Having Trouble Remembering Your Password? Forget About It!记住密码不是问题！

On December 22， 2022， popular password manager LastPass delivered a hunk of coal1 to its 30 million users： their sensitive information had been compromised2 in a security breach.

2022年12月22日，广受欢迎的密码管理器LastPass向其3000万用户发布了一条令人沮丧的消息：用户的敏感信息在一起数据安全事件中遭到泄露。

Password managers， such as LastPass， are services that allow users to generate and store unique passwords for their online accounts. Rather than using the same password for multiple accounts or using weak passwords， password managers allow users to create complex passwords for each of their accounts and store them in a secure， encrypted format. Using one “master password，” a user can automatically log into accounts without having to rely on their own memory.

密码管理器，如LastPass，所提供的服务就是让用户可以为自己的在线账户生成并存储独特密码。用户无需在多个账户使用相同的密码，或使用安全力度弱的密码。密码管理器让用户可以为每个账户创建复杂的密码，并以安全加密的格式存储。通过使用一个“主密码”，用户可以自动登录到多个账户，而不必依赖自己的记忆力。

Users’ memory （or lack thereof） is an important factor in password security， and for nearly a decade， Jelena Mirkovic， Project Leader at USC’s Information Sciences Institute （ISI）， and her team have studied the memorability and security of passwords， and the way in which these two characteristics are at odds3 with each other.

用户的记忆力好坏是影响密码安全的一个重要因素。近10年来，南加州大学信息科学研究所的项目负责人耶莱娜·米尔科维奇及其团队一直在研究密码的易记性和安全性，以及两者之间存在的矛盾。

Relying on one’s memory is what tends to make passwords less secure. Mirkovic and her team have found that users usually take one of two approaches to create a password they can remember. One method is to make a weak password using personal facts （i.e. names and birth dates） that make it easy to remember， but also easy to guess by a hacker.

依赖记忆往往会降低密码的安全性。米尔科维奇及其团队发现，用户在创建易记密码时，通常会采取以下两种方法中的一种。其一是使用个人信息（如姓名和出生日期）创建一个弱密码，虽便于记忆，但也容易被黑客破解。

The other common method is to create a long， complex， relatively secure password， but then use it on a number of different sites， making it less secure because it just takes the breach of one site for the password to become compromised.

另一种常见方法是创建一个长且复杂、相对安全的密码，但随后在多个不同的网站上使用，这就降低了密码的安全性，因为只要有一个网站被攻破，密码就会泄露。

Through their research， Mirkovic’s team found that users value memorability over security. So they’ve set out to develop methods that help users create memorable and secure passwords.

通过研究，米尔科维奇团队发现，相较安全性，用户更注重密码的易记性。因此，他们决定研发新方法，帮助用户创建既易记又安全的密码。

Start with memorability

始于易记性

Mirkovic and her team started this research in 2014. At that time， said Mirkovic， “researchers had been working on passwords， and the research was prolific4. Every conference had a few papers on either a new way to do passwords， or how to measure the strength of passwords， and I thought that we should look at it from a different angle. People had focused a lot on trying to make passwords secure and strong， and less on the memorability of passwords.”

米尔科维奇及其团队于2014年开始了这项研究。米尔科维奇回忆说，当时，“研究人员已经致力于密码研究，且成果颇丰。每次会议都有几篇论文，要么关于设置密码的新方法，要么关于如何衡量密码强度，我觉得我们应该换个角度看待这个问题。过去，人们主要关注如何使密码安全和强大，却在一定程度上忽视了密码的易记性。”

She continued， “So we started our research a little backwards. We started by saying ‘we think memorability is important， let’s see how we can improve it.’”

她接着说道：“因此，我们的研究起点有些反其道而行之。我们一开始的想法就是——‘易记性很重要，看看如何改进它’。”

Life Experience Passwords （LEPs）

生活经历密码（LEPs）

Working with cognitive scientists and language experts， Mirkovic and her team set out to create an automated authentication5 process that relied on a user’s existing memories.

米尔科维奇团队与认知科学家和语言专家合作，着手创建了一个基于用户现有记忆的自动化身份验证程序。

“The hope was that if we asked people about something that was already in their mind—like a past memory of an event—then memorability would be a given because they already remember it. So we just needed to find a way to elicit6 those memories in a way that was consistent7 enough to build a password.”

“我们所希望的是，通过询问人们一些他们已经铭记于心的事物，比如对过往事件的记忆，密码的易记性就能得到保障，因为他们本来就记得这些。所以，我们只需找到一种方法来充分唤起这些记忆，并以一种足够稳定的方式将其转化为密码。”

They ended up with LEPs， a cross between traditional passwords and security questions. Typically， security questions ask the same things， which can make them easy to guess by hackers. For example， said Mirkovic， “They ask the name of your favorite teacher. With a dictionary of names a hacker can easily get that.”

最终，他们开发出了生活经历密码，这是结合了传统密码和安全问题的一种混合型方案。通常，安全问题都是问一些相同的事情，这使得黑客很容易猜到答案。米尔科维奇举例说：“他们会问你最喜欢的老师的名字。黑客只要有一个姓名词典，就能轻易地得到答案。”

Her team asked for several facts about an event chosen by the user. “So if they chose a trip， we would ask ‘where did you go？ who did you go with？ when did you go？’ and so on.”

她的团队会询问用户所选事件的相关事实。“比如，如果他们选择了一次旅行，我们会问‘你去了哪里？和谁一起去的？什么时候去的？’等等。”

The team transformed these existing memories into a series of questions and answers. The questions were used at authentication time as hints for the user， and the answers became the password.

团队将这些现有的记忆转化成一系列问题和答案。这些问题在身份验证时被用作给用户的提示，而答案则成为密码。

The results were outstanding. The team found that LEPs had two to three times higher recall than regular passwords and they are many orders of magnitude stronger than an ideal， random， eight-character password. The one drawback， however， is the amount of time required by the user.

结果令人眼前一亮。研究团队发现，记起生活经历密码的概率是传统密码的2—3倍，其安全性也远胜于随机生成的8位理想密码。不过，这种方法也存在一个缺点，那就是用户需要花费的时间多了。

“For a user， instead of just typing the password it would take them three to five times that amount of time because they are answering multiple questions. So we realized that LEPs are maybe best for protecting very important accounts where you can ask additional questions， and where the user is willing to put in that effort.”