|
|
LorrieCranor_2014X-_你的密码有什么问题_
|
| I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security. |
[00:12] |
|
computer science:n.计算机科学; engineering:n.工程;工程学;v.密谋策划;设计制造;改变…的基因;(engineer的现在分词) privacy:n.隐私;秘密;隐居;隐居处; frustrations:n.沮丧;受阻;阻止;挫败;(frustration的复数) computing:n.计算;计算机技术;信息处理技术;v.计算;求出;(compute的现在分词) especially:adv.尤其;特别;格外;十分; unusable:adj.不能用的;与众不同的;
|
| So passwords are something that I hear a lot about. |
[00:32] |
| A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. |
[00:35] |
|
frustrated:adj.失意的,挫败的;泄气的;v.挫败;阻挠;(frustrate的过去式和过去分词)
|
| But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? |
[00:47] |
|
supposed:adj.误信的;所谓的;v.认为;假设;设想;(suppose的过去分词和过去式) unique:adj.独特的,稀罕的;[数]唯一的;n.独一无二的人或物;
|
| It's tough. |
[00:56] |
| At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. |
[00:58] |
| The password requirement up through 2009 was just that you had to have a password with at least one character. |
[01:03] |
| Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy , and this new policy required |
[01:10] |
|
policy:n.政策,方针;保险单;
|
| passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit , a symbol , you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary. |
[01:19] |
|
uppercase:vt.以大写字母印刷;adj.大写字母的;n.大写字母; lowercase:n.小写字母;小写字体;adj.小写字体的;vt.用小写字体书写; digit:n.数字;手指或足趾;一指宽; symbol:n.象征;符号;标志;
|
| Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, Wow, now that's really unusable. |
[01:30] |
|
implemented:v.使生效;贯彻;执行;实施;(implement的过去式和过去分词) colleagues:n.同事;同行(colleague的复数);
|
| Why are they doing this to us, and why didn't you stop them? |
[01:38] |
| And I said, Well, you know what? |
[01:41] |
| They didn't ask me. |
[01:42] |
| But I got curious , and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy . |
[01:44] |
|
curious:adj.好奇的,有求知欲的;古怪的;爱挑剔的; in charge of:负责;主管; consortium:n.财团;联合;合伙; membership:n.成员资格;(统称)会员;会员人数; complied:v.遵照(comply的过去式和过去分词); entropy:n.[热]熵(热力学函数);
|
| Now entropy is a complicated term, but basically it measures the strength of passwords. |
[02:09] |
|
complicated:adj.复杂的;难懂的;v.使复杂化;(complicate的过去分词和过去式) basically:adv.主要地,基本上;
|
| But the thing is, there isn't actually a standard measure of entropy. |
[02:14] |
|
standard:n.标准;水准;旗;度量衡标准;adj.标准的;合规格的;公认为优秀的;
|
| Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific , and the reason they only have rules of thumb |
[02:18] |
|
Institute:v.开始(调查);制定;创立;提起(诉讼);n.学会,协会;学院; Standards:n.标准,水平,规格(standard的复数) Technology:n.技术;工艺;术语; guidelines:n.指导方针;参考; thumb:v.翻阅;以拇指拨弄;作搭车手势;笨拙地摆弄;n.拇指; specific:adj.特殊的,特定的;明确的;详细的;[药]具有特效的;n.特性;细节;特效药;
|
| is it turns out they don't actually have any good data on passwords. |
[02:31] |
| In fact, their report states, |
[02:36] |
| Unfortunately , we do not have much data on the passwords users choose under particular rules. |
[02:38] |
|
Unfortunately:adv.不幸地;
|
| NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others. |
[02:43] |
|
obtain:vi.获得;流行;vt.获得; administrators:n.[管理]管理员;完全程序(administrator的复数形式); understandably:adv.可理解地; reluctant:adj.不情愿的;勉强的;顽抗的; reveal:v.显示;透露;揭露;泄露;n.揭露;暴露;门侧,窗侧;
|
| So this is a problem, but our research group looked at it as an opportunity. |
[02:53] |
| We said, Well, there's a need for good password data. |
[02:58] |
| Maybe we can collect some good password data and actually advance the state of the art here. |
[03:02] |
|
state of the art:adj.最先进的;已经发展的;达到最高水准的;
|
| So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. |
[03:06] |
|
campus:n.(大学)校园;大学,大学生活;校园内的草地; faculty:n.科,系;能力;全体教员;
|
| Now we didn't say, Give us your password. |
[03:17] |
| No, we just asked them about their password. |
[03:20] |
| How long is it? Does it have a digit? |
[03:22] |
| Does it have a symbol? |
[03:24] |
| And were you annoyed at having to create a new one last week? |
[03:25] |
|
annoyed:adj.恼怒;生气;烦恼;v.使恼怒;使生气;打扰;骚扰(annoy的过去分词和过去式)
|
| So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying , but we also found that people said they felt more secure with these new passwords. |
[03:30] |
|
annoying:adj.烦人的;使生气的;使烦恼的;v.使生气;打扰;骚扰;(annoy的现在分词)
|
| We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly , 80 percent of people said they were reusing their password. |
[03:43] |
|
disturbingly:adv.令人不安地;动摇地;
