輕人中,28%的人擁有的密碼很容易被猜中,例如愛人或寵物的名字,而犯罪分子可以很容易地從Facebook或其他公共網(wǎng)站上獲得這種信息。還有些密碼也很容易猜中。去年,黑客們發(fā)貼公布了一份Gawker Media使用者最常用的密碼名單,包括“password”(密碼)、“123456”、“qwerty”、“letmein”(讓我進去)和“baseball”(棒球)。
Mozilla Corp.的安全經(jīng)理布蘭登•斯特恩(Brandon Sterne)說,“如果你的密碼在這張名單上,請盡快更改。”該公司的產(chǎn)品包括火狐(Firefox)流覽器和其他軟件。他說,黑客“會使用名單上的前100個密碼攻擊網(wǎng)站上的所有使用者數(shù)據(jù)庫”,以攻破一部分帳戶。
PC Tools的總經(jīng)理戴夫•科爾(Dave Cole)說,人們通常會在受到黑客攻擊后開始更改網(wǎng)絡密碼。然而,他說,“在短時間后,除了最謹慎多疑的使用者以外,所有使用者都會回歸到被黑之前的行為。”他和其他安全專家建議人們每年更改或輪換幾次密碼。
要想設置出強大的密碼,有些安全專家建議,可以先選擇一個好記的短語,然后用這個短語中每個詞的首字母作為密碼。比如,選擇“to be or not to be, that is the question”,每個詞的首字母組合就是“tbontbtitq”。也有人建議將一組不匹配的詞放在一起作為密碼。密碼越長——專家說,至少為八個字母——就越安全。
選定用作密碼的短語后,還可以用特殊符號或數(shù)字代替字母,以產(chǎn)生更復雜的密碼。還可以將密碼中的某個字母大寫,比如大寫第二個字母,來增加安全系數(shù),這樣,“tbontbtitq”就變成了“tBOntbtitq”。
不管一個密碼有多好,只使用一個密碼也是不安全的。巴雷特建議照他的樣子做,對四類不同網(wǎng)站分別設置更強的密碼——電子郵件、社交網(wǎng)絡、金融機構網(wǎng)站和電子商務網(wǎng)站——并對不常訪問和不可靠的網(wǎng)站設置第五個密碼。
然而,如果犯罪分子在電腦上安裝了所謂的惡意軟件,使他們能跟蹤電腦使用者的按鍵情況,那么即使是最強的密碼也沒用。安全專家說,人們可以隨時更新殺毒軟件和反間諜軟件,避免從未知網(wǎng)站和電子郵件發(fā)送方下載文件,以防止發(fā)生這種情況。
有些安全專家建議,對于同一類別的不同網(wǎng)站也應稍微修改一下密碼。像微軟(Microsoft Corp.)這種公司會提供免費密碼強度測試,但使用者不應完全依賴它,因為這種強度測試無法測出密碼是否包含容易找到的個人信息,例如生日或寵物的名字。
Mozilla公司的斯特恩說,每個電子郵件帳戶都使用獨立的密碼尤其重要。許多網(wǎng)站都有“忘記密碼”按鈕,當按一下該按鈕時,就會通過電子郵件啟動找回密碼過程。然后,攻入電子郵件帳戶的黑客就可以攔截這些電子郵件,控制用該電郵位址注冊的每個帳戶。
有些網(wǎng)站,例如谷歌和Facebook,現(xiàn)在讓人們用手機號碼綁定帳戶。如果你忘記了密碼,網(wǎng)站就會打電話或者發(fā)送短信給你來重設密碼。
巴雷特說,人們應該記住四、五個好密碼。如果記不住,可以把它們寫在一張紙上,放到錢包里,然后在記住所有密碼后就把備忘單扔掉。
沒能記住全部密碼的人可以使用密碼管理器。有幾種密碼管理器是免費的,例如LastPass。LastPass鼓勵使用者創(chuàng)建一個主密碼,然后對不同網(wǎng)站創(chuàng)建并儲存隨機密碼。有些安全專家警告人們不要使用遠端儲存密碼的管理器,但LastPass的首席執(zhí)行長喬•西格里斯特(Joe Siegrist)說,黑客無法獲取這些密碼,因為所有數(shù)據(jù)都是加密的。
人們在創(chuàng)建不同密碼后所能做的最糟糕的事是:把它們記在便利貼上,貼在電腦顯示幕上。斯特恩說,“這完全背離了設置密碼的目的。”
27歲的希瑟•奧尼爾(Heather O'Neill)是三藩市一家科技公司的員工,她的谷歌電子郵件帳戶今年早些時候被黑了。她說,她在幾個網(wǎng)站用的都是同一個密碼,而那個密碼強度很弱。
她說,“我不能在哪里都用一個密碼。每個密碼都應該不一樣。”