2018年最差密码：“123456”依旧排名第一，“donald”光荣上榜

“Donald”（唐纳德）又上榜了。这次可不是世界领导人排名，而是“最差密码”榜单。基于大约500万个被泄漏的密码，密码管理公司SplashData公布了今年的最差密码“100强”。

“Donald”在这个榜单中排名第23，与之一道上榜的还有“qwerty”（第9）、“password”（第2）和“baseball”（第32）。差中之差是哪个呢？“123456”，它已经稳居榜首达五年之久。

差密码都很短，容易猜到，往往包含英文单词或常见缩写，而且使用者众多。如果你设定的密码榜上有名，那就赶紧改改吧。

那怎样才是高强度密码呢？每个网站都单独创建一个，较长，而且不是常见的词语或排列。许多专家现在建议用几个随机挑选的单词组成一个密码，这是密码生成器Diceware推广的技术。虽然这似乎和常识相悖——自动化软件难道不会尝试所有这些词吗？——但大量的组合以及密码的长度让破解这样的密码和破解较短、几乎无法在键盘上敲出来或者记住的密码同样困难。

密码管理软件能按照人们希望的任何方式生成高强度密码，而这正是SplashData推广上述榜单的原因之一。它的竞争对手很多，包括苹果公司和谷歌所有硬件、软件和浏览器中内置的支持功能，比如苹果的iOS、Safari、iCloud和谷歌的安卓系统、Chrome及其他app，另外还有1Password、Dashlane和LastPass。

据专门公布被破解密码的网站Have I Been Pwned介绍，过去几年被盗的账号超过56亿个，这也让研究者得以深入研究这个问题。

安全专家的建议是，网站不要允许用户创建很容易破解的密码，但为了不让用户望而却步，有些网站更倾向于不要求设置高强度密码。

不过，也有一些网站制定了复杂的密码要求，比如要包含大写和小写字母，有一位数字以及一个符号。而这有可能造成人们选择 “Password1!”作为密码——对盗号者来说，这个密码的破解难度只比“password”大一丁点儿。

在许多数据库，约一半用户依靠的都是某几个密码中的一个。黑客们能破解这些简单密码，然后轻而易举地进入数百万甚至数千万个账号中。如果许多用户在多项服务中共用一个低强度密码，盗一个号就可能威胁到他们在许多网站上或诸多服务中的账号。（财富中文网）

译者：Charlie

审校：夏林

“Donald” has joined a new list. Not of world leaders, but of “worst passwords.” The password-management firm SplashData released its annual list of the 100 worst character combinations it found among leaks of about five million passwords.

“Donald” entered the list at position 23. You’ll also find “qwerty” (#9), password (#2), and baseball (#32). The worst of the worst passwords? “123456,” which has been sitting on top of the worst password chart for five years running.

Bad passwords are short, easily guessed, often contain words or common abbreviations, and are used by many other people. If one of yours is on the list, the right time to change it is right now.

What’s a strong password? It’s uniquely created for each site, it’s relatively long, and it’s not a common phrase or sequence. Many experts now recommend a password made up of a few words that are picked at random, a technique popularized by Diceware. While this may seem counter-intuive—couldn’t automated software just try all those words?—the large number of combinations and the length of the password in total makes it as hard to break as a shorter, impossible-to-type or remember sequence.

Password-management software can generate strong passwords according to any desired recipe, and it’s one reason SplashData promotes its list. Competitors abound, including built-in support across Apple’s and Google’s hardware, software, and browsers—iOS, Safari, and iCloud for Apple and Android, Chrome, and other apps for Google—as well as 1Password, Dashlane, and LastPass.

With over 5.6 billion accounts leaked over the last several years, according to the password-breach notification site Have I Been Pwned, researchers have been able to take a good look at the problem.

Security experts recommend that Web sites not allow users to create easily cracked password, but some sites prefer not to deter account creation by requiring something strong.

However, other sites have complex password-formulating requirements—like a mix of upper and lower case, one number, and one symbol—that can lead people to pick “Password1!”, which is only slight harder for intruders to decipher as “password”.

In many databases, about 50% of users rely on one of a handful of passwords. Hackers can crack those simple password and easily gain access to log into millions or tens of millions of accounts. With many users sharing the same, weak password across multiple services, that single breach can jeopardize their accounts at many different sites and services.