It's just that the picture that went with it is rather interesting. The original title was "Diving Into Password", with the subtitle "STRONG PASSWORD".
Without meaning to do it, hackers recently gave us some information about what kinds of passwords people are using on the Web these days. The hackers had tricked users of the MySpace online service into visiting fake Web pages, where they were asked to log in. Their usernames and passwords were then forwarded to other locations on the Internet where they were stored for later collection by the attackers.
When the scam was detected, some of the collection files were recovered by security expert Roger A. Grimes, who looked at the passwords and wrote about them at a technology news Web site.
Grimes looked at 34,000 passwords, wondering how many people had chosen a strong, hard-to-guess password. There are several factors that make a password strong, but one of the first ones you need to worry about is password length. If you choose a password that’s short—maybe only two or three characters—it’s just too easy to guess it.
About half of the passwords were seven or more characters long; eight characters is generally recommended as the minimum password length. Length matters because of how passwords get attacked. Let's say a criminal decides to run your password through a special piece of software called a password recovery tool, expressly designed to guess repeatedly at passwords. These tools try every possible combination of letters (upper and lower case), numbers, and common punctuation marks. With only four characters in your password, there are some 85 million such combinations. This might sound like a lot, but according to one expert estimate, a hacker with even a fairly slow PC can work through all of them within three hours. On the fastest processors available in the general market today, it's a matter of seconds.
Bump the password length up to eight characters, however, and even that fast computer will require 23 years to guess the password by trying all the combinations.
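The arithmetic behind those figures, as an added example that is not part of the original article. The 96-symbol alphabet and the two guess rates are assumptions, chosen so the output can be compared with the article's "85 million", "three hours" and "23 years":

```python
"""Brute-force keyspace arithmetic behind the figures quoted above.

Added example, not code from the original article. The 96-symbol alphabet
(upper and lower case letters, digits and common punctuation) and the guess
rates below are assumptions chosen so the results can be compared with the
article's "85 million", "three hours" and "23 years".
"""

# Assumed alphabet size: 26 + 26 + 10 letters/digits plus 34 punctuation marks.
# 96 ** 4 is a little under 85 million, the figure the article quotes for
# four-character passwords.
ALPHABET_SIZE = 96
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and at least two symbols")
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=ALPHABET_SIZE):
    """Worst case for a tool that tries every combination: the whole keyspace
    divided by the guess rate. On average the right guess turns up halfway."""
    return keyspace(length, alphabet_size) / guesses_per_second


def rate_for_duration(length, seconds, alphabet_size=ALPHABET_SIZE):
    """Guess rate at which exhausting the keyspace takes exactly `seconds`.
    Used here to back out the guess rate the article's "23 years" implies."""
    return keyspace(length, alphabet_size) / seconds


def describe(length, guesses_per_second):
    """Human-readable worst-case time for one length/rate pair."""
    secs = seconds_to_exhaust(length, guesses_per_second)
    if secs < 60:
        return f"{secs:.1f} seconds"
    if secs < SECONDS_PER_YEAR:
        return f"{secs / 3600:.1f} hours"
    return f"{secs / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    # Assumed rates: about 8,000 guesses/s for the article's "fairly slow PC"
    # (which makes four characters fall in about three hours) and the roughly
    # 10 million guesses/s that its "23 years" for eight characters implies.
    slow_pc = 8_000
    fast_pc = round(rate_for_duration(8, 23 * SECONDS_PER_YEAR))
    print(f"four-character keyspace: {keyspace(4):,}")
    print(f"rate implied by 23 years for eight characters: {fast_pc:,} guesses/s")
    for length in (4, 6, 8, 10):
        print(f"{length} chars: slow PC {describe(length, slow_pc):>12}, "
              f"fast PC {describe(length, fast_pc):>12}")
```

Running it shows the two numbers in the text are consistent with each other: a rate of about ten million guesses per second turns eight characters into 23 years and four characters into under ten seconds, while the slow machine needs about three hours for four characters and tens of thousands of years for eight.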
It only takes a long time to crack a password, though, if the password is made up of random characters. Unfortunately, many passwords are a lot more guessable than that. In the 34,000 MySpace passwords, 75 of them were “password1.” However, only four percent of the overall passwords were words you could find in a dictionary—you should never use a word found in the dictionary for a password, nor should you use names. That said, a fair number were dictionary words with a number tacked on the end, such as “myspace1” (there were a couple dozen of these).
So how should you pick a strong password? First off, you should know that password recovery tools don’t make their guesses randomly, but rather by trying the sorts of passwords that people tend to use. And what people tend to use, even when they are smart enough to avoid dictionary words and to add numbers, is something pronounceable with a number tacked on to the end, something like “snel2001.” A combination like that is a lot more guessable than you’d think when attacked by a password recovery tool.
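How a rule-based tool orders its guesses, and how much smaller a "pronounceable word plus digits" target is than the full eight-character space, as an added example that is not part of the original article. The word list and suffix rules are constructed for illustration and are far shorter than what real tools ship with; the mask notation follows the hashcat convention but the character-class sizes are hard-coded here:

```python
"""How a wordlist-plus-rules attack orders its guesses, and why a
pronounceable word with digits on the end is a small target.

Added example, not code from the article or from any real cracking tool.
The word list and suffix rules are constructed for illustration (real tools
ship lists of millions of words and hundreds of rules); the mask notation
follows the hashcat convention (?l lower, ?u upper, ?d digit, ?s special,
?a any printable) but the class sizes are hard-coded here.
"""

# Constructed: a tiny slice of the base words a cracking list starts with.
WORDLIST = [
    "password", "123456", "qwerty", "abc123", "letmein", "myspace",
    "iloveyou", "monkey", "football", "baseball", "dragon", "soccer",
]

# Constructed: the "word with something tacked on the end" rules the article
# describes. The empty rule tries every word unchanged first.
SUFFIX_RULES = ["", "1", "2", "12", "123", "!", "01", "2006", "2007"]


def candidates(words=WORDLIST, suffixes=SUFFIX_RULES):
    """Yield guesses in attack order: each rule is applied to the whole list
    before the next rule is tried, and each word is tried as typed and then
    with its first letter capitalized."""
    for suffix in suffixes:
        for word in words:
            yield word + suffix
            yield word.capitalize() + suffix


def guess_index(password, words=WORDLIST, suffixes=SUFFIX_RULES):
    """1-based position at which `password` would be tried, or None if this
    attack never produces it."""
    for position, guess in enumerate(candidates(words, suffixes), start=1):
        if guess == password:
            return position
    return None


# Character-class sizes for mask attacks (printable ASCII, no space).
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_space(mask):
    """Number of strings matching a mask such as '?l?l?l?l?d?d?d?d'
    (four lower-case letters followed by four digits)."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    total = 1
    for i in range(1, len(mask), 2):
        total *= MASK_CLASSES[mask[i]]
    return total


if __name__ == "__main__":
    for pw in ("password1", "myspace1", "Soccer2007", "snel2001", "iNh67fTc"):
        print(f"{pw:>12}: guess #{guess_index(pw)}")
    word_plus_digits = mask_space("?l?l?l?l?d?d?d?d")   # shape of "snel2001"
    any_eight = mask_space("?a" * 8)                    # eight arbitrary printables
    print(f"?l x4 + ?d x4 : {word_plus_digits:,}")
    print(f"?a x8         : {any_eight:,}  "
          f"({any_eight // word_plus_digits:,} times larger)")
```

Two things fall out of this. "password1" and "myspace1" are reached within the first few dozen guesses because the tool does not start from random strings but from common words with common endings. And even a word that is in no list, like "snel2001", sits in a "four letters, four digits" space that is more than a million times smaller than the space of eight arbitrary characters the 23-year figure assumes, so the same machine exhausts it in minutes rather than decades.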
To create a password that’s hard to guess, you need to create a password that isn’t on the lists that a recovery tool starts with. There should be numbers in the middle of it and it should, on systems that allow it, be a mixture of upper and lower case letters throughout the password. If you use several passwords (and most of us do), it’s OK to use a common root for all your passwords, but the root should be something that you couldn’t ordinarily pronounce (try the first letter of each word in a short sentence, but not something that’s a common abbreviation) and whatever you use to change the root should be done in the middle of the password. You might want two short roots, three characters each, with two changeable characters in the middle.
Passwords like this tend to be hard to guess, but they can also tend to be hard to remember. An example of a password system that is fairly strong but fairly easy to remember is to use a phrase such as “I’m not here for the cat,” taking only the first letter of each word. This gives you “inhftc,” which you can split in half, capitalizing the middle letter of each half: “iNh fTc.” To determine the two numbers for the middle, you can count the number of letters in the primary name of the system that this password will gain access to. If it’s a Web site, use the main word of the site name, the part before the .com. For example, in “baldhaircuts.com” the two digits will be 12—the number of letters in “baldhaircuts”. If the system or Web name letters add up to only a one-digit number, just tack on the next number in sequence. For example, since “Oracle” yields the number 6, the second digit will be 7, giving you a “67” and a full password of “iNh67fTc”. With any luck, that’s a 23-year password that you’ll remember for just as long.
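The scheme described in the last two paragraphs written out as code, as an added example that is not part of the original article. The function names are mine, and where the text leaves a case open (an even-length half, a nine-letter name, a "www." prefix) the choice made here is an assumption and is marked as such in the comments:

```python
"""The article's phrase-root-plus-middle-digits scheme, as code.

Added example, not code from the original article; the function names are
mine. The scheme is the one described above: take the first letter of each
word of a phrase, split the initials in half, capitalize the middle letter of
each half, and put between them two digits derived from the letter count of
the site's main name. Where the text leaves a case open (an even-length half,
a nine-letter name, a "www." prefix) the choice made here is an assumption.
"""


def root_from_phrase(phrase):
    """First letter of each word, lower-cased: "I'm not here for the cat" -> 'inhftc'."""
    root = "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())
    if len(root) < 4:
        raise ValueError("phrase too short to split into two roots")
    return root


def capitalize_middle(part):
    """Upper-case the middle letter: 'inh' -> 'iNh'. Assumption: for an
    even-length part, the left of the two middle letters is used."""
    mid = (len(part) - 1) // 2
    return part[:mid] + part[mid].upper() + part[mid + 1:]


def main_name(site):
    """'www.baldhaircuts.com' or 'https://baldhaircuts.com/login' -> 'baldhaircuts';
    a bare system name such as 'Oracle' is returned lower-cased."""
    host = site.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    labels = host.split("/", 1)[0].split(".")
    if labels[0] == "www" and len(labels) > 1:   # assumption: ignore a www. prefix
        labels = labels[1:]
    return labels[0]


def site_digits(site):
    """Two digits from the letter count of the main name: 12 letters -> '12';
    a one-digit count is followed by the next number, so 6 -> '67'.
    Assumption: 9 letters gives '90' so the result stays two digits."""
    count = sum(ch.isalpha() for ch in main_name(site))
    if count == 0:
        raise ValueError("site name contains no letters")
    if count > 99:
        raise ValueError("site name too long for a two-digit count")
    if count < 10:
        return f"{count}{(count + 1) % 10}"
    return str(count)


def build_password(phrase, site):
    """Assemble the two root halves around the site digits: 'iNh' + '67' + 'fTc'."""
    root = root_from_phrase(phrase)
    half = len(root) // 2
    return capitalize_middle(root[:half]) + site_digits(site) + capitalize_middle(root[half:])


if __name__ == "__main__":
    phrase = "I'm not here for the cat"
    for site in ("Oracle", "baldhaircuts.com", "www.myspace.com"):
        print(f"{site:>18}: {build_password(phrase, site)}")
```

One caveat worth keeping in mind when using a scheme like this: the part that changes between sites is only two digits, and they are derived from the site name. Anyone who obtains one of these passwords the way the MySpace attackers did has the six-letter root and needs at most a hundred tries against each of your other accounts, so the protection it offers against reuse is thin compared with unrelated passwords stored in a password manager.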