TEDxCMU
Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?
羅蕊·奎諾: 你的密碼出了什麼問題?
Filmed:
Readability: 4.5
1,566,161 views
羅蕊·奎諾研究上千個密碼來了解人們以及安全網站在設立密碼時常犯的錯誤。你也許會問:她取得這些真實密碼的同時是否累及使用者的安全?這份秘密資料十分值得了解,尤其適合密碼為123456的人。
Lorrie Faith Cranor - Security researcher
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online. Full bio
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online. Full bio
Double-click the English transcript below to play the video.
00:12
I am a computer science and engineering
professor here at Carnegie Mellon,
professor here at Carnegie Mellon,
0
535
3445
我是卡內基美隆大學(Carnegie Mellon)
電腦科學及工程的教授
電腦科學及工程的教授
00:15
and my research focuses on
usable privacy and security,
usable privacy and security,
1
3980
4248
我研究的專長是有用的隱私權和安全性
00:20
and so my friends like to give me examples
2
8228
2768
所以我的朋友們喜歡提供我一些例子
00:22
of their frustrations with computing systems,
3
10996
2202
使用電腦系統時遇到的挫折
00:25
especially frustrations related to
4
13198
3354
尤其是
00:28
unusable privacy and security.
5
16552
4112
碰到不能用的隱私權和安全性
00:32
So passwords are something that I hear a lot about.
6
20664
2711
密碼就是常見的例子
00:35
A lot of people are frustrated with passwords,
7
23375
2880
很多人對密碼設定感到挫折
00:38
and it's bad enough
8
26255
1694
尤其是
00:39
when you have to have one really good password
9
27949
2644
當你需要一組很好用的密碼
00:42
that you can remember
10
30593
1822
你自己記得住
00:44
but nobody else is going to be able to guess.
11
32415
2894
但沒人猜的到
00:47
But what do you do when you have accounts
12
35309
1637
但當你好幾個帳戶
00:48
on a hundred different systems
13
36946
1808
都在不同的系統環境上
00:50
and you're supposed to have a unique password
14
38754
2276
而每個帳戶都要有個獨特的密碼
00:53
for each of these systems?
15
41030
3037
你要怎麼辦呢?
00:56
It's tough.
16
44067
2184
那不容易
00:58
At Carnegie Mellon, they used to make it
17
46251
1759
卡內基美隆大學
01:00
actually pretty easy for us
18
48010
1299
過去設定密碼很簡單
01:01
to remember our passwords.
19
49309
1737
我們很容易記住
01:03
The password requirement up through 2009
20
51046
2403
到2009年以前
01:05
was just that you had to have a password
21
53449
2379
密碼設定只要求
01:07
with at least one character.
22
55828
2211
至少一個字元
01:10
Pretty easy. But then they changed things,
23
58039
2888
非常簡單 但後來他們改變了規則
01:12
and at the end of 2009, they announced
24
60927
2670
到了2009年底
01:15
that we were going to have a new policy,
25
63597
2376
他們公布了一項新規定
01:17
and this new policy required
26
65973
1863
新規定要求
01:19
passwords that were at least eight characters long,
27
67836
2681
密碼至少要有八個字元
01:22
with an uppercase letter, lowercase letter,
28
70517
1775
包括一個大寫字母 一個小寫字母
01:24
a digit, a symbol,
29
72292
1288
一個數字 一個符號
01:25
you couldn't use the same
character more than three times,
character more than three times,
30
73580
2638
相同字元不能超過三次
01:28
and it wasn't allowed to be in a dictionary.
31
76218
2434
不可是字典查得到的
01:30
Now, when they implemented this new policy,
32
78652
2182
現在他們實施新規定
01:32
a lot of people, my colleagues and friends,
33
80834
2310
我的同事 朋友 還有很多人
01:35
came up to me and they said, "Wow,
34
83144
1854
告訴我 說: 哇
01:36
now that's really unusable.
35
84998
1512
現在真的變得好難用
01:38
Why are they doing this to us,
36
86510
1193
他們為何這麼做
01:39
and why didn't you stop them?"
37
87703
1711
妳怎麼不阻止他們?
01:41
And I said, "Well, you know what?
38
89414
1356
我說: 你知道嗎?
01:42
They didn't ask me."
39
90770
1508
他們沒問我
01:44
But I got curious, and I decided to go talk
40
92278
3465
可我也很好奇 所以決定要跟那些
01:47
to the people in charge of our computer systems
41
95743
1937
管理我們電腦系統的人談談
01:49
and find out what led them to introduce
42
97680
2831
了解到底什麼原因
01:52
this new policy,
43
100511
1848
讓他們導入這新政策
01:54
and they said that the university
44
102359
1584
他們說卡內基美隆大學
01:55
had joined a consortium of universities,
45
103943
2366
加入了大學聯盟
01:58
and one of the requirements of membership
46
106309
2634
成為會員的條件包括
02:00
was that we had to have stronger passwords
47
108943
2248
提高密碼的安全性
02:03
that complied with some new requirements,
48
111191
2272
好符合新的規定
02:05
and these requirements were that our passwords
49
113463
2104
新規定要求密碼
02:07
had to have a lot of entropy.
