Worst Passwords of 2018: “123456” Still Ranks First, “donald” Makes the List
(Fortune China) Translated by Charlie; reviewed by Xia Lin
“Donald” has joined a new list. Not of world leaders, but of “worst passwords.” The password-management firm SplashData released its annual list of the 100 worst character combinations it found among leaks of about five million passwords. “Donald” entered the list at position 23. You’ll also find “qwerty” (#9), “password” (#2), and “baseball” (#32). The worst of the worst passwords? “123456,” which has been sitting on top of the worst-password chart for five years running.

Bad passwords are short, easily guessed, often contain words or common abbreviations, and are used by many other people. If one of yours is on the list, the right time to change it is right now.

What’s a strong password? It’s uniquely created for each site, it’s relatively long, and it’s not a common phrase or sequence. Many experts now recommend a password made up of a few words that are picked at random, a technique popularized by Diceware. While this may seem counter-intuitive—couldn’t automated software just try all those words?—the large number of combinations and the total length of the password make it as hard to break as a shorter, impossible-to-type-or-remember sequence.

Password-management software can generate strong passwords according to any desired recipe, and it’s one reason SplashData promotes its list. Competitors abound, including built-in support across Apple’s and Google’s hardware, software, and browsers—iOS, Safari, and iCloud for Apple; Android, Chrome, and other apps for Google—as well as 1Password, Dashlane, and LastPass.

With over 5.6 billion accounts leaked over the last several years, according to the password-breach notification site Have I Been Pwned, researchers have been able to take a good look at the problem. Security experts recommend that Web sites not allow users to create easily cracked passwords, but some sites prefer not to deter account creation by requiring something strong.
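The Diceware argument above rests on arithmetic: the guess-resistance of a passphrase depends on how many words the list holds and how many words you draw, not on whether the words are ordinary. The following example, added here and not taken from the article, SplashData or Diceware, puts numbers on that claim. It assumes the standard Diceware list size of 7,776 words (6^5) and a 95-symbol printable-ASCII pool for random-character passwords; the eight-word list is a constructed stand-in for a real Diceware list, used only so the generator runs offline.

```python
import math
import secrets

# Constructed stand-in for a real Diceware list, which has 7776 entries.
SAMPLE_WORDS = ["apple", "river", "cobalt", "window", "jump", "garden", "silver", "tiger"]
DICEWARE_LIST_SIZE = 7776   # 6^5: five dice rolls index one word
PRINTABLE_ASCII = 95        # symbols available to a random-character generator


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def diceware_passphrase(num_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Draw words uniformly with a CSPRNG (secrets), the software equivalent of dice.
    The strength comes from the uniform draw and the list size, not from word choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest Diceware words that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def chars_needed(target_bits: float, pool_size: int = PRINTABLE_ASCII) -> int:
    """Fewest random printable characters that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def pattern_guess_bits(*pool_sizes: int) -> float:
    """Guess space of a human pattern such as word + digit + symbol, in bits, assuming
    the attacker already knows the pattern and only has to try each slot's pool.
    E.g. pattern_guess_bits(10_000, 10, 33): a common word, one digit, one symbol."""
    return sum(math.log2(p) for p in pool_sizes)


if __name__ == "__main__":
    six_words = entropy_bits(DICEWARE_LIST_SIZE, 6)
    print(f"6 Diceware words: {six_words:.1f} bits, e.g. '{diceware_passphrase(6)}'")
    print(f"8 random printable chars: {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"Random chars matching 6 words: {chars_needed(six_words)}")
    print(f"'Password1!'-style pattern: {pattern_guess_bits(10_000, 10, 33):.1f} bits")
```

The comparison the article draws falls straight out of `chars_needed`: six random words (about 77.5 bits) match a twelve-character random string, while an eight-character random string sits near 52.6 bits. The `pattern_guess_bits` figure for a word-plus-digit-plus-symbol password is an assumed model (10,000 common words, one digit, one symbol) that explains why such passwords resist automated guessing far less than their character mix suggests.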
However, other sites have complex password-formulating requirements—like a mix of upper and lower case, one number, and one symbol—that can lead people to pick “Password1!”, which is only slightly harder for intruders to decipher than “password”. In many databases, about 50% of users rely on one of a handful of passwords. Hackers can crack those simple passwords and easily log in to millions or tens of millions of accounts. With many users sharing the same weak password across multiple services, a single breach can jeopardize their accounts at many different sites and services.
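The article's two policy points, that sites should refuse easily cracked passwords and that composition rules wave “Password1!” through, can be shown side by side in registration-time checks. The example below is added here and is not code from the article or from any vendor it names. It assumes a denylist built from the passwords the article mentions (a real deployment would load the full SplashData list or a breach corpus such as Have I Been Pwned), a 12-character minimum that is an assumed policy value, and a small normalization step that folds case, edge digits and symbols, and common letter substitutions so that mangled forms of a listed password still match.

```python
import re

# Constructed denylist from the entries the article names; a real one holds far more.
DENYLIST = {"123456", "password", "qwerty", "baseball", "donald"}
MIN_LENGTH = 12   # assumed policy value, not from the article

_COMPOSITION_RULES = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]


def naive_complexity_ok(pw: str) -> bool:
    """The 'upper + lower + digit + symbol' rule the article criticises.
    It accepts 'Password1!' because the rule never asks whether the core is a known word."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in _COMPOSITION_RULES)


def normalize(pw: str) -> str:
    """Collapse common mangling so 'Password1!' and 'P@ssw0rd' both become 'password':
    lowercase, strip leading/trailing non-letters, undo a few leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(str.maketrans("@$013", "asole"))


def check_password(pw: str):
    """Return (accepted, reason). Known-bad passwords are refused first, in both raw
    and normalized form; then a length floor applies. No composition rule is imposed,
    which is what steers users toward length or passphrases instead of 'Password1!'."""
    if pw.lower() in DENYLIST or normalize(pw) in DENYLIST:
        return False, "matches a known-bad password"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed registration attempts, including the article's own examples.
    for candidate in ["123456", "Password1!", "P@ssw0rd", "Baseball99!",
                      "abcdefghij", "correct horse battery staple"]:
        print(f"{candidate!r:32} complexity rule: {naive_complexity_ok(candidate)!s:5} "
              f"denylist+length: {check_password(candidate)}")
```

Run as a script, the table makes the article's point visible: the composition rule accepts “Password1!” and “Baseball99!” while refusing the long passphrase (no upper case, digit or symbol), whereas the denylist-plus-length check does the reverse.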