|
| Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers . |
[03:54] |
|
susceptible:adj.易受影响的;易感动的;容许…的;n.易得病的人; attackers:n.攻击者;进攻者;
|
| So if you have to, write your passwords down, but don't reuse them. |
[04:01] |
| We also found some interesting things about the symbols people use in passwords. |
[04:06] |
|
symbols:n.符号;象征;标志;符号表(symbol的复数);
|
| So CMU allows 32 possible symbols, but as you can see , there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords. |
[04:11] |
|
as you can see:正如你所看到的;你是知道的;
|
| So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where could we find additional password data? |
[04:23] |
|
scheme:n.计划;方案;体系;体制;阴谋;v.密谋;图谋;想;认为; additional:adj.附加的,额外的;
|
| So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. |
[04:37] |
| So we were able to get access to some of these stolen password sets. |
[04:45] |
| This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. |
[04:50] |
|
policies:n.政策;方针;原则;为人之道;保险单(policy的复数)
|
| So we wanted to find some better source of data. |
[05:01] |
|
source:n.来源;水源;原始资料;
|
| So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. |
[05:05] |
| So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people, a penny, ten cents, a few dollars, to do a task for you, |
[05:12] |
|
Amazon:亚马逊;古希腊女战士; Mechanical:adj.机械的;力学的;呆板的;无意识的;手工操作的;
|
| So we paid people about 50 cents to create a password following our rules and answering a survey , and then we paid them again to come back two days later and log in using their password and answering another survey. |
[05:27] |
|
survey:n.调查;测量;审视;纵览;vt.调查;勘测;俯瞰;vi.测量土地;
|
| So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. |
[05:40] |
|
a bunch of:一群;一束;一堆;
|
| So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. |
[05:49] |
| Then some people had a much harder policy, and this was very similar to the CMU policy, that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. |
[05:58] |
| And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters. |
[06:09] |
| All right, so now we had 5,000 passwords, and so we had much more detailed information. |
[06:20] |
| Again we see that there's only a small number of symbols that people are actually using in their passwords. |
[06:26] |
| We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall , there isn't a good measure of password strength. |
[06:33] |
|
recall:v.记起;回想起;使想到;勾起;召回;n.记忆力;记性;回归请求;回收令;
|
| So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature . |
[06:42] |
|
cracking:n.破裂;开裂;adj.裂解的;分裂的; literature:n.文学;文献;文艺;著作;
|
| So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. |
[06:54] |
|
scrambled:v.爬,攀登;争抢;抢占;争夺;(scramble的过去式和过去分词) hashing:v."hash"的现在分词;
|
| So a dumb attacker will try every password in order. |
[07:18] |
|
dumb:adj.哑的,无说话能力的;不说话的,无声音的;
|
| They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. |
[07:21] |
| A smart attacker, on the other hand , does something much more clever. |
[07:31] |
|
on the other hand:另一方面;
|
| They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. |
[07:34] |
| So they're going to start by guessing password, and then they'll guess I love you, and monkey, and 12345678, because these are the passwords that are most likely for people to have. |
[07:41] |
| In fact, some of you probably have these passwords. |
[07:52] |
| So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. |
[07:57] |
|
complex:adj.复杂的;合成的;n.复合体;综合设施;
|
| However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. |
[08:13] |
| So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords. |
[08:27] |
| Now here's the problem, though: |
[08:39] |
| Some people had long passwords that actually weren't very strong. |
[08:41] |
| You can make long passwords that are still the sort of thing that an attacker could easily guess. |
[08:45] |
| So we need to do more than just say long passwords. |
[08:50] |
| There has to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type. |
[08:54] |
|
ongoing:n.发展; adj.持续存在的;
|
| Another approach to getting people to have stronger passwords is to use a password meter. |
[09:08] |
|
approach:n.方法;路径;v.接近;建议;着手处理;
|
| Here are some examples. |
[09:12] |
| You may have seen these on the Internet when you were creating passwords. |