50
115567
1604
必須要有很多熵值
02:09
Now entropy is a complicated term,
51
117171
2278
現在這熵值是個很複雜的名詞
02:11
but basically it measures the strength of passwords.
52
119449
2798
基本上它可衡量密碼的強度
02:14
But the thing is, there isn't actually
53
122247
1979
可事實上
02:16
a standard measure of entropy.
54
124226
1949
熵值沒有衡量的標準
02:18
Now, the National Institute
of Standards and Technology
of Standards and Technology
55
126175
2399
現在 國家標準與技術研究所
02:20
has a set of guidelines
56
128574
1553
有整套指引
02:22
which have some rules of thumb
57
130127
2568
指引裡有一些經驗法則
02:24
for measuring entropy,
58
132695
1440
用於測量熵值
02:26
but they don't have anything too specific,
59
134135
2895
但他們沒有什麼太具體的東西
02:29
and the reason they only have rules of thumb
60
137030
2337
他們會只有經驗法則
02:31
is it turns out they don't actually have any good data
61
139367
3136
因為他們其實沒有很精確的
02:34
on passwords.
62
142503
1520
密碼數據
02:36
In fact, their report states,
63
144023
2312
實際上他們的報告指出:
02:38
"Unfortunately, we do not have much data
64
146335
2328
不幸的是我們數據不多
02:40
on the passwords users
choose under particular rules.
choose under particular rules.
65
148663
2842
特別是 密碼使用者在特定規則下選擇密碼
02:43
NIST would like to obtain more data
66
151505
2333
NIST想獲得更多
02:45
on the passwords users actually choose,
67
153838
2462
使用者選擇密碼的資料
02:48
but system administrators
are understandably reluctant
are understandably reluctant
68
156300
2463
但系統管理員當然不願意
02:50
to reveal password data to others."
69
158763
2940
透露密碼資料給其他人
02:53
So this is a problem, but our research group
70
161703
3097
所以這是個問題 但我們的研究小組
02:56
looked at it as an opportunity.
71
164800
2140
視它作為一個機會
02:58
We said, "Well, there's a need
for good password data.
for good password data.
72
166940
3100
我們說 好的密碼資料是有必要的
03:02
Maybe we can collect some good password data
73
170040
2148
也許我們可以收集一些好的密碼資料
03:04
and actually advance the state of the art here.
74
172188
2704
有助於提昇技術現況
03:06
So the first thing we did is,
75
174892
1672
所以 我們做的第一件事是
03:08
we got a bag of candy bars
76
176564
1556
我們拿了一包糖果
03:10
and we walked around campus
77
178120
1086
在校園裡
03:11
and talked to students, faculty and staff,
78
179206
2798
跟學生 教師和工作人員解釋
03:14
and asked them for information
79
182004
1530
並跟他們要求取得
03:15
about their passwords.
80
183534
1552
關於他們設定密碼的資訊
03:17
Now we didn't say, "Give us your password."
81
185086
3004
我們並不是說 請給我們您的密碼
03:20
No, we just asked them about their password.
82
188090
2661
我們只是詢問
03:22
How long is it? Does it have a digit?
83
190751
1478
他們的密碼多長?有一個數字嗎?
03:24
Does it have a symbol?
84
192229
1068
有一個符號嗎?
03:25
And were you annoyed at having to create
85
193297
2045
上星期要重設的新密碼
03:27
a new one last week?
86
195342
2744
會不會讓你覺得很煩?
03:30
So we got results from 470 students,
87
198086
3206
因此 我們得到了來自470位
03:33
faculty and staff,
88
201292
971
學生 教師和工作人員的回饋
03:34
and indeed we confirmed that the new policy
89
202263
2514
事實上我們也證實了新的政策
03:36
was very annoying,
90
204777
1453
實在令人討厭
03:38
but we also found that people said
91
206230
1792
但我們也發現 有人說
03:40
they felt more secure with these new passwords.
92
208022
3130
他們認為這些新密碼更安全
03:43
We found that most people knew
93
211152
2306
我們發現大多數人都知道
03:45
they were not supposed to
write their password down,
write their password down,
94
213458
2152
不應該把密碼寫下來
03:47
and only 13 percent of them did,
95
215610
2391
而其中只有13%的人有把密碼寫下來
03:50
but disturbingly, 80 percent of people
96
218001
2416
但令人不安的是
03:52
said they were reusing their password.
97
220417
2124
80%的人表示他們重複使用他們的密碼
03:54
Now, this is actually more dangerous
98
222541
1796
這其實比寫下密碼
03:56
than writing your password down,
99
224337
2022
來得更危險
03:58
because it makes you much
more susceptible to attackers.
more susceptible to attackers.
