Having Trouble Remembering Your Password? Forget About It!記住密碼不是問題！

On December 22， 2022， popular password manager LastPass delivered a hunk of coal1 to its 30 million users： their sensitive information had been compromised2 in a security breach.

2022年12月22日，廣受歡迎的密碼管理器LastPass向其3000萬用戶發布了一條令人沮喪的消息：用戶的敏感信息在一起數據安全事件中遭到泄露。

Password managers， such as LastPass， are services that allow users to generate and store unique passwords for their online accounts. Rather than using the same password for multiple accounts or using weak passwords， password managers allow users to create complex passwords for each of their accounts and store them in a secure， encrypted format. Using one “master password，” a user can automatically log into accounts without having to rely on their own memory.

密碼管理器，如LastPass，所提供的服務就是讓用戶可以為自己的在線賬戶生成并存儲獨特密碼。用戶無需在多個賬戶使用相同的密碼，或使用安全力度弱的密碼。密碼管理器讓用戶可以為每個賬戶創建復雜的密碼，并以安全加密的格式存儲。通過使用一個“主密碼”，用戶可以自動登錄到多個賬戶，而不必依賴自己的記憶力。

Users’ memory （or lack thereof） is an important factor in password security， and for nearly a decade， Jelena Mirkovic， Project Leader at USC’s Information Sciences Institute （ISI）， and her team have studied the memorability and security of passwords， and the way in which these two characteristics are at odds3 with each other.

用戶的記憶力好壞是影響密碼安全的一個重要因素。近10年來，南加州大學信息科學研究所的項目負責人耶萊娜·米爾科維奇及其團隊一直在研究密碼的易記性和安全性，以及兩者之間存在的矛盾。

Relying on one’s memory is what tends to make passwords less secure. Mirkovic and her team have found that users usually take one of two approaches to create a password they can remember. One method is to make a weak password using personal facts （i.e. names and birth dates） that make it easy to remember， but also easy to guess by a hacker.

依賴記憶往往會降低密碼的安全性。米爾科維奇及其團隊發現，用戶在創建易記密碼時，通常會采取以下兩種方法中的一種。其一是使用個人信息（如姓名和出生日期）創建一個弱密碼，雖便于記憶，但也容易被黑客破解。

The other common method is to create a long， complex， relatively secure password， but then use it on a number of different sites， making it less secure because it just takes the breach of one site for the password to become compromised.

另一種常見方法是創建一個長且復雜、相對安全的密碼，但隨后在多個不同的網站上使用，這就降低了密碼的安全性，因為只要有一個網站被攻破，密碼就會泄露。

Through their research， Mirkovic’s team found that users value memorability over security. So they’ve set out to develop methods that help users create memorable and secure passwords.

通過研究，米爾科維奇團隊發現，相較安全性，用戶更注重密碼的易記性。因此，他們決定研發新方法，幫助用戶創建既易記又安全的密碼。

Start with memorability

始于易記性

Mirkovic and her team started this research in 2014. At that time， said Mirkovic， “researchers had been working on passwords， and the research was prolific4. Every conference had a few papers on either a new way to do passwords， or how to measure the strength of passwords， and I thought that we should look at it from a different angle. People had focused a lot on trying to make passwords secure and strong， and less on the memorability of passwords.”

米爾科維奇及其團隊于2014年開始了這項研究。米爾科維奇回憶說，當時，“研究人員已經致力于密碼研究，且成果頗豐。每次會議都有幾篇論文，要么關于設置密碼的新方法，要么關于如何衡量密碼強度，我覺得我們應該換個角度看待這個問題。過去，人們主要關注如何使密碼安全和強大，卻在一定程度上忽視了密碼的易記性。”

She continued， “So we started our research a little backwards. We started by saying ‘we think memorability is important， let’s see how we can improve it.’”

她接著說道：“因此，我們的研究起點有些反其道而行之。我們一開始的想法就是——‘易記性很重要，看看如何改進它’。”

Life Experience Passwords （LEPs）

生活經歷密碼（LEPs）

Working with cognitive scientists and language experts， Mirkovic and her team set out to create an automated authentication5 process that relied on a user’s existing memories.

米爾科維奇團隊與認知科學家和語言專家合作，著手創建了一個基于用戶現有記憶的自動化身份驗證程序。

“The hope was that if we asked people about something that was already in their mind—like a past memory of an event—then memorability would be a given because they already remember it. So we just needed to find a way to elicit6 those memories in a way that was consistent7 enough to build a password.”

