Lorrie Faith Cranor: What's wrong with your pa$$w0rd?

139,276 views ・ 2014-06-24

TED



Serbian subtitles: Translator: Jelena Relic, Reviewer: Ivana Korom
00:12
I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security.

00:32
So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough.

00:58
At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol; you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary.

01:30
Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "Well, you know what? They didn't ask me." But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy. Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy.

02:18
Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason they only have rules of thumb is it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others."

02:53
So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here." So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week?

03:30
So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them.
04:06
We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords.

04:23
So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where we could find additional password data. So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data.

05:05
So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people a penny, ten cents, a few dollars to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answer a survey, and then we paid them again to come back two days later and log in using their password and answer another survey. So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. Then some people had a much harder policy, and this was very similar to the CMU policy, in that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters.

06:20
All right, so now we had 5,000 passwords, and so we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.
06:54
So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. So they're going to start by guessing "password," and then they'll guess "I love you," and "monkey," and "12345678," because these are the passwords that are most likely for people to have. In fact, some of you probably have these passwords.

07:57
So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords.

08:39
Now here's the problem, though: some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just say long passwords. There have to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type.

09:08
Another approach to getting people to have stronger passwords is to use a password meter. Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better? So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny. As you type a better password, the bunny dances faster and faster. So this was pretty fun.

09:44
What we found was that password meters do work. (Laughter) Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most of the password meters on the Internet today are too soft. They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you probably would have better passwords.
10:20
Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase "correct horse battery staple" would be a very strong pass phrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true or not. In fact, everybody who I talk to, who I mention I'm doing password research to, they point out this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen.

11:07
So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. Now the reason we did this is that humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random. So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a pass phrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better. We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufritvi" and "vadasabi." That one kind of rolls off your tongue. So these were random passwords that were generated by our computer.

12:30
So what we found in this study was that, surprisingly, pass phrases were not actually all that good. People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for pass phrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better.