100
226359
3561
因為你更容易受到駭客攻擊
04:01
So if you have to, write your passwords down,
101
229920
3118
所以 必要時寫下密碼
04:05
but don't reuse them.
102
233038
1799
但不要重複使用
04:06
We also found some interesting things
103
234837
1751
我們還發現了一些有趣的事情
04:08
about the symbols people use in passwords.
104
236588
2961
關於密碼中的符號
04:11
So CMU allows 32 possible symbols,
105
239549
2799
CMU允許使用的符號有32個
04:14
but as you can see, there's only a small number
106
242348
2433
但正如你所見 只有少數符號
04:16
that most people are using,
107
244781
1802
常常被使用
04:18
so we're not actually getting very much strength
108
246583
2941
所以實際上 我們密碼也沒有變得更強
04:21
from the symbols in our passwords.
109
249524
2466
因為密碼裡有了符號
04:23
So this was a really interesting study,
110
251990
2711
這是一個非常有趣的研究
04:26
and now we had data from 470 people,
111
254701
2464
現在我們有470人的資料
04:29
but in the scheme of things,
112
257165
1305
但對這項計劃而言
04:30
that's really not very much password data,
113
258470
2580
這些數據不算多
04:33
and so we looked around to see
114
261050
1445
所以我們想周圍
04:34
where could we find additional password data?
115
262495
2560
那裡可以找到更多密碼資料?
04:37
So it turns out there are a lot of people
116
265055
2176
後來我們發現 原來有很多人
04:39
going around stealing passwords,
117
267231
2202
到處去竊取密碼
04:41
and they often go and post these passwords
118
269433
2477
然後在網路上
04:43
on the Internet.
119
271910
1337
發佈這些密碼
04:45
So we were able to get access
120
273247
1673
我們取得
04:46
to some of these stolen password sets.
121
274920
3970
其中一些被盜的密碼
04:50
This is still not really ideal for research, though,
122
278890
2328
雖然這對研究來說不是很理想
04:53
because it's not entirely clear
123
281218
2037
因為我們不清楚
04:55
where all of these passwords came from,
124
283255
2184
這些密碼從哪裡來
04:57
or exactly what policies were in effect
125
285439
2242
還是他們設密碼時
04:59
when people created these passwords.
126
287681
2108
採取了什麼樣的策略
05:01
So we wanted to find some better source of data.
127
289789
3552
因此 我們希望找到
較好的資料來源
較好的資料來源
05:05
So we decided that one thing we could do
128
293341
1634
所以我們發現可以做一件事
05:06
is we could do a study and have people
129
294975
2129
我們打算展開研究計畫
05:09
actually create passwords for our study.
130
297104
3240
讓人們實際來設定密碼
05:12
So we used a service called
Amazon Mechanical Turk,
Amazon Mechanical Turk,
131
300344
2821
我們使用了"亞馬遜機器游牧民族"提供的服務
05:15
and this is a service where you can post
132
303165
2334
這是一種群眾外包服務平台
05:17
a small job online that takes a minute,
133
305499
2304
在那裡 你可以張貼微型線上工作資訊
05:19
a few minutes, an hour,
134
307803
1500
只需要幾分種 一小時就能完成
05:21
and pay people, a penny, ten cents, a few dollars,
135
309303
2584
然後付些錢
05:23
to do a task for you,
136
311887
1346
給幫你完成工作的人
05:25
and then you pay them through Amazon.com.
137
313233
2122
然後透過Amazon.com付費給他們
05:27
So we paid people about 50 cents
138
315355
2294
我們一共付了約50分美元
05:29
to create a password following our rules
139
317649
2596
讓人根據我們的規則 設立密碼
05:32
and answering a survey,
140
320245
1410
並回答問卷
05:33
and then we paid them again to come back
141
321655
2525
然後 再付給他們一筆錢
請他們兩天後回來
請他們兩天後回來
05:36
two days later and log in
142
324180
2071
用他們的密碼登錄
05:38
using their password and answering another survey.
143
326251
2574
再回答另一份問卷
05:40
So we did this, and we collected 5,000 passwords,
144
328825
4464
就這樣我們收集了5,000個密碼
05:45
and we gave people a bunch of different policies
145
333289
2695
要求他們依不同規則
05:47
to create passwords with.
146
335984
1508
設立密碼
05:49
So some people had a pretty easy policy,
147
337492
1910
有些人的規則很簡單
05:51
we call it Basic8,
148
339402
1539
我們叫它Basic8
05:52
and here the only rule was that your password
149
340941
2146
它只要求
05:55
had to have at least eight characters.
150
343087
3416
密碼至少有八個字元
05:58
Then some people had a much harder policy,
151
346503
2251
有些人的規則就比較困難
06:00
and this was very similar to the CMU policy,
152
348754
2537
跟卡內基美隆大學的作法很像
06:03
that it had to have eight characters
153
351291
1934
它必須有8個字元
06:05
including uppercase, lowercase, digit, symbol,
154
353225
2376
包括大寫 小寫 數字 符號
06:07
and pass a dictionary check.