[09:14] |
| We decided to do a study to find out whether these password meters actually work. |
[09:18] |
| Do they actually help people have stronger passwords, and if so, which ones are better? |
[09:23] |
| So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny . |
[09:28] |
|
bunny:n.(儿语)兔子
|
| As you type a better password, the bunny dances faster and faster. |
[09:38] |
| So this was pretty fun. |
[09:42] |
| What we found was that password meters do work. |
[09:44] |
| (Laughter) |
[09:49] |
| Most of the password meters were actually effective , and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most o f the password meters on the Internet today are too soft. |
[09:51] |
|
effective:adj.有效的,起作用的;实际的,实在的;给人深刻印象;
|
| They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback , you probably would have better passwords. |
[10:10] |
|
positive:adj.积极的;[数]正的,[医][化学]阳性的;确定的;n.正数;[摄]正片; feedback:n.反馈;反馈意见;回授;[电子]反馈;
|
| Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. |
[10:20] |
| So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase correct horse battery staple would be a very strong pass phrase and something really easy to remember. |
[10:27] |
|
cartoonist:n.漫画家; battery:n.[电]电池,蓄电池;n.[法]殴打;n.[军]炮台,炮位; staple:n.主要产品; adj.主要的,常用的; v.把…分级;
|
| He says, in fact, you've already remembered it. |
[10:47] |
| And so we decided to do a research study to find out whether this was true or not. |
[10:50] |
| In fact, everybody who I talk to, who I mention I'm doing password research, they point out this cartoon. |
[10:54] |
| Oh, have you seen it? That xkcd. |
[10:59] |
| Correct horse battery staple. |
[11:01] |
| So we did the research study to see what would actually happen. |
[11:03] |
| So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. |
[11:07] |
|
random:adj.[数]随机的;任意的;胡乱的;n.随意;adv.胡乱地;
|
| Now the reason we did this is that humans are not very good at picking random words. |
[11:15] |
| If we asked a human to do it, they would pick things that were not very random. |
[11:19] |
| So we tried a few different conditions. |
[11:24] |
| In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like try there three come. |
[11:26] |
| And we looked at that, and we said, |
[11:35] |
| Well, that doesn't really seem very memorable . |
[11:37] |
|
memorable:adj.显著的,难忘的;值得纪念的;
|
| So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. |
[11:40] |
| That comes up with something that's sort of sentence-like. |
[11:47] |
| So you can get a pass phrase like plan builds sure power or end determines red drug. |
[11:49] |
|
determines:v.查明;测定;准确算出;决定;裁决;安排;(determine的第三人称单数)
|
| And these seemed a little bit more memorable, and maybe people would like those a little bit better. |
[11:55] |
| We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. |
[12:01] |
|
compare:v.比较;对比;n.比较;
|
| And then we decided to try something called a pronounceable password. |
[12:11] |
|
pronounceable:adj.读得出的;可发音的;可断言的;
|
| So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like tufritvi and vadasabi. |
[12:14] |
|
syllables:n.[语]音节;(syllable的复数)
|
| That one kind of rolls off your tongue. |
[12:23] |
| So these were random passwords that were generated by our computer. |
[12:25] |
|
generated:v.产生;引起;(generate的过去式和过去分词)
|
| So what we found in this study was that, surprisingly , pass phrases were not actually all that good. |
[12:30] |
|
surprisingly:adv.令人惊讶地;出乎意料地
|
| People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. |
[12:37] |
| So it's not really a clear win for pass phrases. |
[12:50] |
| Sorry, all of you xkcd fans. |
[12:53] |
| On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better. |
[12:56] |
| So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. |
[13:07] |
| They're the passwords that they created or the computer created for them for our study. |
[13:15] |
| And we wanted to know whether people would actually behave the same way with their real passwords. |
[13:20] |
|
behave:v.表现;(机器等)运转;举止端正;(事物)起某种作用;
|
| So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. |
[13:26] |
| Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze these passwords. |
[13:34] |
|
analyze:v.对…进行分析,分解(等于analyse);
|
| They audited our code. |
[13:53] |
|