13:07
So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're the passwords that they created or the computer created for them for our study. And we wanted to know whether people would actually behave the same way with their real passwords. So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room
13:47
not connected to the Internet,
358
827898
1394
bez pristupa internetu
13:49
and they ran code on it that we wrote
359
829292
1848
i pokrenuli su kod koji smo mi napisali
13:51
to analyze these passwords.
360
831140
2152
kako bismo analizirali te šifre.
13:53
They audited our code.
361
833292
1326
Oni su kontrolisali naš kod.
13:54
They ran the code.
362
834618
1312
Oni su pokretali kod.
13:55
And so we never actually saw
363
835930
1738
Tako da mi zapravo
13:57
anybody's password.
364
837668
2817
nismo videli ničiju šifru.
14:00
We got some interesting results,
365
840485
1515
Dobili smo zanimljive rezultate,
14:02
and those of you Tepper students in the back
366
842000
1696
a vas studente poslovnih studija tamo pozadi
14:03
will be very interested in this.
367
843696
2875
će ovo posebno zanimati.
14:06
So we found that the passwords created
368
846571
3731
Otkrili smo da su šifre koje su napravili ljudi
14:10
by people affiliated with the school of computer science
369
850302
2158
povezani sa studijama računarstva
14:12
were actually 1.8 times stronger
370
852460
2324
bile zapravo 1,8 puta snažnije
14:14
than those affiliated with the business school.
371
854784
3738
nego one koje su pravili ljudi sa poslovnih studija.
14:18
We have lots of other really interesting
372
858522
2040
Imamo i mnogo drugih zaista interesantnih
14:20
demographic information as well.
373
860562
2238
demografskih podataka.
14:22
The other interesting thing that we found
374
862800
1846
Druga zanimljiva stvar koju smo otkrili
14:24
is that when we compared the Carnegie Mellon passwords
375
864646
2440
je da kada uporedimo šifre sa Karnegi Melona
14:27
to the Mechanical Turk-generated passwords,
376
867086
2283
sa šiframa koje smo sakupili na Mechanical Turku
14:29
there was actually a lot of similarities,
377
869369
2619
zapravo primetimo dosta sličnosti,
14:31
and so this helped validate our research method
378
871988
1948
što nam je pomoglo da utvrdimo valjanost naše metode
14:33
and show that actually, collecting passwords
379
873936
2510
i pokazalo da je sakupljanje šifri
14:36
using these Mechanical Turk studies
380
876446
1808
pomoću Mechanical Turk-a
14:38
is actually a valid way to study passwords.
381
878254
2788
zapravo valjan način proučavanja šifri.
14:41
So that was good news.
382
881042
2285
To su dobre vesti.
14:43
Okay, I want to close by talking about
383
883327
2414
U redu, želim da završim pričajući
14:45
some insights I gained while on sabbatical
384
885741
2068
o nekim uvidima koje sam stekla prošle godine
14:47
last year in the Carnegie Mellon art school.
385
887809
3201
dok sam bila na odsustvu u Karnegi Melon umetničkoj akademiji.
14:51
One of the things that I did
386
891010
1281
Između ostalog,
14:52
is I made a number of quilts,
387
892291
1524
napravila sam brojne "tapiserije"
14:53
and I made this quilt here.
388
893815
1548
i napravila sam ovu ovde.
14:55
It's called "Security Blanket."
389
895363
1899
Zove se "Ćilim sigurnosti".
14:57
(Laughter)
390
897262
2431
(Smeh)
14:59
And this quilt has the 1,000
391
899693
3095
A u sebi sadrži 1000
15:02
most frequent passwords stolen
392
902788
2328
najčešće ukradenih šifri
15:05
from the RockYou website.
393
905116
2571
sa internet sajta RockYou.
15:07
And the size of the passwords is proportional
394
907687
2061
Veličina šifre je proporcionalna
15:09
to how frequently they appeared
395
909748
1901
tome koliko su se često pojavljivale
15:11
in the stolen dataset.
396
911649
2248
među ukradenim podacima.
15:13
And what I did is I created this word cloud,
397
913897
2632
A ja sam napravila ovaj "oblak reči"
15:16
and I went through all 1,000 words,
398
916529
2132
i pregledala svih 1000 reči
15:18
and I categorized them into
399
918661
1795
pa ih svrstala
15:20
loose thematic categories.
400
920456
2380
u opštije tematske celine.
15:22
And it was, in some cases,
401
922836
1903
U nekim slučajevima je bilo
15:24
it was kind of difficult to figure out
402
924739
2038
prilično teško odlučiti
15:26
what category they should be in,
403
926777
1755
kojoj kategoriji treba da pripadaju
15:28
and then I color-coded them.
404
928532
1899
pa sam ih onda obeležila po bojama.
15:30
So here are some examples of the difficulty.
405
930431
2619
Evo nekih takvih primera.
15:33
So "justin."
406
933050
1181
Recimo, "džastin".
15:34
Is that the name of the user,
407
934231
1829
Da li je to ime korisnika,
15:36
