The puppy’s name: how weak is your password
Date: 2016-10-25 16:22


“The puppy’s name can be whatever you want”, the father in the Bizarro comic tells his son, “but make sure it is something memorable. You’ll be using it as a security question answer for the rest of your life.”

Unfortunately the name given to the dog — say, Poppy — may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog’s name was probably also used as a password at some point, as people often use pets’ names — maybe with a couple of numbers at the end.

“Poppy95” is not a secure password but it is fairly typical and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.

People often pick animals (“monkey”), keyboard patterns (“zxcvbn”), dad jokes (“letmein”), sports teams (“liverpool”) and angst (“whatever”). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.

Both breaches — estimated at about 30m-40m each — are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.

Passwords are valuable to hackers in a couple of indirect ways. First, most people — about 60 per cent by some estimates — reuse passwords. This means the login details from one site can be tried out on more valuable sites — financial accounts, for example, or people’s work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.

Second, the data sets can be added to “dictionaries” comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.

If you are thinking: “I may use the same base password but I change it a bit for different websites”, well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and “leet speak” — changing s to $, say — were also common.

Unfortunately, password strength meters aren’t much help as they underestimate hackers’ understanding of users’ habits.

In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.

There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where “security” is “guessability” using cracking tools. Participants did reasonably well — identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.

However, they also overestimated the usefulness of appending digits, incorrectly selecting “astley123” as more secure than “astleyabc”. The former is easier to crack because of the pervasiveness of the pattern of appending digits — hence the problem with the variant of Poppy’s name.

Participants also “underestimated the poor security properties of building a password around common keyboard patterns and common phrases”. They wrongly believed that “iloveyou88” is stronger than “ieatkale88” (which frankly seems like an excellent name for a dog).
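The transformations described in the article (appended digits, capitalisation, leet speak, keyboard runs, common phrases) are exactly what a site-side password check can look for before accepting a new credential. The following is an added example, not code from the article or from either research group: it collapses a candidate password to its base form by undoing those cheap transformations, then compares it against a breached-password list and a word list. The `BREACHED` and `WORDS` sets are constructed stand-ins for real corpora, and the suffix, leet and keyboard-row rules are assumptions chosen to match the patterns the text names.

```python
"""Defensive password-pattern check (illustrative example, not the article's code)."""
import re

# Constructed stand-ins for a breached-password corpus and a word list.
# A real deployment would load large corpora; these small sets are assumed.
BREACHED = {"poppy95", "monkey", "zxcvbn", "letmein", "liverpool", "whatever",
            "iloveyou", "password"}
WORDS = {"poppy", "astley", "kale", "love", "eat", "i", "you", "monkey", "let",
         "me", "in", "liverpool", "whatever", "password"}

# Reverse the common "leet speak" substitutions (s -> $, e -> 3, ...).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a", "!": "i"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SUFFIX = re.compile(r"[0-9!@#$%^&*.\-]{1,3}$")  # 1-3 appended digits/symbols
REJECT_ON = {"breached-variant", "keyboard-run", "dictionary-phrase"}


def strip_suffix(pw):
    """Remove a short trailing run of digits/symbols ("Poppy95" -> "Poppy")."""
    stripped = SUFFIX.sub("", pw)
    return stripped if stripped else pw


def canonical(pw):
    """Undo the cheap transformations the article lists: lowercase, drop the
    appended digits, reverse leet. Variants of one base word collapse together."""
    return strip_suffix(pw.lower()).translate(UNLEET)


def has_keyboard_run(s, min_len=4):
    """True if s contains >= min_len adjacent keys from one keyboard row."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def splits_into_words(s, max_parts=4):
    """True if s is a concatenation of at most max_parts dictionary words."""
    best = [None] * (len(s) + 1)  # best[i] = fewest words covering s[:i]
    best[0] = 0
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in WORDS:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[-1] is not None and best[-1] <= max_parts


BREACHED_BASES = {canonical(b) for b in BREACHED}


def assess(pw):
    """Return (findings, rejected). Findings name the weak patterns seen;
    the password is rejected when it is short or matches a pattern in REJECT_ON."""
    findings = []
    lower = pw.lower()
    core = strip_suffix(lower)
    base = core.translate(UNLEET)
    if lower in BREACHED or base in BREACHED_BASES:
        findings.append("breached-variant")
    if core != lower:
        findings.append("appended-suffix")
    if base != core:
        findings.append("leet-substitution")
    if has_keyboard_run(base):
        findings.append("keyboard-run")
    if splits_into_words(base):
        findings.append("dictionary-phrase")
    rejected = len(pw) < 12 or any(f in REJECT_ON for f in findings)
    return findings, rejected


if __name__ == "__main__":
    for candidate in ["Poppy95", "astley123", "astleyabc", "zxcvbn",
                      "iloveyou88", "ieatkale88", "ravine-lantern-quartz-7"]:
        print(candidate, assess(candidate))
```

Run against the article's own examples, “astley123” is flagged for both the suffix and the dictionary base while “astleyabc” shows no pattern (it is still rejected for length), and “iloveyou88” is caught as a variant of a breached password where “ieatkale88” is only flagged as a short dictionary phrase. The canonicalisation step is the important design choice: comparing bases rather than raw strings is what lets the check catch the small per-site changes the Illinois study describes.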

The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don’t often see one another’s passwords. Unfortunately, hackers do.
