现在已经很普遍了,我们都想都没想就这么做:创建一个至少有 x 个字符、至少有一个数字和一个符号且不是您的名字或姓氏的密码。无论您是在工作还是在创建Apple ID,这些“强”密码(” password)的密码要求无处不在。
一天在网站(site one)上创建新密码后,我开始思考所有要求的不同之处。有些网站希望密码不短于 3 个字符,有些则强制要求至少 8 个字符。有些需要符号,有些则不需要。有些人关心你的名字和以前的密码,有些人不关心。那么哪个密码真的很强大呢?
当您谈论有人“(someone “)破解”您的密码时,我做了一些研究并发现了两件事:首先,密码的强度,其次,加密的强度,在存储时将密码散列成乱码。
我很快意识到强密码的整个概念是非常数学化的,并且已经对这个主题进行了大量研究。引起我注意并且我将在这篇文章中提到的是来自2011 年卡内基梅隆大学的一项研究(2011 Carnegie-Mellon study)。
首先测试您的密码
在我们了解什么是强密码之前,让我们看看破解您所谓的强密码需要多长时间。为了检查这一点,我们将使用PassFault 站点(PassFault site)上的工具:
https://passfault.appspot.com/password_strength.html
这是它的工作原理。您输入密码并单击(password and click) 分析(Analyze)。它有两个默认隐藏的选项,但您可以单击Show Options。让我们解释一下它们的含义。
破解硬件(Hardware)默认为 900 美元的密码攻击者(password attacker),这对于合法的黑客来说是可能的。他们还可以选择一个价值 180,000 美元的密码攻击者(password attacker),如果价格那么贵,中国人(Chinese)可能会使用它。密码保护(Password Protection)下拉菜单为您提供了一些用于存储密码的加密类型的选项。Microsoft Windows System是最弱的,这不足为奇。然后,您拥有无线 WPA 接入点(Wireless WPA Access Point)、UNIX SHA1、UNIX Blowfish和 100 轮SHA1。
我尝试了我在几个网站上使用的强密码,震惊地发现它可以在 1 天内被破解!
哇(Wow),太糟糕了。因此,我选择了更强的加密选项(Unix Blowfish和 100 轮SHA1),并且更高兴地看到结果需要超过一天的时间:Unix Blowfish需要 1 年零 7 个月,而 100 轮(Unix Blowfish)SHA1需要 2 个月零 2 天. 但是,对于 180,000 美元的密码攻击者(password attacker),它分别下降到 11 天和 3 天。我认为不能接受!即使使用超级昂贵的密码破解器(password cracker),我也希望我的密码需要数年才能破解。但是,自从我使用带有数字和符号的 9 个字符的密码以来,最好的方法是什么?(character password)
是什么让密码强大?
这就是卡内基-梅隆大学的研究(Carnegie-Mellon study)揭示了整个事情的地方。基本上(Basically)他们发现的是,你使用的密码越长,它就越强。这并不一定意味着较长的密码(longer password)必须有很多符号或数字,它只是必须很长。在 16 个字符中,您必须避免使用超级简单的字典单词。
不相信这是可能的?在PassFault 站点(PassFault site)中,使用以下密码,只有 15 个字符,超级好记:
ilovemywifealot
然后,对于选项,选择 180,000 美元的密码攻击者(password attacker)并选择最弱的加密(Microsoft Windows),这就是你得到的:
1个月零7天!这比我的密码在 1 天内被破解要好得多。那么我的密码有什么问题吗?好吧,显然,如果您的密码较短,那么您需要使用更多的符号、随机字母和数字来加强它。如果它更长,比如超过 15 到 16 个字符,那么您不必担心添加各种数字和符号。使用更长的密码,您甚至可以使用更多的字典单词,而且它仍然非常安全。显然,即使是 15 个字符,像hellohellohello这样的密码仍然很糟糕:(hellohellohello)
这很糟糕,因为它会出现在字典中,而且同一个词出现了 3(word three)次。在我向妻子表达我的爱的第一个密码中,这句话很快就开始在计算机看来像胡言乱语,而且没有破解字典(cracking dictionary)将这15 个字符的短语(character phrase)作为单词。字典有字典单词,所以只要你避免直接字典单词,你就可以了。如果我使用我妻子的名字或昵称代替“妻子”这个词,我的密码(My password)可能会更好。明白了吗?
显然,如果你也可以在长密码中加入多个符号,那么密码会变得更加强大。例如,假设我在妻子密码(wife password)前加了一个感叹号(exclamation point),并在末尾添加了一个数字。那么使用相同的选项需要多长时间才能破解:
圣牛(Holy cow)!所以它从 1个月 7(month 7)天变成了惊人的 4 个世纪和 1 个十年!!!是的,世纪!!现在这是一个安全的密码(secure password),记住它并不难。因此,使用这个免费的在线工具(online tool)检查您的密码,如果您的密码在几天后被破解,可能是时候考虑一些新的东西了,特别是对于您的敏感信息,如银行密码等。
请记住(Remember),很多这些在线网站一直被黑客入侵,因此您的密码永远不会安全。但是,如果您使用真正强密码,即使加密非常弱,超级计算机也需要永远破解它!如果您在阅读这篇文章时在网站上尝试了密码,请在评论中告诉我们破解它需要多长时间。享受!
