
Passwords That Drive Hackers Away

The New York Times, 2012-11-13


Not long after I began writing about cybersecurity, I became a paranoid caricature of my former self. It’s hard to maintain peace of mind when hackers remind me every day, all day, just how easy it is to steal my personal data.

Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.

But recent episodes offered vindication. I removed the webcam tape — after a friend convinced me that it was a little much — only to see its light turn green a few days later, suggesting someone was in my computer and watching. More recently, I received a text message from Google with the two-step verification code for my Gmail account. That’s the string of numbers Google sends after you correctly enter the password to your Gmail account, and it serves as a second password. (Do sign up for it.) The only problem was that I was not trying to get into my Gmail account. I was nowhere near a computer. Apparently, somebody else was.

It is absurdly easy to get hacked. All it takes is clicking on one malicious link or attachment. Companies’ computer systems are attacked every day by hackers looking for passwords to sell on auctionlike black market sites where a single password can fetch $20. Hackers regularly exploit tools like John the Ripper, a free password-cracking program that uses lists of commonly used passwords from breached sites and can test millions of passwords per second.

Most people will get hacked at some point in their lives. The best they can do is delay the inevitable by not opening suspicious links, even ones sent by friends, and by managing their passwords well. Unfortunately, good password hygiene is like flossing: you know it is important, but it takes effort. How are you supposed to come up with different, hard-to-crack passwords for every news site, social network, e-commerce site, bank, corporate site and e-mail account, and still remember every one of them?

To answer that question, I called two of the most (justifiably) paranoid people I know, Jeremiah Grossman and Paul Kocher, to find out how they keep their information safe. Mr. Grossman was the first hacker to demonstrate how easily somebody can break into a computer’s webcam and microphone through a Web browser. He is now chief technology officer at WhiteHat Security, an Internet and network security firm, where he is frequently targeted by cybercriminals. Mr. Kocher, a well-known cryptographer, gained notice for clever hacks on security systems. He now runs Cryptography Research, a security firm that specializes in keeping systems hacker-resistant. Here were their tips:

FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher. Hackers will often test passwords from a dictionary or aggregated from breaches. If your password is not in that set, hackers will typically move on.

NEVER USE THE SAME PASSWORD TWICE People tend to use the same password across multiple sites, a fact hackers regularly exploit. While cracking into someone’s professional profile on LinkedIn might not have dire consequences, hackers will use that password to crack into, say, someone’s e-mail, bank, or brokerage account where more valuable financial and personal data is stored.

COME UP WITH A PASSPHRASE The longer your password, the longer it will take to crack. A password should ideally be 14 characters or more in length if you want to make it uncrackable by an attacker in less than 24 hours. Because longer passwords tend to be harder to remember, consider a passphrase, such as a favorite movie quote, song lyric, or poem, and string together only the first one or two letters of each word in the sentence.
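As an added illustration (not part of the Times article), here is a small Python checker that applies the three rules above: the dictionary test with the "small insertions or changes" Mr. Kocher describes undone first, the 14-character threshold, and the reuse check, plus the passphrase mnemonic. The wordlist is a constructed stand-in for a real dictionary or breach list.

```python
import hashlib
import string

# Constructed sample wordlist standing in for a dictionary or breach list;
# a real checker would load a full wordlist from disk.
COMMON_WORDS = {"password", "sunshine", "dragon", "welcome", "baseball", "letmein"}
MIN_LENGTH = 14  # the article's 14-character threshold

# Symbol-for-letter substitutions that cracking rules undo trivially
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "!": "i"})


def normalize(password: str) -> str:
    """Strip appended digits/punctuation and undo leetspeak, so that
    'P@ssw0rd123!' collapses to its dictionary core 'password'."""
    core = password.strip(string.punctuation + string.digits)
    return "".join(ch for ch in core.translate(LEET) if ch.isalpha()).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_dictionary_based(password: str) -> bool:
    """True if the password is a listed word or within one edit of one."""
    core = normalize(password)
    return core in COMMON_WORDS or any(edit_distance(core, w) <= 1 for w in COMMON_WORDS)


def passphrase_from(sentence: str, letters: int = 1) -> str:
    """The article's mnemonic: keep the first one or two letters of each word."""
    return "".join(word.strip(string.punctuation)[:letters] for word in sentence.split())


def check_password(password: str, used_hashes: set) -> list:
    """Return the rules the password violates (empty list means it passes).
    Reuse is checked against SHA-256 digests of passwords already in use,
    for comparison only; this is not a storage format for passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_dictionary_based(password):
        problems.append("dictionary word or a small variation of one")
    if hashlib.sha256(password.encode()).hexdigest() in used_hashes:
        problems.append("already used on another site")
    return problems
```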

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

STORE YOUR PASSWORDS SECURELY Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password. Mr. Kocher takes a more old-fashioned approach: He keeps password hints, not the actual passwords, on a scrap of paper in his wallet. “I try to keep my most sensitive information off the Internet completely,” Mr. Kocher said.

A PASSWORD MANAGER? MAYBE Password-protection software lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you in to sites as long as you provide one master password. LastPass, SplashData and AgileBits offer password management software for Windows, Macs and mobile devices. But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.” Mr. Grossman said he did not trust the software because he didn’t write it. Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked.

IGNORE SECURITY QUESTIONS There is a limited set of answers to questions like “What is your favorite color?” and most answers to questions like “What middle school did you attend?” can be found on the Internet. Hackers use that information to reset your password and take control of your account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney’s Hotmail and Dropbox accounts using the name of his favorite pet. A better approach would be to enter a password hint that has nothing to do with the question itself. For example, if the security question asks for the name of the hospital in which you were born, your answer might be: “Your favorite song lyric.”

USE DIFFERENT BROWSERS Mr. Grossman makes a point of using different Web browsers for different activities. “Pick one browser for ‘promiscuous’ browsing: online forums, news sites, blogs — anything you don’t consider important,” he said. “When you’re online banking or checking e-mail, fire up a secondary Web browser, then shut it down.” That way, if your browser catches an infection when you accidentally stumble on an X-rated site, your bank account is not necessarily compromised. As for which browser to use for which activities, a study last year by Accuvant Labs of Web browsers — including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer — found that Chrome was the least susceptible to attacks.

SHARE CAUTIOUSLY “You are your e-mail address and your password,” Mr. Kocher emphasized. Whenever possible, he will not register for online accounts using his real e-mail address. Instead he will use “throwaway” e-mail addresses, like those offered by 10minutemail.com. Users register and confirm an online account, which self-destructs 10 minutes later. Mr. Grossman said he often warned people to treat anything they typed or shared online as public record.

“At some point, you will get hacked — it’s only a matter of time,” warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”