155
355601
2389
並通過字典檢查
06:09
And one of the other policies we tried,
156
357990
1335
我們試過其中的規則之一
06:11
and there were a whole bunch more,
157
359325
1270
並還有更多
06:12
but one of the ones we tried was called Basic16,
158
360595
2240
但其中一種稱為Basic16
06:14
and the only requirement here
159
362835
2632
唯一的要求是
06:17
was that your password had
to have at least 16 characters.
to have at least 16 characters.
160
365467
3153
密碼至少有16個字元
06:20
All right, so now we had 5,000 passwords,
161
368620
2458
所以現在我們有5,000個密碼
06:23
and so we had much more detailed information.
162
371078
3563
還有詳細的資訊
06:26
Again we see that there's only a small number
163
374641
2559
我們又看到
06:29
of symbols that people are actually using
164
377200
1915
只有少數的符號
06:31
in their passwords.
165
379115
1886
被使用在密碼中
06:33
We also wanted to get an idea of how strong
166
381001
2599
我們也希望知道
06:35
the passwords were that people were creating,
167
383600
2771
人們設立的密碼的強度
06:38
but as you may recall, there isn't a good measure
168
386371
2620
但你可能還記得 還沒有一個很好的
06:40
of password strength.
169
388991
1754
衡量密碼強度的方法
06:42
So what we decided to do was to see
170
390745
2312
所以我們決定要看看
06:45
how long it would take to crack these passwords
171
393057
2370
使用駭客用的破解工具
06:47
using the best cracking tools
172
395427
1414
或是使用
06:48
that the bad guys are using,
173
396841
1808
我們在文獻可以找的到的資訊
06:50
or that we could find information about
174
398649
2016
需要多長時間
06:52
in the research literature.
175
400665
1537
來破解這些密碼
06:54
So to give you an idea of how bad guys
176
402202
2758
因此 讓你們來看看駭客
06:56
go about cracking passwords,
177
404960
2170
如何破解密碼
06:59
they will steal a password file
178
407130
1951
他們竊取密碼檔案
07:01
that will have all of the passwords
179
409081
2153
這檔案中的密碼
07:03
in kind of a scrambled form, called a hash,
180
411234
2889
呈現混亂形式 稱為散列
07:06
and so what they'll do is they'll make a guess
181
414123
2562
他們會用猜測的方式
07:08
as to what a password is,
182
416685
1712
來猜測密碼
07:10
run it through a hashing function,
183
418397
1897
再用散列函數程式跑過
07:12
and see whether it matches
184
420294
1765
看是否能在他們偷來的密碼中
07:14
the passwords they have on
their stolen password list.
their stolen password list.
185
422059
3950
找到相同密碼
07:18
So a dumb attacker will try every password in order.
186
426009
3105
所以 一個愚蠢駭客會將密碼一個一個順序試
07:21
They'll start with AAAAA and move on to AAAAB,
187
429114
3568
從AAAAA開始 到AAAAB
07:24
and this is going to take a really long time
188
432682
2418
這要花很長的時間
07:27
before they get any passwords
189
435100
1526
才能得到有可能
07:28
that people are really likely to actually have.
190
436626
2697
人們真正設置的密碼
07:31
A smart attacker, on the other hand,
191
439323
2183
另一方面 一個聰明的駭客
07:33
does something much more clever.
192
441506
1386
作法就聰明些
07:34
They look at the passwords
193
442892
1826
他們猜測密碼時
07:36
that are known to be popular
194
444718
1800
先試
07:38
from these stolen password sets,
195
446518
1727
從這些偷來的密碼組中
07:40
and they guess those first.
196
448245
1189
常用的密碼
07:41
So they're going to start by guessing "password,"
197
449434
2134
因此 他們要開始猜測“密碼”時
07:43
and then they'll guess "I love you," and "monkey,"
198
451568
2751
他們會先猜 “我愛你” 和 “猴子”
07:46
and "12345678,"
199
454319
2583
和“12345678”
07:48
because these are the passwords
200
456902
1312
因為這些密碼
07:50
that are most likely for people to have.
201
458214
1905
是最多人用
07:52
In fact, some of you probably have these passwords.
202
460119
3261
事實上 你們可能也有這些密碼
07:57
So what we found
203
465191
1298
所以 我們發現
07:58
by running all of these 5,000 passwords we collected
204
466489
3406
用我們收集的5,000個密碼
08:01
through these tests to see how strong they were,
205
469895
4106
用這些測試 看看他們的強度是如何
08:06
we found that the long passwords
206
474001
2752
我們發現
08:08
were actually pretty strong,
207
476753
1280
長密碼通常強度很高
08:10
and the complex passwords were pretty strong too.