their boyfriend, their son?
408
936060
1322
njihovog dečka, sina?
15:37
Maybe they're a Justin Bieber fan.
409
937382
2888
Možda su samo fanovi Džastina Bibera.
15:40
Or "princess."
410
940270
2225
Ili "princeza".
15:42
Is that a nickname?
411
942495
1635
Da li je to nadimak?
15:44
Are they Disney princess fans?
412
944130
1595
Da li vole Dizni princeze?
15:45
Or maybe that's the name of their cat.
413
945725
3694
Ili je to možda ime njihove mačke.
15:49
"Iloveyou" appears many times
414
949419
1655
"Volimte" se pojavljuje mnogo puta
15:51
in many different languages.
415
951074
1545
na mnogo različitih jezika.
15:52
There's a lot of love in these passwords.
416
952619
3735
Ima mnogo ljubavi u ovim šiframa.
Ako pogledate pažljivo, videćete da ima takođe
15:56
If you look carefully, you'll see there's also
417
956354
1680
15:58
some profanity,
418
958034
2267
i nekih vulgarnosti
16:00
but it was really interesting to me to see
419
960301
1950
ali mi je bilo stvarno zanimljivo to
16:02
that there's a lot more love than hate
420
962251
2307
što ima mnogo više ljubavi nego mržnje
16:04
in these passwords.
421
964558
2292
u ovim šiframa.
16:06
And there are animals,
422
966850
1490
I ima životinja,
16:08
a lot of animals,
423
968340
1360
mnogo životinja,
16:09
and "monkey" is the most common animal
424
969700
2304
a majmun je najčešća životinja
16:12
and the 14th most popular password overall.
425
972004
3675
i uopšteno 14. šifra po popularnosti.
16:15
And this was really curious to me,
426
975679
2231
Ovo mi je bilo veoma neobično
16:17
and I wondered, "Why are monkeys so popular?"
427
977910
2523
i upitala sam se: "Zašto su majmuni toliko popularni?"
16:20
And so in our last password study,
428
980433
3352
U našem poslednjem istraživanju o šiframa,
16:23
any time we detected somebody
429
983785
1686
kad god bismo naišli na nekog
16:25
creating a password with the word "monkey" in it,
430
985471
2649
ko pravi šifru koja sadrži reč "majmun",
16:28
we asked them why they had a monkey in their password.
431
988120
3030
pitali smo ga zašto ubacuje reč "majmun" u svoju šifru.
16:31
And what we found out --
432
991150
1910
Ono što smo saznali,
16:33
we found 17 people so far, I think,
433
993060
2103
a našli smo, ja mislim, 17 ljudi do sada
16:35
who have the word "monkey" --
434
995163
1283
koji imaju reč "majmun",
16:36
We found out about a third of them said
435
996446
1812
bilo je da je oko trećina njih rekla
16:38
they have a pet named "monkey"
436
998258
1740
da imaju ljubimca koji se zove "majmun"
16:39
or a friend whose nickname is "monkey,"
437
999998
2291
ili prijatelja čiji je nadimak "majmun",
16:42
and about a third of them said
438
1002289
1660
a otprilike trećina ljudi je rekla
16:43
that they just like monkeys
439
1003949
1533
da jednostavno vole majmune
16:45
and monkeys are really cute.
440
1005482
1638
i da su majmuni jako slatki.
16:47
And that guy is really cute.
441
1007120
3639
I ovaj mališa je stvarno sladak.
16:50
So it seems that at the end of the day,
442
1010759
3408
Na kraju krajeva, čini se
16:54
when we make passwords,
443
1014167
1783
da kada pravimo šifre,
16:55
we either make something that's really easy
444
1015950
1974
napravimo ili nešto što je
16:57
to type, a common pattern,
445
1017924
3009
veoma lako za iskucati, nešto uobičajeno,
17:00
or things that remind us of the word password
446
1020933
2486
ili stvari koje nas podsećaju na reč "šifra"
17:03
or the account that we've created the password for,
447
1023419
3312
ili na nalog za koji smo napravili šifru
17:06
or whatever.
448
1026731
2617
ili šta god.
17:09
Or we think about things that make us happy,
449
1029348
2642
Ili možda pomislimo na stvari koje nas čine srećnim
17:11
and we create our password
450
1031990
1304
i pravimo svoju šifru
17:13
based on things that make us happy.
451
1033294
2238
na osnovu stvari koje nas čine srećnim.
17:15
And while this makes typing
452
1035532
2863
I dok ovo čini kucanje
17:18
and remembering your password more fun,
453
1038395
2870
i pamćenje vaše šifre zabavnijim,
17:21
it also makes it a lot easier
454
1041265
1807
ujedno čini šifru i mnogo lakšom
17:23
to guess your password.
455
1043072
1506
za pogađanje.
17:24
So I know a lot of these TED Talks
456
1044578
1748
Znam da su mnogi od ovih TED govora
17:26
are inspirational
457
1046326
1634
nadahnjujući
17:27
and they make you think about nice, happy things,
458
1047960
2461
i čine da mislite o lepim stvarima,
17:30
but when you're creating your password,
459
1050421
1897
ali kada pravite svoju šifru
17:32
try to think about something else.
460
1052318
1991
probajte da razmišljate o nečemu drugom.
17:34
Thank you.
461
1054309
1107
Hvala. (Aplauz)
17:35
(Applause)
462
1055416
553