Hey there Zero Cools, Neos and Setec astronomers, I'm Trace.
Thanks for tuning in for some DNews.
Passwords are like apples in a fictional garden, they're perfect, ripe, and there for the taking, if you know how.
Websites have a lot of different ways to store passwords,
hashing, salting, tokens, two-factor authentication -- we have a whole video about it --
but hacking a password? That's a lot more fun, right?
So first, for n00bs, passwords aren't stored as words, but as a scrambled, fixed-length string of characters called a hash.
They look like this.
If I want to access your account,
I don't really need your password; I just have to find the thing that lets me reverse that hash, or at least match it!
To do that, hacker communities created 'lookup tables' and 'rainbow tables' -- data files of common passwords that are pre-hashed.
Password123 hashed is this.
abcde12345 hashed, is this.
If a hacker did this beforehand, and has millions of passwords, they just compare them and they can get access to your account.
And hackers can do this comparison really fast.
In a test for Ars Technica, a computer could try 350 billion combinations every second!
350 billion password guesses. Every. Second.
How common does your password feel now?
But companies have a weapon against rainbow tables -- it's called "salt!"
Not like literal salt.
It's basically taking a random chunk of data and mixing it into the password before it gets hashed.
As our AP Donna says, "It changes the flavor."
If salted hashes are found, the rainbow tables are useless, because they'll never find a match!
Computers aren't great at problem solving, so even this little change can fumble automated hacking programs.
Without the tables, everything takes longer.
Hackers have to find out how the salt was added -- at the beginning of each password?
After the 15th character? Is it different for every user?
Then they have to figure out what the salt characters are; one encoder, bcrypt, puts $2a$ at the beginning of every hash…
But usually, salted passwords are enough to stop a lot of hackers,
because it's faster to change tack and use dictionary attacks or brute force attacks -- these were made famous in Mr. Robot.
Dictionary attacks use wordlists to take common passwords, like Password123, and just try them out.
They salt and hash them on the fly, and compare them to passwords in the database at the speed of light.
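To make the lookup-table-versus-salt point concrete, here is a small added example (not code from the video or from Ars Technica) showing why a pre-hashed table recovers an unsalted hash instantly, while a per-user salt forces every guess to be re-salted and re-hashed on the fly. It uses plain SHA-256 and a constructed five-word list as stand-ins for the real hash and the millions of entries in a real table.

```python
import hashlib
import os

# Constructed stand-in for a leaked wordlist; a real lookup table holds millions of entries.
COMMON_PASSWORDS = ["Password123", "abcde12345", "letmein", "qwerty", "dragon"]


def sha256_hex(data: bytes) -> str:
    # Plain SHA-256 stands in for whatever unsalted hash the site used.
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(wordlist):
    """Pre-hash every common password once: digest -> plaintext.
    This is the 'lookup table' idea; all the work is done before any breach."""
    return {sha256_hex(pw.encode()): pw for pw in wordlist}


def crack_unsalted(table, leaked_digest):
    """One dictionary lookup per leaked hash; no hashing at all at compare time."""
    return table.get(leaked_digest)


def store_salted(password: str, salt: bytes = None):
    """Defender side: a fresh random salt per user, mixed in *before* hashing.
    (Real systems use a slow password hash such as bcrypt; SHA-256 keeps the demo short.)"""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), sha256_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    return sha256_hex(bytes.fromhex(salt_hex) + password.encode()) == digest


def guess_salted(wordlist, salt_hex, digest):
    """Attacker side once the salt is known: every guess must be re-salted and re-hashed
    for *this* user, so the precomputed table is worthless and the cost scales per user.
    Returns (recovered_password_or_None, number_of_hashes_computed)."""
    for attempts, pw in enumerate(wordlist, start=1):
        if verify_salted(pw, salt_hex, digest):
            return pw, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = sha256_hex(b"Password123")                     # unsalted, as in the video
    print("unsalted lookup:", crack_unsalted(table, leaked))  # Password123, instantly
    salt, digest = store_salted("Password123")
    print("salted lookup:", crack_unsalted(table, digest))    # None: no table hit
    print("salted guessing:", guess_salted(COMMON_PASSWORDS, salt, digest))
```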
Brute force attacks are even more crazy:
they start with, say, "aaaa", salt and hash it in various ways and then compare those to the database,
then "aaab," then "aaac..." you get it. They just try every possible combination. It takes FOREVER.
When it comes to simple text, computers are wicked fast.
A hacker doing a test for Ars Technica cracked over 10,000 passwords in 16 minutes just by trying combinations at random within the password specifications
(less than 8 characters, a capital letter, a lowercase letter, et cetera).
Hackers are in a constant race against time, not necessarily because the Feds are right over their shoulder like in the movies,
but because once a company or agency realizes they've been hacked,
they usually adjust security and go public, encouraging users to change their passwords.
Which is why hackers just hack YOU.
If you're on an open wifi network without a password, you're basically shouting your passwords for anyone listening to hear.
Some hackers will set up fake "Free WiFi" points to get common passwords and email addresses.
Still, others just use spam!
If you click on a Word document or a link in an email, it can execute code on your computer, called malware,
to copy everything you type (including passwords, credit card numbers and so on) and send it direct to the hacker.
And still, others pose as Facebook security, or as a representative of the bank, or as the IT department… some will CALL YOU ON THE PHONE.
Never EVER give someone your password EVER.
If they're the company, they already have it!
Why spend all that time hacking a server if I can just trick you into telling me your password?
The moral of the story, other than that hacking is crazy interesting… is to use long, complicated passwords.
And never use the same one twice.
Long passwords are harder for dictionary and wordlist-based attacks to solve quickly.
It's actually less important to use passwords where letters are swapped for numbers --
and more important to use a long set of words… like "correct horse battery staple" or song lyrics --
easy to remember, but so long it would take a hacking program years of computing time to guess!
It's sort of like that old joke about running from a bear, you don't have to be the fastest, you just don't want to be the slowest.
If you haven't checked out the other video we just did about hacking and passwords, do that right here.
And let us know down in the comments if you just changed your password, because I know I did after this.
Thanks for tuning in to DNews, please subscribe and come back soon.