208
478033
3262
而複雜的密碼也相當強
08:13
However, when we looked at the survey data,
209
481295
2442
然而 當我們看到這調查數據
08:15
we saw that people were really frustrated
210
483737
3024
我們看到人們對非常複雜的密碼
08:18
by the very complex passwords,
211
486761
2339
很有挫折感
08:21
and the long passwords were a lot more usable,
212
489100
2630
長的密碼會實用很多
08:23
and in some cases, they were actually
213
491730
1325
在某些情況下
08:25
even stronger than the complex passwords.
214
493055
2908
他們比複雜密碼更強
08:27
So this suggests that,
215
495963
1169
這告訴我們
08:29
instead of telling people that they need
216
497132
1703
比較好是告訴人們使用長密碼
08:30
to put all these symbols and numbers
217
498835
1522
而不是告訴人們
08:32
and crazy things into their passwords,
218
500357
2842
他們要把這些符號和數字
08:35
we might be better off just telling people
219
503199
2022
和瘋狂的東西
08:37
to have long passwords.
220
505221
2652
放進自己的密碼中
08:39
Now here's the problem, though:
221
507873
1792
現在 有個問題:
08:41
Some people had long passwords
222
509665
2255
有些人有長密碼
08:43
that actually weren't very strong.
223
511920
1555
但其實並不是很強
08:45
You can make long passwords
224
513475
1997
你可以有長的密碼
08:47
that are still the sort of thing
225
515472
1556
仍是那些
08:49
that an attacker could easily guess.
226
517028
1742
駭客可以很容易地猜到的密碼
08:50
So we need to do more than
just say long passwords.
just say long passwords.
227
518770
3365
所以我們需要的不只是長密碼
08:54
There has to be some additional requirements,
228
522135
1936
還有一些其他的要求
08:56
and some of our ongoing research is looking at
229
524071
2969
我們正在進行的一些研究
08:59
what additional requirements we should add
230
527040
2439
是在尋找應該加入什麼樣的要求
09:01
to make for stronger passwords
231
529479
2104
讓密碼強度更高
09:03
that also are going to be easy for people
232
531583
2312
並且很容易
09:05
to remember and type.
233
533895
2698
讓人記住和輸入
09:08
Another approach to getting people to have
234
536593
2126
讓人們設置強度高密碼的另一種方法
09:10
stronger passwords is to use a password meter.
235
538719
2257
是使用一個密碼強度測量表
09:12
Here are some examples.
236
540976
1385
下面是一些例子
09:14
You may have seen these on the Internet
237
542361
1401
當你在網路上設立密碼時
09:15
when you were creating passwords.
238
543762
3057
你可能已經看過這些
09:18
We decided to do a study to find out
239
546819
2248
我們決定做研究找出
09:21
whether these password meters actually work.
240
549067
2887
這些密碼強度測量表是否真的有用
09:23
Do they actually help people
241
551954
1421
它們是否真的
09:25
have stronger passwords,
242
553375
1453
有助於設立強的密碼
09:26
and if so, which ones are better?
243
554828
2086
若有的話 哪個更好?
09:28
So we tested password meters that were
244
556914
2507
所以我們在密碼旁
09:31
different sizes, shapes, colors,
245
559421
2098
加入不同的大小 形狀 顏色的
09:33
different words next to them,
246
561519
1416
密碼強度測量表
09:34
and we even tested one that was a dancing bunny.
247
562935
3275
我們甚至用一個跳舞的兔子
09:38
As you type a better password,
248
566210
1582
當你輸入一個較好的密碼
09:39
the bunny dances faster and faster.
249
567792
2539
兔子會跳舞跳得越來越快
09:42
So this was pretty fun.
250
570331
2529
這很有趣
09:44
What we found
251
572860
1567
我們發現
09:46
was that password meters do work.
252
574427
3572
密碼強度測量表真的有用
09:49
(Laughter)
253
577999
1801
(笑聲)
09:51
Most of the password meters were actually effective,
254
579800
3333
大部分的密碼測量表都真的有效
09:55
and the dancing bunny was very effective too,
255
583133
2521
跳舞的兔子也很有效
09:57
but the password meters that were the most effective
256
585654
2881
最有效的密碼測量表
10:00
were the ones that made you work harder
257
588535
2355
再給你大拇指讚之前
10:02
before they gave you that thumbs up and said
258
590890
1980
告訴你做的好之前
10:04
you were doing a good job,
259
592870
1377
你已做了很多工做
10:06
and in fact we found that most
260
594247
1512
而事實上 我們發現
10:07
of the password meters on the Internet today
261
595759
2281
目前網路上大部分的
10:10
are too soft.
262
598040
952
測量表都太弱
10:10
They tell you you're doing a good job too early,
263
598992
2203
他們都太早告訴你 你做的好
10:13
and if they would just wait a little bit
264
601195
1929
在給你的正面回饋之前
10:15
before giving you that positive feedback,
265
603124
2049
他們只要再等久一點點
10:17
you probably would have better passwords.
