
TEDxCMU

Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?


Filmed
Views 1,487,395

By studying thousands of passwords, Lorrie Faith Cranor has made many surprising discoveries about the mistakes that users and security-conscious websites routinely make, mistakes that weaken information security. You may ask how she studied thousands of passwords without endangering users' security; that is itself an interesting story. The secrets of these passwords are worth knowing, especially if your password is 123456.

Lorrie Faith Cranor, security researcher
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online.

00:12
I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security.

00:32
So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough.

00:58
At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol, you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary.

01:30
Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "Well, you know what? They didn't ask me." But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy. Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy. Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason they only have rules of thumb is it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others."

02:53
So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here." So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week?

03:30
So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them. We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords.

04:23
So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where could we find additional password data? So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data.

05:05
So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people, a penny, ten cents, a few dollars, to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answering a survey, and then we paid them again to come back two days later and log in using their password and answering another survey. So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. Then some people had a much harder policy, and this was very similar to the CMU policy, that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters.

06:20
All right, so now we had 5,000 passwords, and so we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.

06:54
So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. So they're going to start by guessing "password," and then they'll guess "I love you," and "monkey," and "12345678," because these are the passwords that are most likely for people to have. In fact, some of you probably have these passwords.

07:57
So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords.

08:39
Now here's the problem, though: Some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just say long passwords. There has to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type.

09:08
Another approach to getting people to have stronger passwords is to use a password meter. Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better? So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny. As you type a better password, the bunny dances faster and faster. So this was pretty fun.

09:44
What we found was that password meters do work. (Laughter) Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most of the password meters on the Internet today are too soft. They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you probably would have better passwords.

10:20
Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase "correct horse battery staple" would be a very strong pass phrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true or not. In fact, everybody who I talk to, who I mention I'm doing password research, they point out this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen.

11:07
So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. Now the reason we did this is that humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random. So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a pass phrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better. We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufritvi" and "vadasabi." That one kind of rolls off your tongue. So these were random passwords that were generated by our computer.

12:30
So what we found in this study was that, surprisingly, pass phrases were not actually all that good. People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for pass phrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better.

13:07
So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're the passwords that they created or the computer created for them for our study. And we wanted to know whether people would actually behave the same way with their real passwords. So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze these passwords. They audited our code. They ran the code. And so we never actually saw anybody's password.

14:00
We got some interesting results, and those of you Tepper students in the back will be very interested in this. So we found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school. We have lots of other really interesting demographic information as well. The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there was actually a lot of similarities, and so this helped validate our research method and show that actually, collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. So that was good news.

14:43
Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school. One of the things that I did is I made a number of quilts, and I made this quilt here. It's called "Security Blanket." (Laughter) And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. And the size of the passwords is proportional to how frequently they appeared in the stolen dataset. And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories. And it was, in some cases, it was kind of difficult to figure out what category they should be in, and then I color-coded them.

15:30
So here are some examples of the difficulty. So "justin." Is that the name of the user, their boyfriend, their son? Maybe they're a Justin Bieber fan. Or "princess." Is that a nickname? Are they Disney princess fans? Or maybe that's the name of their cat. "Iloveyou" appears many times in many different languages. There's a lot of love in these passwords. If you look carefully, you'll see there's also some profanity, but it was really interesting to me to see that there's a lot more love than hate in these passwords. And there are animals, a lot of animals, and "monkey" is the most common animal and the 14th most popular password overall. And this was really curious to me, and I wondered, "Why are monkeys so popular?" And so in our last password study, any time we detected somebody creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we found out -- we found 17 people so far, I think, who have the word "monkey" -- We found out about a third of them said they have a pet named "monkey" or a friend whose nickname is "monkey," and about a third of them said that they just like monkeys and monkeys are really cute. And that guy is really cute.

16:50
So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else. Thank you.

17:35
(Applause)
Translated by FBC Global
Reviewed by Xinhui Wang


About the speaker:

Lorrie Faith Cranor - Security researcher
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online.

Why you should listen

Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics.

Cranor plays a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P. She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review.