OTT Guide to Creating a Strong Password
It’s so cоmmon now, that we all do it without even thinking aboυt it: create a password that’s at least x characters, has at least one number аnd оne symbol and isn’t your first or last name. Whether you are at work or creating an Apple ID, these password requirements for a “strong” password are everywhere.
After creating a new password on a site one day, I started thinking about how different all the requirements were. Some sites want passwords no shorter than 3 characters and some enforce a minimum of 8. Some want symbols, some don’t. Some care about your name and previous passwords, other don’t. So which password is really strong?
I did some research and found out two things when you are talking about someone “cracking” your password: firstly, there is the strength of your password and secondly, there is the strength of the encryption that hashes the password into gibberish when stored.
I quickly realized that the whole concept of a strong password is very mathematical and there have been numerous studies done on this topic. The one that caught my attention and that I will mention in this post is from a 2011 Carnegie-Mellon study.
Test Your Password First
Before we get into what a strong password is, let’s see how long it would take to crack your supposedly strong password. To check that, we’re going to use a tool on the PassFault site:
https://passfault.appspot.com/password_strength.html
Here’s how it works. You type in your password and click Analyze. It has two options that are hidden by default, but you can click on Show Options. Let’s explain what they mean.
Cracking Hardware defaults to a $900 password attacker, which would be possible for a legitimate hacker. They also have the option to choose a $180,000 password attacker, which the Chinese might be using if it’s that expensive. The Password Protection drop down gives you a few options for the type of encryption used to store the password. Microsoft Windows System is the weakest, no surprise there. You then have Wireless WPA Access Point, UNIX SHA1, UNIX Blowfish, and 100 rounds of SHA1.
I tried my strong password that I use on a couple of sites and was shocked to see that it could be cracked in 1 day!
Wow, that’s pretty bad. So then I chose the stronger encryption options (Unix Blowfish and 100 rounds of SHA1) and was happier to see the results would take longer than a day: 1 years and 7 months for Unix Blowfish and 2 months and 2 days with 100 rounds of SHA1. However, with the $180,000 password attacker, it went down to 11 days and 3 days, respectively. Not acceptable I thought! I want my password to take years to crack even with a super expensive password cracker. But what’s the best way since I am using a 9 character password with numbers and a symbol?
What Makes a Password Strong?
This is where the Carnegie-Mellon study shed some light on the whole thing. Basically what they found is that the longer the password you use, the stronger it is. This doesn’t necessarily mean the longer password has to have a lot of symbols or numbers, it just has to be long. At 16 characters, all you have to avoid is using super easy dictionary words.
Not convinced that’s possible? In the PassFault site, use the following password, which is only 15 characters and super easy to remember:
ilovemywifealot
Then, for the options, choose the $180,000 password attacker and choose the weakest encryption (Microsoft Windows) and this is what you get:
1 month and 7 days! That’s way better than my password being cracked in 1 day. So what’s wrong with my password? Well, apparently, if your password is shorter, then you need to use more symbols, random letters, and numbers to strengthen it. If it’s longer, like over 15 to 16 characters, then you don’t have to worry about adding all kinds of numbers and symbols. With a longer password, you can even use more dictionary words and it’ll still be very secure. Obviously a password like hellohellohello would still suck even though it’s 15 characters:
It sucks because it’s going to be in the dictionary and it’s the same word three times. In my first password where I profess my love to my wife, the sentence quickly starts looking like gibberish to a computer and no cracking dictionary has that 15 character phrase as a word. Dictionaries have dictionary words so as long as you avoid straight dictionary words, you’ll be good to go. My password could have been even better if I used my wife’s name or a nickname for her instead of the word “wife”. Get the idea?
Obviously, if you can throw in a number of symbol into a long password too, then the password becomes even more ridiculously strong. For example, let’s say I put an exclamation point in front of my wife password and added one number to the end. Then how long would it take to crack with the same options:
Holy cow! So it went from 1 month 7 days to a whopping 4 centuries and 1 decade!!! Yeah centuries!! Now that’s a secure password and it’s not very hard to remember. So check your password using this free online tool and if your password is getting cracked in a few days time, it might be time to think of something new, especially for your sensitive information like banking passwords, etc.
Remember, a lot of these online sites get hacked all the time, so your password is never safe. However, if you use a truly strong password, even if the encryption is very weak, it would take forever for a super computer to crack it! If you tried your password on the site while reading this post, let us know in the comments how long it would take to crack it. Enjoy!