266
605173
3160
你可能就會有更好的密碼
10:20
Now another approach to better passwords, perhaps,
267
608333
3847
另一種更好地設密碼的方法
10:24
is to use pass phrases instead of passwords.
268
612180
2890
就是使用密語 而不是密碼
10:27
So this was an xkcd cartoon
from a couple of years ago,
from a couple of years ago,
269
615070
3418
所以這是一個幾年前的XKCD卡通
10:30
and the cartoonist suggests
270
618488
1674
漫畫家建議我
10:32
that we should all use pass phrases,
271
620162
2196
們都應該使用密語
10:34
and if you look at the second row of this cartoon,
272
622358
3170
如果你看這部動畫片的第二行
10:37
you can see the cartoonist is suggesting
273
625528
1857
可以看到漫畫家建議
10:39
that the pass phrase "correct horse battery staple"
274
627385
3441
密語 “正確的馬電池主食”
10:42
would be a very strong pass phrase
275
630826
2481
是一個非常強密語
10:45
and something really easy to remember.
276
633307
1916
也很容易記住
10:47
He says, in fact, you've already remembered it.
277
635223
2797
他說 事實上 你已經記住了
10:50
And so we decided to do a research study
278
638020
2150
所以我們決定做一個研究
10:52
to find out whether this was true or not.
279
640170
2592
看這是真還是假
10:54
In fact, everybody who I talk to,
280
642762
1775
事實上 我們訪問的對象
10:56
who I mention I'm doing password research,
281
644537
2042
當我們提到是做密碼的研究
10:58
they point out this cartoon.
282
646579
1400
他們提到這部動畫片
10:59
"Oh, have you seen it? That xkcd.
283
647979
1574
“你看過那XKCD嗎?
11:01
Correct horse battery staple."
284
649553
1602
正確的馬電池主食"
11:03
So we did the research study to see
285
651155
1806
所以我們做了調查研究
11:04
what would actually happen.
286
652961
2359
看看到底會發生什麼
11:07
So in our study, we used Mechanical Turk again,
287
655320
3060
研究中 我們再次使用群眾外包平台
11:10
and we had the computer pick the random words
288
658380
4167
我們讓電腦隨機
11:14
in the pass phrase.
289
662547
1100
在密語中選字
我們這樣做的原因是
11:15
Now the reason we did this
290
663647
1153
11:16
is that humans are not very good
291
664800
1586
人類不是很會
11:18
at picking random words.
292
666386
1384
隨機選字
11:19
If we asked a human to do it,
293
667770
1262
如果我們找人來做
11:21
they would pick things that were not very random.
294
669032
2998
他們挑的都不是很隨機
11:24
So we tried a few different conditions.
295
672030
2032
因此 我們嘗試了一些不同的情況
11:26
In one condition, the computer picked
296
674062
2090
在其中一種情況下
11:28
from a dictionary of the very common words
297
676152
2216
電腦從字典選出
英文很常見的字
11:30
in the English language,
298
678368
1362
所以你可能會有
11:31
and so you'd get pass phrases like
299
679730
1764
“試那兒三來” 的密語
11:33
"try there three come."
300
681494
1924
11:35
And we looked at that, and we said,
301
683418
1732
我們看了說
11:37
"Well, that doesn't really seem very memorable."
302
685150
3050
這似乎不是很好記
11:40
So then we tried picking words
303
688200
2240
於是當我們嘗試
在演說中的特定部分來選字
11:42
that came from specific parts of speech,
304
690440
2521
就像名詞 動詞 形容詞 名詞
11:44
so how about noun-verb-adjective-noun.
305
692961
2182
11:47
That comes up with something
that's sort of sentence-like.
that's sort of sentence-like.
306
695143
2577
我們得到像句子的東西
11:49
So you can get a pass phrase like
307
697720
2070
這樣你就可以得到一個密語 像是
"計畫建造肯定力量"
11:51
"plan builds sure power"
308
699790
1308
11:53
or "end determines red drug."
309
701098
2786
或是 "結束決定紅色藥"
而這些似乎比較容易記住
11:55
And these seemed a little bit more memorable,
310
703884
2676
也許人們會比較喜歡一點
11:58
and maybe people would like those a little bit better.
311
706560
2822
我們希望將它們與密碼進行比較
12:01
We wanted to compare them with passwords,
312
709382
2572
12:03
and so we had the computer
pick random passwords,
pick random passwords,
313
711954
3196
所以我們用電腦挑隨機密碼
這些都是又短又好 但你會發現
12:07
and these were nice and short, but as you can see,
314
715150
1990
他們看起來不好記
12:09
they don't really look very memorable.
315
717140
2806
12:11
And then we decided to try something called
316
719946
1396
後我們決定嘗試一種叫做
12:13
a pronounceable password.
