A CET-6 Reading Book That Teaches You to Get the Questions Right: Day 7, Passage 3

    Passage 3 How to Choose a Good Password? 124
    How to Choose a Good Password? (The Guardian)


    [00:00]The best way to explain how to choose a good password
    [00:04]is to describe how they're broken.
    [00:07]The most serious attack is called offline password guessing.
    [00:13]There are commercial programs that do this,
    [00:16]sold primarily to police departments.
    [00:20]There are also hacker tools that do the same thing.
    [00:24]As computers have become faster, the guessers have got better,
    [00:29]sometimes being able to test hundreds of thousands of passwords per second.
    [00:35]They guess intelligently.
    [00:37]They don't run through every eight-letter combination
    [00:41]from "aaaaaaaa" to "zzzzzzzz" in order. That's 200bn possible passwords,
    [00:50]most of them very unlikely. They try the most common password first:
    [00:57]"password1". Actually, the most common password used to be "password".
    [01:05]A typical password consists of a root plus an appendage.
    [01:10]The root isn't necessarily a dictionary word, but it's something pronounceable.
    [01:16]An appendage is either a suffix (90% of the time) or a prefix (10% of the time).
    [01:25]One guesser I studied starts with a dictionary of about 1,000 common passwords,
    [01:31]things like "letmein," "temp," "123456," and so on.
    [01:39]Then it tests them each with about 100 common suffix appendages:
    [01:46] "1", "4u", "69", "abc", "!" and so on.
    [01:55]It recovers about 24% of all passwords with just these 100,000 combinations.
    [02:03]Then the guesser tries different dictionaries: English words, names,
    [02:10]foreign words, phonetic patterns and so on for roots; two digits, dates,
    [02:19]single symbols and so on for appendages.
    [02:22]It runs the dictionaries with various capitalizations
    [02:26]and common substitutions: "$" for "s", "@" for "a", "1" for "l" and so on.
    [02:37]With a couple of weeks to a month's worth of time,
    [02:41]this guessing strategy breaks about two-thirds of all passwords.
    [02:46]But that assumes no biographical data.
    [02:49]Any smart guesser collects whatever personal information
    [02:53]it can on the subject before beginning. Postal codes are common appendages,
    [03:00]so they're tested.
    [03:02]It also tests names and addresses from the address book, meaningful dates,
    [03:09]and any other personal information.
    [03:12]If it can, the guesser indexes the target hard drive
    [03:16]and creates a dictionary out of every printable string,
    [03:21]including deleted files. If you ever kept an email with your password,
    [03:26]or saved it in an obscure file somewhere,
    [03:30]or if your program ever stored it in memory, this process will grab it.
    [03:35]And it will recover your password faster.
    [03:39]So if you want your password to be hard to guess,
    [03:42]you should choose something that this process will miss.
    [03:46]My advice is to take a sentence and turn it into a password.
    [03:51]Something like "This little piggy went to market" might become "tlpWENT2m".
    [04:01]That nine-character password won't be in anyone's dictionary.
    [04:06]Strong passwords can still fail because people are sloppy.
    [04:12]They write them on Post-it notes stuck to their monitors,
    [04:15]share them with friends, or choose the same passwords for multiple applications.
    [04:21]If you can't remember your passwords,
    [04:24]write them down and put the paper in your wallet. But just write the sentence
    [04:30]or better yet - a hint that will help you remember your sentence.
