Lorrie Faith Cranor: What's wrong with your pa$$w0rd?

139,276 views ・ 2014-06-24

TED



Translator: FBC GLOBAL    Reviewer: XINHUI WANG
00:12
I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security.

00:32
So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough.

00:58
At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol, you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary.

01:30
Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "Well, you know what? They didn't ask me." But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy. Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy.

02:18
Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason they only have rules of thumb is it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others."

02:53
So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here." So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week?

03:30
So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them.

04:06
We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords.

04:23
So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where could we find additional password data? So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data.

05:05
So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people, a penny, ten cents, a few dollars, to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answering a survey, and then we paid them again to come back two days later and log in using their password and answering another survey. So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. Then some people had a much harder policy, and this was very similar to the CMU policy, that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters.

06:20
All right, so now we had 5,000 passwords, and so we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.

06:54
So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. So they're going to start by guessing "password," and then they'll guess "I love you," and "monkey," and "12345678," because these are the passwords that are most likely for people to have. In fact, some of you probably have these passwords.

07:57
So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords.

08:39
Now here's the problem, though: Some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just say long passwords. There have to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type.

09:08
Another approach to getting people to have stronger passwords is to use a password meter. Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better? So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny. As you type a better password, the bunny dances faster and faster. So this was pretty fun.

09:44
What we found was that password meters do work.

09:49
(Laughter)

09:51
Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most of the password meters on the Internet today are too soft. They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you probably would have better passwords.

10:20
Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase "correct horse battery staple" would be a very strong pass phrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true or not. In fact, everybody who I talk to, who I mention I'm doing password research, they point out this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen.

11:07
So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. Now the reason we did this is that humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random. So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a pass phrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better. We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufritvi" and "vadasabi." That one kind of rolls off your tongue. So these were random passwords that were generated by our computer.

12:30
So what we found in this study was that, surprisingly, pass phrases were not actually all that good. People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for pass phrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better.

13:07
So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're the passwords that they created or the computer created for them for our study. And we wanted to know whether people would actually behave the same way with their real passwords. So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze these passwords. They audited our code. They ran the code. And so we never actually saw anybody's password.

14:00
We got some interesting results, and those of you Tepper students in the back will be very interested in this. So we found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school. We have lots of other really interesting demographic information as well. The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there were actually a lot of similarities, and so this helped validate our research method and show that actually, collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. So that was good news.

14:43
Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school. One of the things that I did is I made a number of quilts, and I made this quilt here. It's called "Security Blanket."

14:57
(Laughter)

14:59
And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. And the size of the passwords is proportional to how frequently they appeared in the stolen dataset. And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories. And it was, in some cases, it was kind of difficult to figure out what category they should be in, and then I color-coded them.

15:30
So here are some examples of the difficulty. So "justin." Is that the name of the user, their boyfriend, their son? Maybe they're a Justin Bieber fan. Or "princess." Is that a nickname? Are they Disney princess fans? Or maybe that's the name of their cat. "Iloveyou" appears many times in many different languages. There's a lot of love in these passwords. If you look carefully, you'll see there's also some profanity, but it was really interesting to me to see that there's a lot more love than hate in these passwords. And there are animals, a lot of animals, and "monkey" is the most common animal and the 14th most popular password overall.

16:15
And this was really curious to me, and I wondered, "Why are monkeys so popular?" And so in our last password study, any time we detected somebody creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we found out -- we found 17 people so far, I think, who have the word "monkey" -- we found out about a third of them said they have a pet named "monkey" or a friend whose nickname is "monkey," and about a third of them said that they just like monkeys and monkeys are really cute. And that guy is really cute.

16:50
So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else.

17:34
Thank you.

17:35
(Applause)