317
721342
1646
可發音密碼
12:14
So here the computer picks random syllables
318
722988
2245
這是電腦隨機挑選的音節
並把它們放在一起
12:17
and puts them together
319
725233
1134
12:18
so you have something sort of pronounceable,
320
726367
2475
你得到這樣好像讀得出來的東西
12:20
like "tufritvi" and "vadasabi."
321
728842
2602
“tufritvi”和“vadasabi”
12:23
That one kind of rolls off your tongue.
322
731444
2147
又有點讓舌頭打結
這些都是電腦產生的
12:25
So these were random passwords that were
323
733591
2216
隨機密碼
12:27
generated by our computer.
324
735807
2744
我們在這項研究發現是
12:30
So what we found in this study was that, surprisingly,
325
738551
2978
驚訝的是 密語實際上不是那麼好
12:33
pass phrases were not actually all that good.
326
741529
3768
12:37
People were not really better at remembering
327
745297
2793
人們記密語
12:40
the pass phrases than these random passwords,
328
748090
2953
并不比隨機密碼記得更好
12:43
and because the pass phrases are longer,
329
751043
2754
並且因為密語較長
12:45
they took longer to type
330
753797
1226
需要較長的時間來輸入
12:47
and people made more errors while typing them in.
331
755023
3010
輸入時容易出錯
所以密語不會比較好
12:50
So it's not really a clear win for pass phrases.
332
758033
3227
12:53
Sorry, all of you xkcd fans.
333
761260
3345
xkcd的粉絲們 抱歉了
在另一方面 我們確實發現
12:56
On the other hand, we did find
334
764605
1892
12:58
that pronounceable passwords
335
766497
1804
那可發音密碼
13:00
worked surprisingly well,
336
768301
1471
出奇地好用
13:01
and so we actually are doing some more research
337
769772
2418
所以我們正在做一些調查研究
看看我們是否可以讓這方法做得更好
13:04
to see if we can make that
approach work even better.
approach work even better.
338
772190
3195
13:07
So one of the problems
339
775385
1812
我們已經做的一些研究中
13:09
with some of the studies that we've done
340
777197
1623
有一個問題就是
13:10
is that because they're all done
341
778820
1683
因為這些研究
都是在群眾外包平台上執行
13:12
using Mechanical Turk,
342
780503
1590
13:14
these are not people's real passwords.
343
782093
1812
這些都不是人們的真正密碼
13:15
They're the passwords that they created
344
783905
2105
這些是為研究而創造的密碼
13:18
or the computer created for them for our study.
345
786010
2495
或者為電腦產生的密碼
13:20
And we wanted to know whether people
346
788505
1568
而我們想知道
13:22
would actually behave the same way
347
790073
2312
是否實際上人們具有相同的行為方式
來設定他們的真實密碼
13:24
with their real passwords.
348
792385
2227
13:26
So we talked to the information
security office at Carnegie Mellon
security office at Carnegie Mellon
349
794612
3681
因此 我們請卡內積梅隆的
資訊安全辦公室
資訊安全辦公室
為我們提供大家的真實密碼
13:30
and asked them if we could
have everybody's real passwords.
have everybody's real passwords.
350
798293
3803
不出意外 他們是有點不願意
13:34
Not surprisingly, they were a little bit reluctant
351
802096
1754
13:35
to share them with us,
352
803850
1550
與我們分享
13:37
but we were actually able to work out
353
805400
1810
但是我們共同想出
13:39
a system with them
354
807210
1040
一個辦法
13:40
where they put all of the real passwords
355
808250
2109
他們用來儲存
13:42
for 25,000 CMU students, faculty and staff,
356
810359
3091
CMU25,000個學生,教師,和員工
真實密碼的系統
真實密碼的系統
13:45
into a locked computer in a locked room,
357
813450
2448
放在一台鎖碼的電腦里 鎖在教室
13:47
not connected to the Internet,
358
815898
1394
沒有網路連線
13:49
and they ran code on it that we wrote
359
817292
1848
他們操作我們所寫的代碼
13:51
to analyze these passwords.
360
819140
2152
來分析密碼
13:53
They audited our code.
361
821292
1326
他們審核我們的代碼
13:54
They ran the code.
362
822618
1312
他們跑這些代碼
13:55
And so we never actually saw
363
823930
1738
所以我們並沒真正看到
13:57
anybody's password.
364
825668
2817
任何人的密碼
14:00
We got some interesting results,
365
828485
1515
我們得到了一些有趣的結果
14:02
and those of you Tepper students in the back
366
830000
1696
那些在後面的太普學生
14:03
will be very interested in this.
367
831696
2875
都會對此很感興趣
14:06
So we found that the passwords created
368
834571
3731
我們發現
電腦科學學院學生密碼
14:10
by people affiliated with the
school of computer science
school of computer science
369
838302
2158
14:12
were actually 1.8 times stronger
370
840460
2324
比那些商學院學生的密碼
14:14
than those affiliated with the business school.
