Board: uefacool
Author: uefangsmith (Yunfei)
Title: [Repost][Forward][Repost] The Economist: Passwords aplenty
Time: Thu., March 25, 2010, 11:53:56 PM


※ This post was forwarded from the FW board

Board: FW
Author: uefang. (uefang.bbs@ptt2.cc)
Title: [Forward][Repost] The Economist: Passwords aplenty
Time: Thu., March 25, 2010, 11:49:02 PM


Board: ejlife
Author: ejlife (another World)
Title: [Repost] The Economist: Passwords aplenty
Time: Sun Jan 10 21:36:39 2010


※ [This post was forwarded from the AAAAAAAA board]

Board: AAAAAAAA
Author: davidchaos (Quit kidding, Mr. David)
Title: The Economist: Passwords aplenty
Time: Sun Jan 10 21:17:29 2010

※ [This post was forwarded from the freeman board]

http://0rz.tw/4bmy5

Passwords aplenty
Passwords go on and on

Dec 18th 2009 | LOS ANGELES
From Economist.com

How to stay sane as well as safe while surfing the web
How to surf the web without a care

AT THIS time of the year, your correspondent crosses the Pacific to Japan for
a month or so. He repeats the trip during the summer. He considers it crucial
in order to keep abreast of all the ingenious technology which, once debugged
by the world’s most acquisitive consumers, will wind up in American and
European shops a year or two later.

Every year at this season, your correspondent crosses the Pacific to spend a
month or so in Japan, and he does the same in summer. This is because he must
keep up with all manner of innovative technology: once tested by the world's
pickiest group of customers, these products will appear on the shelves of
American and European shops a year or two later.

Each time he packs his bags, though, he is embarrassed by having to include a
dog-eared set of notes that really ought to be locked up in a safe. This is
his list of logons and passwords for all the websites he uses for doing
business and staying in touch with the rest of the world. At the last count,
the inch-thick list accumulated over the past decade or so—your
correspondent’s sole copy—includes access details for no fewer than 174
online services and computer networks.

Every time he packs his bags he is a little embarrassed, because he has to
carry with him a tattered notebook that ought to be locked in a safe. This
notebook is where he records the account names and passwords for all his
websites, for business and personal use alike. Over more than a decade, your
correspondent has accumulated this single copy of the list, now several
centimetres thick, containing account names and passwords for more than 174
websites.

He admits to flouting the advice of security experts: his failings include
using essentially the same logon and password for many similar sites, relying
on easily remembered words—and, heaven forbid, writing them down on scraps
of paper. So his new year’s resolution is to set up a proper software vault
for the various passwords and ditch the dog-eared list.

He admits that the security experts' advice looks good but is of little use:
following it would mean he could no longer log on to websites with repeated,
easy-to-remember account names and passwords, and copying them onto scraps of
paper would be an even greater taboo. His new year's resolution, naturally, is
to find suitable software to store this information and throw the tattered
notebook away.

Your correspondent’s one consolation is that he is not alone in using easily
crackable words for most of his passwords. Indeed, the majority of online
users have an understandable aversion to strong, but hard-to-remember,
passwords. The most popular passwords in Britain are “123” followed by
“password”. At least people in America have learned to combine letters and
numbers. Their most popular ones are “password1” followed by “abc123”.

His only consolation is that he is not the only one using simple passwords.
Most internet users do indeed dislike strong but hard-to-memorise passwords.
The most common passwords in Britain are "123" and "password". Americans are a
little better: they at least know to mix letters and numbers, and their most
widely used passwords are "password1" and "abc123".

Unfortunately, the easier a password is to remember, the easier it is for
thieves to guess. Ironically, the opposite—the harder it is to remember, the
harder it is to crack—is often far from true. That is because, not being
able to remember long, jumbled sets of alphanumeric characters interspersed
with symbols, people resort to writing them down on Post-it notes left lying
around the office or home for all and sundry to see.

The simpler a password, the easier it is to guess; but a harder-to-remember
password is not necessarily harder to crack. Because we cannot remember long,
complicated passwords, we write them on sticky notes, and sticky notes posted
around the office or home are usually unguarded, visible to everyone.

Apart from stealing passwords from Post-it notes and the like, intruders
basically use one of two hacks to gain access to other people’s computers or
networks. If time and money is no problem, they can use brute-force methods
that simply try every combination of letters, numbers and symbols until a
match is found. That takes a lot of patience and computing power, and tends
to be the sort of thing only intelligence agencies indulge in.

Besides stealing passwords from sticky notes and notebooks, hackers use one of
the following two methods to crack your password. If they have enough time and
money, they crack it by brute force, that is, by running through every
combination of letters, numbers and symbols. But this takes considerable
patience and powerful computing capacity, and usually only intelligence
agencies use this method.

A more popular, though less effective, way is to use commercial software
tools such as “L0phtCrack” or “John the Ripper” that can be found on the
internet. These use dictionaries, lists of popular passwords and rainbow
tables (lookup tools that turn long numbers computed from alphanumeric
characters back into their original plain text) to recover passwords.

The other, more efficient and widely popular method is to use commercial
software found on the internet, "L0phtCrack" and "John the Ripper", to crack
passwords. These two programs use dictionaries, tables of common passwords and
rainbow tables (see note) to crack passwords.

Note: a precomputed lookup table; values are produced in advance by computation and then used to break the calculation.

According to Bruce Schneier, an independent security expert, today’s
password crackers “can test tens—even hundreds—of millions of passwords
per second.” In short, the vast majority of passwords used in the real world
can be guessed in minutes. And do not think you are being smart by replacing
the letters “l” or “i” in a password with the number “1”; or the letter
“s” with the number “5” or the symbol “$”. Cracking programs check all
such alternatives, and more, as a matter of course.

Bruce Schneier, an independent security expert, says today's password-cracking
software can run through "tens of millions or even hundreds of millions of
passwords" in one second. In short, most of today's passwords can be cracked
within minutes. Do not think you are clever for using the letter l or i in
place of the digit 1; using the letter s in place of the digit 5 or the symbol
$ is no better. Cracking software is sure to try all such similar substitute
characters.
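The point above, that l→1 and s→5/$ substitutions buy nothing because crackers undo them as a matter of course, is easiest to see from the defender's side: a banned-password check that normalises those substitutions before comparing. The following is an added example, not code from the article or from any tool it names; the substitution table and the four-entry banned list (the popular passwords the article quotes) are constructed for illustration, and a real deployment would load a large breach-derived wordlist instead.

```python
# Constructed banned list: the four popular passwords named in the article.
# A real deployment would load a large breach-derived wordlist instead.
COMMON_PASSWORDS = {"123", "password", "password1", "abc123"}

# Assumed substitution table for this example: each digit or symbol maps to
# the letters it commonly stands in for. Cracking tools try these by default.
LEET_MAP = {
    "1": "li", "5": "s", "$": "s", "0": "o",
    "3": "e", "@": "a", "4": "a", "7": "t",
}


def unleet_variants(password: str) -> set[str]:
    """Return every plain-text spelling this password might be a disguise of.

    Each character is kept as typed and, if it is in LEET_MAP, also expanded
    to the letters it stands for. The result is a cartesian product, but for
    an eight-symbol password with a couple of substitutions it is only a
    handful of strings, which is exactly why the trick adds no real strength.
    """
    variants = {""}
    for ch in password.lower():
        choices = ch + LEET_MAP.get(ch, "")
        variants = {prefix + c for prefix in variants for c in choices}
    return variants


def is_weak(password: str) -> bool:
    """True when the password, after undoing substitutions, is on the banned list."""
    return any(v in COMMON_PASSWORDS for v in unleet_variants(password))


def explain(password: str) -> str:
    """Human-readable verdict naming the banned word the password collapses to."""
    hits = sorted(v for v in unleet_variants(password) if v in COMMON_PASSWORDS)
    if hits:
        return f"{password!r} rejected: it is {hits[0]!r} with symbol substitutions"
    return f"{password!r} passes the banned-word check (length and entropy still apply)"


if __name__ == "__main__":
    # Constructed candidates: two disguised banned words, one banned word as-is,
    # the article's mnemonic, and its randomly generated example.
    for candidate in ["pa55w0rd", "Pa$$word1", "abc123", "MCa1otFA", "6sDt%k&3"]:
        print(explain(candidate))
```

For "pa55w0rd" the expansion is only eight strings (two choices for each of the three substituted characters), one of which is "password", so the check rejects it; the mnemonic "MCa1otFA" expands to three strings, none banned, and passes this check.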

What should you do to protect yourself? Choose passwords that are strong
enough to make cracking them too time consuming for thieves to bother.

So how should we protect ourselves? The answer is to choose passwords strong enough that even hackers cannot be bothered to crack them.

The strength of a password depends on its length, complexity and randomness.
A good length is at least eight symbols. The complexity depends on the
character set. Using numbers alone limits the choice to just ten symbols. Add
upper- and lower-case letters and the complexity rises to 62. Use all the
symbols on a standard ASCII keyboard and you have 95 to choose from.

A password's strength depends on its length, complexity and randomness. A
length of at least eight characters is advisable. Complexity depends on how
the characters are composed. If a single character uses only digits there are
just ten choices; adding upper- and lower-case letters gives sixty-two
choices. If you add the ASCII characters as well, you have ninety-five
choices.

The third component, randomness, is measured by a concept borrowed from
thermodynamics—the notion of entropy (the tendency for things to become
disordered). In information theory, a tossed coin has an entropy of one
“bit” (binary digit). That is because it can come down randomly in one of
two equally possible binary states.

The third element is randomness. This element borrows the concept of entropy
from thermodynamics (the degree of uncertainty of things). In information
theory, tossing a coin yields one unit of entropy (a binary digit), because
the probability of the coin landing heads or tails is fair and random.

At the other extreme, when you set the encryption of a Wi-Fi link, you are
usually given the choice of 64-bit or even 128-bit security. Those
bit-numbers represent the entropy (or randomness) of the encryption used. A
password with 64 bits of entropy is as strong as a string of data comprising
64 randomly selected binary digits. Put another way, a 64-bit password would
require 2 raised to the power of 64 attempts to crack it by brute force—in
short, 18 billion billion attempts. A 64-bit password was finally cracked in
2002 using brute-force methods. It took a network of volunteers nearly five
years to do so.

When you encrypt a Wi-Fi wireless network you can usually choose a password of
sixty-four to one hundred and twenty-eight bits. The number of bits represents
the entropy, or degree of randomness, of the encryption. The strength of
sixty-four bits of entropy is the same as that of sixty-four randomly chosen
binary digits. In other words, a sixty-four-bit password requires two to the
sixty-fourth power attempts to crack by brute force; in short, eighteen
quintillion password combinations. A group of volunteer netizens spent about
five years and finally, in 2002, jointly cracked a sixty-four-bit password.

The National Institute of Standards and Technology, the American
government’s standards-measuring laboratory in Gaithersburg, Maryland,
recommends 80-bit passwords for state secrets and the like. Such security can
be achieved using
passwords with 12 symbols, drawn from the full set of 95 symbols on the
standard American keyboard. For ordinary purposes, that would seem overkill.
A 52-bit password based on eight symbols selected from the standard keyboard
is generally adequate.

The National Institute of Standards and Technology in Gaithersburg, Maryland,
recommends that state secrets use eighty-bit passwords. Simply choosing twelve
characters from the ninety-five on the standard American keyboard meets this
security standard, though for ordinary users it is unnecessary. Eight
characters chosen from the keyboard, forming a fifty-two-bit password, is
more than enough.

How to select the eight? Best to let a computer program generate them
randomly for you. Unfortunately, the result will be something like 6sDt%k&3
that probably needs to be written down. One answer, only slightly less
rigorous, is to use a mnemonic constructed from the first letters (plus
contractions) of an easily remembered phrase like “Murder Considered as One
of the Fine Arts” (MCa1otFA) or “To be or not to be: that is the question”
(2Bo-2b:?).

So which eight characters should we choose? It is best to let a computer
choose them at random, but unfortunately the computer usually produces
passwords like 6sDt%k&3 that need to be written down. There is an easier
solution: use the initial letters of a famous phrase, such as "Murder
Considered as One of the Fine Arts" (MCa1otFA) or "To be or not to be: that
is the question" (2Bo-2b:?).
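The arithmetic behind the preceding paragraphs (10, 62 or 95 symbols per position; one coin toss equals one bit; 2^64 is roughly 18 billion billion; eight symbols from 95 give about 52 bits) can be carried through in a few lines, together with the "generate them randomly" step. The block below is an added example, not code from the article; the cracking rate of 1e8 guesses per second is an assumption taken from the upper end of the rate the article quotes from Bruce Schneier. Note that the exact figure for 12 symbols from 95 is about 78.8 bits, which the article rounds to 80; reaching a full 80 bits from that alphabet takes 13 symbols.

```python
import math
import secrets
import string

# The three character sets the article counts: 10, 62 and 95 symbols.
DIGITS = string.digits
ALPHANUMERIC = string.ascii_letters + string.digits
PRINTABLE_ASCII = ALPHANUMERIC + string.punctuation + " "  # the 95 printable ASCII symbols

# Assumed cracking rate for the time estimate: the upper end of the
# "tens, even hundreds, of millions per second" quoted in the article.
GUESSES_PER_SECOND = 1e8


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from `charset_size`.

    Each symbol contributes log2(charset_size) bits, so one coin toss
    (two symbols) gives exactly 1 bit and 8 symbols from 95 give about 52.6.
    """
    return length * math.log2(charset_size)


def symbols_needed(target_bits: float, charset_size: int) -> int:
    """Smallest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def brute_force_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst case: enumerate every one of the 2**bits candidates at the given rate."""
    return 2 ** bits / guesses_per_second


def generate_password(length: int = 8, alphabet: str = PRINTABLE_ASCII) -> str:
    """Draw each symbol with the OS CSPRNG. secrets.choice is uniform over the
    alphabet, so the result carries the full entropy_bits(length, len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    charsets = [("digits", DIGITS), ("alphanumeric", ALPHANUMERIC),
                ("printable ASCII", PRINTABLE_ASCII)]
    for name, charset in charsets:
        bits = entropy_bits(8, len(charset))
        days = brute_force_seconds(bits) / 86400
        print(f"8 symbols from {len(charset):2d} ({name}): {bits:5.1f} bits, "
              f"exhaustive search at 1e8/s takes {days:,.1f} days")
    print(f"12 symbols from 95: {entropy_bits(12, 95):.1f} bits; "
          f"a full 80 bits needs {symbols_needed(80, 95)} symbols")
    print(f"2**64 = {2 ** 64:,} attempts")
    print("random 8-symbol password:", generate_password())
```

Running it shows why the article calls eight keyboard symbols adequate: eight digits fall in about a second at the assumed rate, eight alphanumerics in under a month, and eight printable ASCII symbols in a little over two years of exhaustive search, while the same rate against 2^64 would take thousands of years.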

Given a robust 52-bit password, you can then use a password manager to take
care of the dozens of easily guessable ones used to access various web
services. There are a number of perfectly adequate products for doing this.
In an early attempt to fulfil his new year’s pledge, your correspondent has
been experimenting with LastPass, a free password manager that works as an
add-on to the Firefox web browser for Windows, Linux or Macintosh. Versions
also exist for Internet Explorer on Windows and Safari on the Mac.

Once you have a strong fifty-two-bit password, you can use password-management
software to reorganise your easily cracked passwords. Many good programs on
the market have this function. To fulfil his new year's resolution, your
correspondent tried LastPass, a password-management add-on for Firefox that
works on Windows, Linux and Macintosh. LastPass also has versions that work in
IE or Safari.

Once installed and given a strong password of its own, plus an e-mail
address, LastPass encrypts all the logons and passwords stored on your
computer. So, be warned: forget your master password and you could be in
trouble—especially if you have let the program delete (as it urges you to
let it do) all the vulnerable logons and passwords on your own computer.

Just install the software and enter a strong password plus an e-mail address,
and LastPass automatically encrypts your account names and passwords. But take
note: if you forget the master password, you are in big trouble, especially
once you have let the program delete your easily cracked account names and
passwords; then things get even thornier.

Thereafter, to visit various web services, all you have to do is log into
LastPass and click the website you wish to check out. The tool then
automatically logs you on securely to the selected site. It will even
complete all the forms needed to buy goods online if you have stored your
home address, telephone number and credit-card details in the vault as well.

So whenever you want to browse any website, you simply log into LastPass, and
the software automatically and securely takes you to the other location. It
can even put the information you need for online shopping into a secure
database, including your home address, telephone number and credit-card
details.

Your correspondent looks forward to using the service while travelling around
Japan over the next month or so. To be on the safe side, however, his
dog-eared list of passwords will still go with him.

Your correspondent hopes the software will prove useful when he goes to Japan
again next month, but to be on the safe side he will still take along his
tattered notebook.



--
--
※ Posted from: PTT2 (ptt2.cc)
◆ From: 114.42.88.24
enchantive: forwarded to a hidden board                         01/10 21:27
lightfox: forwarded to board lightfox                           01/10 21:28
timling: forwarded to board timling                             01/10 21:29
liberalism: forwarded to board Pollock                          01/10 21:32
moonblack: forwarded to board moonblack                         01/10 21:35
latinboy: Just type a few random keys with a Chinese input method and it already looks like gibberish: wu0fu4cl3     Push 1F 01/10 21:35

--

No love,
         no glory
                     No hero in her sky

--
※ Posted from: PTT2 (ptt2.cc)
◆ From: 140.112.25.184
SirohAmada: forwarded to a hidden board                         01/11 00:56
SirohAmada: That was tiring to read orz              Push 1F 140.112.214.140 Taiwan 01/11 00:56
ejlife: Remembering passwords is exhausting ="=      Push 2F 140.112.82.208 Taiwan 01/11 17:17

--
※ Source: DISP BBS (http://disp.twbbs.org)
※ Author: uefangsmith  From: 123.110.210.226  Time: 2010-03-25 23:53:56

※ Edited: uefangsmith  From: 123.110.210.226  Time: 2010-03-25 23:55:55
※ Board: uefacool  Recommendation score: 0  Current readers: 0  Total views: 90