“我們所希望的是，通過詢問人們一些他們已經銘記于心的事物，比如對過往事件的記憶，密碼的易記性就能得到保障，因為他們本來就記得這些。所以，我們只需找到一種方法來充分喚起這些記憶，并以一種足夠穩定的方式將其轉化為密碼。”

They ended up with LEPs， a cross between traditional passwords and security questions. Typically， security questions ask the same things， which can make them easy to guess by hackers. For example， said Mirkovic， “They ask the name of your favorite teacher. With a dictionary of names a hacker can easily get that.”

最終，他們開發出了生活經歷密碼，這是結合了傳統密碼和安全問題的一種混合型方案。通常，安全問題都是問一些相同的事情，這使得黑客很容易猜到答案。米爾科維奇舉例說：“他們會問你最喜歡的老師的名字。黑客只要有一個姓名詞典，就能輕易地得到答案。”

Her team asked for several facts about an event chosen by the user. “So if they chose a trip， we would ask ‘where did you go？ who did you go with？ when did you go？’ and so on.”

她的團隊會詢問用戶所選事件的相關事實。“比如，如果他們選擇了一次旅行，我們會問‘你去了哪里？和誰一起去的？什么時候去的？’等等。”

The team transformed these existing memories into a series of questions and answers. The questions were used at authentication time as hints for the user， and the answers became the password.

團隊將這些現有的記憶轉化成一系列問題和答案。這些問題在身份驗證時被用作給用戶的提示，而答案則成為密碼。

The results were outstanding. The team found that LEPs had two to three times higher recall than regular passwords and they are many orders of magnitude stronger than an ideal， random， eight-character password. The one drawback， however， is the amount of time required by the user.

結果令人眼前一亮。研究團隊發現，記起生活經歷密碼的概率是傳統密碼的2—3倍，其安全性也遠勝于隨機生成的8位理想密碼。不過，這種方法也存在一個缺點，那就是用戶需要花費的時間多了。

“For a user， instead of just typing the password it would take them three to five times that amount of time because they are answering multiple questions. So we realized that LEPs are maybe best for protecting very important accounts where you can ask additional questions， and where the user is willing to put in that effort.”

“對用戶而言，由于需要回答多個問題，所需時間可能是直接輸入密碼的3—5倍。因此，我們認識到，生活經歷密碼可能最適合用于保護那些非常重要的賬戶，在這種前提下，你可以設置更多問題，而用戶也愿意為此付出時間。”

Mnemonics8 Passwords （MNPass）

助記密碼（MNPass）

According to Mirkovic， “The question-answer format worked well， but it required some effort from the user. So we thought， ‘let’s see if we can make this work with regular passwords，’ which are just one phrase or one long word.”

米爾科維奇表示：“問答形式固然有效，但用戶需要有所付出。于是，我們考慮能否將這種方法應用于常規密碼，畢竟常規密碼通常只是一個短語或長單詞。”

“We really departed from the notion of ‘give us a blend of uppercase9 and lowercase10 and special characters and digits’ because you just end up with a really complex string of characters that is not memorable.”

“我們摒棄了‘混合使用大小寫字母、特殊字符和數字’的傳統觀念，因為這樣做只會得出一串非常復雜難記的字符。”

Her work with cognitive scientists showed that people remember the important things， but they don’t remember details. “So it’s really hard for them to remember， for example， which special character they put where because it’s such an insignificant detail，” said Mirkovic.

她與認知科學家的合作研究顯示，人們往往會記住重要信息，而忽略細節。她說：“因此，像是把哪個特殊字符放在了哪個位置之類實在微小的細節，人們一一記住確實非常困難。”

Focusing on memorability， the team incorporated mnemonics. A mnemonic is a way of remembering something using a pattern of letters or images.

研究團隊專注于密碼的易記性，引入了助記法，即通過字母或圖像模式來輔助記憶。

In this authentication method， called MNPass， the researchers used a series of letters as prompts to users， and users would come up with the words that they associated with those letters. This string of words would then become the stored password. The next time the user logged in， they would be given those same letters as cues.

