New Scientist | 75% of the world's top websites allow weak passwords


Source: New Scientist

Original publication date: 2 July 2022


Three-quarters of the world’s most popular English-language websites still allow people to choose the most common passwords such as “abc123456” and “P@$$w0rd”.


More than half of the 120 top-ranked websites also allow all 40 of the most common leaked and easily guessed passwords. The sites include popular shopping portals such as Amazon and Walmart, social media app TikTok, video streaming site Netflix and the company Intuit, maker of the tax-return software TurboTax that millions of people in the US use.


Amazon said it recommends that users set up two-step verification, and that the company may “require additional authentication challenges during sign-in” if it detects a security risk. Intuit chief architect Alex Balazs said he would investigate the findings and highlighted Intuit’s use of multi-factor authentication and fraud detection.


“It’s tempting to conclude that companies just don’t care about users’ security, but I don’t think that’s right… letting accounts get hacked is not at all in their interest,” says Arvind Narayanan at Princeton University.


To perform the analysis of English-language websites ranked as popular by various internet services, Narayanan and his colleagues manually checked 40 passwords on each site. Using each site’s password requirements, they selected 20 passwords from a randomised sampling of the 100,000 most frequently used passwords found in data breaches, along with the first 20 passwords guessed by a password cracking tool.


Only 15 websites blocked all 40 of the tested passwords. These included Google, Adobe, GitHub and Grammarly.


In 2017, the US National Institute of Standards and Technology released a series of recommendations for websites to follow, such as including strength meters that encourage users to create stronger passwords, maintaining blocklists of leaked and easily guessed passwords and only allowing passwords that are at least eight characters.


Just 23 of the 120 most popular websites use strength meters. By comparison, 54 sites still rely on password composition policies that have poor security and usability ratings, such as forcing users to create complex passwords with a specific mix of uppercase and lowercase letters, numbers and symbols. Meanwhile, users can protect themselves by not reusing passwords for their online accounts.
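The two approaches contrasted above, a composition policy (specific mix of character classes) versus the blocklist-plus-minimum-length approach recommended by NIST, can be put side by side in code. The example below is added here and is not code from the article or from the researchers; the blocklist, the leetspeak map and the list of tested passwords are small constructed samples (a real deployment would load a list of the most frequently leaked passwords), and the function names are assumed. It shows why a composition rule happily accepts “P@$$w0rd” while a blocklist with light normalisation rejects it, and why the reverse holds for a long passphrase.

```python
import re
import unicodedata

# Constructed sample blocklist. The article's examples "abc123456" and
# "P@$$w0rd" are included; a real list would hold many thousands of entries
# drawn from breach data.
COMMON_PASSWORDS = {
    "abc123456", "p@$$w0rd", "password", "123456", "qwerty",
    "letmein", "iloveyou", "admin", "welcome", "monkey",
}

# Common substitutions users make to satisfy composition rules (assumed map).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

# Constructed set of "tested" passwords, in the spirit of the study's 40-password probe.
TESTED_PASSWORDS = [
    "abc123456",
    "P@$$w0rd",
    "Qwerty123!",
    "Welcome1",
    "correct horse battery staple",
]


def normalise(pw: str) -> str:
    """Fold case, apply NFKC and undo simple leetspeak so that
    'P@$$w0rd' is compared as 'password' against the blocklist."""
    return unicodedata.normalize("NFKC", pw).casefold().translate(LEET_MAP)


def composition_policy(pw: str) -> tuple[bool, str]:
    """Legacy rule set: at least 8 characters and one of each character class.
    No blocklist, so a well-known password that happens to tick every box passes."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    classes = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, pw)]
    if missing:
        return False, "missing character classes: " + ", ".join(missing)
    return True, "ok"


def nist_style_policy(pw: str, min_len: int = 8) -> tuple[bool, str]:
    """Minimum length plus a leaked/common-password blocklist and no
    composition rules, in the spirit of the NIST recommendations cited above."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    folded = pw.casefold()
    # Also check the password with trailing digits/symbols removed, so that
    # 'Welcome1' and 'Qwerty123!' are caught as 'welcome' and 'qwerty'.
    stripped = re.sub(r"[^a-z]+$", "", folded)
    candidates = {folded, normalise(folded), stripped, normalise(stripped)}
    if any(c in COMMON_PASSWORDS for c in candidates):
        return False, "appears in leaked/common password blocklist"
    return True, "ok"


def accepted_by(policy, passwords: list[str]) -> list[str]:
    """Return the subset of `passwords` that `policy` would let a user choose.
    This mirrors the study's measurement of how many probe passwords a site accepts."""
    return [pw for pw in passwords if policy(pw)[0]]


if __name__ == "__main__":
    for name, policy in (("composition", composition_policy), ("nist-style", nist_style_policy)):
        print(f"{name:12s} accepts: {accepted_by(policy, TESTED_PASSWORDS)}")
```

Running it shows the composition policy accepting “P@$$w0rd” and “Qwerty123!” while rejecting the 28-character passphrase, and the NIST-style policy doing the opposite. The normalisation step matters: a blocklist compared only by exact match would still let “P@$$w0rd” through on any site whose list contains only “password”.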


The researchers remain uncertain about why so many popular websites still have subpar password policies. One possibility is that organisations may prefer spending money on other security measures because it can be difficult to measure the impact of improving password policies, says Sten Sjöberg, a Microsoft security program manager who contributed to the research.