audited:adj.受审查的;受审计的;v.审计;旁听(audit的过去分词);
|
| They ran the code. |
[13:54] |
| And so we never actually saw anybody's password. |
[13:55] |
| We got some interesting results, and those of you Tepper students in the back will be very interested in this. |
[14:00] |
| So we found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school . |
[14:06] |
|
affiliated:adj.附属的;有关连的;v.使隶属;加入;(affiliate的过去式和过去分词) business school:n.(大学里针对毕业生的)工商学院;
|
| We have lots of other really interesting demographic information as well. |
[14:18] |
|
demographic:adj.人口统计学的;人口学的;
|
| The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there was actually a lot of similarities , and so this helped validate our research method and show that actually, collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. |
[14:22] |
|
compared:adj.比较的,对照的; v.相比; (compare的过去式和过去分词) similarities:n.相仿性;类似性;相像处;(similarity的复数) validate:v.证实;确认;使生效;批准;认可;
|
| So that was good news. |
[14:41] |
| Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school. |
[14:43] |
|
insights:n.洞察力;眼力;深刻见解(insight的复数); sabbatical:adj.安息日的;n.休假(美国某些大学给大学教师每七年一次的);
|
| One of the things that I did is I made a number of quilts, and I made this quilt here. |
[14:51] |
| It's called Security Blanket . |
[14:55] |
|
Security Blanket:安全毯;带给人安全感的熟悉的物体;
|
| (Laughter) |
[14:57] |
| And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. |
[14:59] |
|
frequent:adj.频繁的;经常发生的;v.常到(某处);
|
| And the size of the passwords is proportional to how frequently they appeared in the stolen dataset . |
[15:07] |
|
proportional to:与…相称,与…成比例; frequently:adv.频繁地,经常地;时常,屡次; dataset:na.数据集;数传机;
|
| And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories . |
[15:13] |
|
categorized:adj.分类的;v.分类(categorize的过去式); loose:adj.宽松的; v.释放; v.松散地; n.放纵; thematic:adj.主题的,主旋律的;题目的;语干的; categories:n.(人或事物的)类别,种类(category的复数)
|
| And it was, in some cases, it was kind of difficult to figure out what category they should be in, and then I color-coded them. |
[15:22] |
|
category:n.种类,分类;[数]范畴; color-coded:颜色编码;
|
| So here are some examples of the difficulty. |
[15:30] |
| So justin. |
[15:33] |
| Is that the name of the user, their boyfriend, their son? |
[15:34] |
| Maybe they're a Justin Bieber fan. |
[15:37] |
| Or princess . |
[15:40] |
|
princess:n.王妃;(除女王或王后外的)王室女成员;(尤指)公主;王公贵族夫人;
|
| Is that a nickname ? |
[15:42] |
|
nickname:n.绰号;昵称;v.给…取绰号;叫错名字;
|
| Are they Disney princess fans? |
[15:44] |
|
Disney:n.迪斯尼(美国动画影片制作家及制片人);
|
| Or maybe that's the name of their cat. |
[15:45] |
| Iloveyou appears many times in many different languages. |
[15:49] |
| There's a lot of love in these passwords. |
[15:52] |
| If you look carefully, you'll see there's also some profanity , but it was really interesting to me to see that there's a lot more love than hate in these passwords. |
[15:56] |
|
profanity:n.亵圣:对神灵的亵渎:
|
| And there are animals, a lot of animals, and monkey is the most common animal and the 14th most popular password overall . |
[16:06] |
|
overall:v.全部; n.外套; adj.全面的;
|
| And this was really curious to me, and I wondered, Why are monkeys so popular? |
[16:15] |
| And so in our last password study, any time we detected somebody creating a password with the word monkey in it, we asked them why they had a monkey in their password. |
[16:20] |
|
detected:v.发现;查明;侦察出;(detect的过去分词和过去式)
|
| And what we found out -- we found 17 people so far, I think, who have the word monkey -- |
[16:31] |
| We found out about a third of them said they have a pet named monkey or a friend whose nickname is monkey, and about a third of them said that they just like monkeys and monkeys are really cute. |
[16:36] |
| And that guy is really cute. |
[16:47] |
| So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password |
[16:50] |
|
remind:v.提醒;使想起;
|
| or the account that we've created the password for, or whatever. |
[17:03] |
| Or we think about things that make us happy, and we create our password based on things that make us happy. |
[17:09] |
| And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. |
[17:15] |
| So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else. |
[17:24] |
|
inspirational:adj.鼓舞人心的;带有灵感的,给予灵感的;
|
| Thank you. |
[17:34] |
| (Applause) |
[17:35] |