在這種叫作 MNPass 的身份驗證法中，研究人員設計了一系列字母作為給用戶的提示。根據這些字母的提示，用戶會聯想到與之相關的單詞。這串單詞隨后會被存儲為密碼。用戶下次登錄時，系統會再次展示相同的字母提示，幫助用戶回憶起密碼。

Some of the words users chose were too common， and could easily be guessed by hackers. Mirkovic had a plan for that： “The second thing we tried was suggesting one of the words. So one of the words would become quite long and rare. For example， let’s say that the letter prompt was M， instead of May， it would suggest meningitis， or something a little longer and less common. And then we would let users choose the rest.”

有些用戶選擇的單詞過于常見，這可能導致黑客輕易猜出密碼。為了解決這個問題，米爾科維奇提出了一個方案：“我們嘗試的第二種方法是為用戶提供一個推薦單詞。這樣，其中一個單詞會是個相對較長且罕見的。假如提示字母為M，推薦詞不會是May（五月），而是像meningitis（腦膜炎）這類略長且較生僻的單詞。然后，我們會讓用戶自行選擇其余的單詞。”

With the incorporation of this additional method， the team found that memorability was not impacted but security increased.

研究團隊發現，引入這種額外的方法后，易記性并未受到影響，安全性卻得到了提升。

The MNPass authentication hits increased recall of passphrases by 30–36% after three days， and by 51–74% after seven days.

使用MNPass身份驗證后，用戶3天后記起密碼短語的概率提高了30 —36%，7天后提高了51—74%。

Password managers of the future

未來的密碼管理器

Mirkovic’s upcoming work involves researching whether it is possible to have a password manager that does not store passwords， but generates passwords. She offered an example of what she hopes to create：

米爾科維奇接下來的研究是探索開發一種新型密碼管理器的可能性，這種管理器不再存儲密碼，而是能夠實時生成密碼。她舉例說明了她的構想：

“If I’m trying to log into email， then I would input my master password and a cue （e.g.， “email” or “Outlook”） and a password would be generated. I could literally have a piece of code on my laptop or phone that would generate it. It’s just like a calculator calculates something， but doesn’t remember any of my inputs.”

“假如我想登錄電子郵箱，我只需輸入我的主密碼和一個提示（比如email或Outlook），然后管理器就會為我生成一個密碼。我的筆記本電腦或手機上可以運行一小段代碼來實現這一功能。這就像是用計算器進行計算一樣，但它只負責運算而不會記住我的任何輸入。”

But in the meantime， she still highly recommends traditional password managers， even in light of the recent LastPass breach， saying， “The LastPass security breach should not discourage users from using password managers， since they vastly increase the security of passwords.”

但與此同時，即便最近發生了LastPass安全漏洞事件，她仍然強烈推薦使用傳統的密碼管理器，并表示：“LastPass安全漏洞事件不應成為阻礙用戶使用密碼管理器的理由，因為密碼管理器極大提高了密碼的安全性。”

Mirkovic continued， “Because systems and software are very complex today， it is not unexpected that any online business can suffer a breach. In those cases， a quick response and a quick， honest information being communicated to users can make a big difference， followed by actions that fix the cause of the breach. LastPass seems to have had a reasonably secure way to store user passwords （encrypted in a vault11）， so I think they are still OK to be trusted by users.”

米爾科維奇進一步解釋道：“由于當今的系統和軟件都非常復雜，任何在線業務都有可能遭遇安全漏洞事件，這并不意外。當這類事件發生時，快速響應并及時、如實地向用戶傳達信息至關重要，緊接著要采取行動來解決導致漏洞的根源問題。LastPass似乎采用了足夠安全的方式來存儲用戶密碼（加密保存在安全系統中），因此，我認為用戶仍然可以信賴LastPass。”

（譯者單位：大連外國語大學高級翻譯學院）

1 a hunk of coal常用來形容一件令人失望、不愉快或糟糕的事物。" 2 compromise泄露（密碼、信息等）。

3 at odds表示兩個或多個事物之間存在沖突、不一致或對立的狀態。" 4 prolific眾多的，大批的。

5 authentication驗證，認證。" 6 elicit引出，誘出。" 7 consistent一致的，連貫的。

8 mnemonics助記術，記憶術。

9 uppercase大寫字母。" 10 lowercase小寫字母。

11 vault此處指用于存放文件或其他數據的安全系統，用于保護其中的信息不被他人訪問。