Lorrie Faith Cranor: What's wrong with your pa$$w0rd?

139,435 views ・ 2014-06-24

TED



Translator: Hsinju Chen  Reviewer: Justine Bai
00:12
I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security.

00:32
So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough.

00:58
At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol, you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary.

01:30
Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "Well, you know what? They didn't ask me."

01:44
But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy.

02:09
Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy. Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason they only have rules of thumb is it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others."

02:53
So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here."

03:06
So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week?

03:30
So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them.

04:06
We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords.

04:23
So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where could we find additional password data?

04:37
So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data.

05:05
So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people, a penny, ten cents, a few dollars, to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answering a survey, and then we paid them again to come back two days later and log in using their password and answering another survey.

05:40
So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. Then some people had a much harder policy, and this was very similar to the CMU policy, that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters.

06:20
All right, so now we had 5,000 passwords, and so we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.

06:54
So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. So they're going to start by guessing "password," and then they'll guess "I love you," and "monkey," and "12345678," because these are the passwords that are most likely for people to have. In fact, some of you probably have these passwords.

07:57
So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords.

08:39
Now here's the problem, though: Some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just say long passwords. There has to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type.

09:08
Another approach to getting people to have stronger passwords is to use a password meter. Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better?

09:28
So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny. As you type a better password, the bunny dances faster and faster. So this was pretty fun.

09:44
What we found was that password meters do work. (Laughter) Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most of the password meters on the Internet today are too soft. They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you probably would have better passwords.

10:20
Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase "correct horse battery staple" would be a very strong pass phrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true or not. In fact, everybody who I talk to, who I mention I'm doing password research, they point out this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen.

11:07
So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. Now the reason we did this is that humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random.

11:24
So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a pass phrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better.

12:01
We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufritvi" and "vadasabi." That one kind of rolls off your tongue. So these were random passwords that were generated by our computer.

12:30
So what we found in this study was that, surprisingly, pass phrases were not actually all that good. People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for pass phrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better.

13:07
So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're the passwords that they created or the computer created for them for our study. And we wanted to know whether people would actually behave the same way with their real passwords.

13:26
So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze these passwords. They audited our code. They ran the code. And so we never actually saw anybody's password.

14:00
We got some interesting results, and those of you Tepper students in the back will be very interested in this. So we found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school. We have lots of other really interesting demographic information as well.

14:22
The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there were actually a lot of similarities, and so this helped validate our research method and show that actually, collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. So that was good news.

14:43
Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school. One of the things that I did is I made a number of quilts, and I made this quilt here. It's called "Security Blanket." (Laughter)

14:59
And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. And the size of the passwords is proportional to how frequently they appeared in the stolen dataset. And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories. And it was, in some cases, it was kind of difficult to figure out what category they should be in, and then I color-coded them. So here are some examples of the difficulty.

15:33
So "justin." Is that the name of the user, their boyfriend, their son? Maybe they're a Justin Bieber fan. Or "princess." Is that a nickname? Are they Disney princess fans? Or maybe that's the name of their cat. "Iloveyou" appears many times in many different languages. There's a lot of love in these passwords. If you look carefully, you'll see there's also some profanity, but it was really interesting to me to see that there's a lot more love than hate in these passwords. And there are animals, a lot of animals, and "monkey" is the most common animal and the 14th most popular password overall. And this was really curious to me, and I wondered, "Why are monkeys so popular?"

16:20
And so in our last password study, any time we detected somebody creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we found out -- we found 17 people so far, I think, who have the word "monkey" -- we found out about a third of them said they have a pet named "monkey" or a friend whose nickname is "monkey," and about a third of them said that they just like monkeys and monkeys are really cute. And that guy is really cute.

16:50
So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password.

17:24
So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else. Thank you. (Applause)