371
842784
3738
要強1.8倍
我們有很多其他的真的很有趣
14:18
We have lots of other really interesting
372
846522
2040
14:20
demographic information as well.
373
848562
2238
人口統計資訊
另一個有趣的事情
14:22
The other interesting thing that we found
374
850800
1846
14:24
is that when we compared
the Carnegie Mellon passwords
the Carnegie Mellon passwords
375
852646
2440
當我們比較
卡內基梅隆和群眾外包平台生成的密碼
14:27
to the Mechanical Turk-generated passwords,
376
855086
2283
14:29
there was actually a lot of similarities,
377
857369
2619
實際上存在很多的相似之處
所以這有助於驗證我們的研究方法
14:31
and so this helped validate our research method
378
859988
1948
14:33
and show that actually, collecting passwords
379
861936
2510
並顯示 實際上
群眾外包平台收集的密碼
14:36
using these Mechanical Turk studies
380
864446
1808
14:38
is actually a valid way to study passwords.
381
866254
2788
對我們的研究很有效
所以這是個好消息
14:41
So that was good news.
382
869042
2285
14:43
Okay, I want to close by talking about
383
871327
2414
好吧 我想用下面所說的來做總結
14:45
some insights I gained while on sabbatical
384
873741
2068
一些我去年在卡內基·梅隆藝術學校
14:47
last year in the Carnegie Mellon art school.
385
875809
3201
公休時獲得的啟發
其中一個我做的事就是
14:51
One of the things that I did
386
879010
1281
14:52
is I made a number of quilts,
387
880291
1524
我做了一些拼布棉被
14:53
and I made this quilt here.
388
881815
1548
這是我在這裡做的
14:55
It's called "Security Blanket."
389
883363
1899
叫做 "安全性毯子"
14:57
(Laughter)
390
885262
2431
(笑聲)
14:59
And this quilt has the 1,000
391
887693
3095
這棉被上有RockYou網站上公布的
15:02
most frequent passwords stolen
392
890788
2328
1000個
最常被偷的密碼
15:05
from the RockYou website.
393
893116
2571
15:07
And the size of the passwords is proportional
394
895687
2061
密碼的大小顯示
15:09
to how frequently they appeared
395
897748
1901
他們再被盜資料庫中
15:11
in the stolen dataset.
396
899649
2248
出現頻率成正比
而我創造了這個字雲
15:13
And what I did is I created this word cloud,
397
901897
2632
15:16
and I went through all 1,000 words,
398
904529
2132
我把 1000個字
15:18
and I categorized them into
399
906661
1795
歸類成
15:20
loose thematic categories.
400
908456
2380
幾個大項
15:22
And it was, in some cases,
401
910836
1903
並且在某些情況下
15:24
it was kind of difficult to figure out
402
912739
2038
很難將他們
15:26
what category they should be in,
403
914777
1755
歸類
15:28
and then I color-coded them.
404
916532
1899
然後我就用顏色碼來分
15:30
So here are some examples of the difficulty.
405
918431
2619
這裡是一些有難度的例子
15:33
So "justin."
406
921050
1181
譬如"賈斯汀"
15:34
Is that the name of the user,
407
922231
1829
是用戶的名字
15:36
their boyfriend, their son?
408
924060
1322
男友 兒子?
或許是賈斯汀·比伯的粉絲
15:37
Maybe they're a Justin Bieber fan.
409
925382
2888
15:40
Or "princess."
410
928270
2225
又或是"公主"
15:42
Is that a nickname?
411
930495
1635
是個暱稱
15:44
Are they Disney princess fans?
412
932130
1595
他們是迪士尼公主的粉絲嗎?
15:45
Or maybe that's the name of their cat.
413
933725
3694
又或是是他們貓咪的名字
"我愛你" 用很多不同語言
15:49
"Iloveyou" appears many times
414
937419
1655
出現很多次
15:51
in many different languages.
415
939074
1545
15:52
There's a lot of love in these passwords.
416
940619
3735
在這些密碼中 很多愛字
如果你仔細看
15:56
If you look carefully, you'll see there's also
417
944354
1680
你會發現也有些褻瀆
15:58
some profanity,
418
946034
2267
16:00
but it was really interesting to me to see
419
948301
1950
很有趣 我看到了
16:02
that there's a lot more love than hate
420
950251
2307
這些密碼中
16:04
in these passwords.
421
952558
2292
愛比恨多
還有動物
16:06
And there are animals,
422
954850
1490
16:08
a lot of animals,
423
956340
1360
很多的動物
16:09
and "monkey" is the most common animal
424
957700
2304
而“猴子”是最常見的動物
16:12
and the 14th most popular password overall.
425
960004
3675
第14個最受歡迎的密碼
我對此很好奇 也很納悶
16:15
And this was really curious to me,
426
963679
2231
16:17
and I wondered, "Why are monkeys so popular?"
427
965910
2523
“為什麼是猴子如此受歡迎?”
16:20
And so in our last password study,
428
968433
3352
所以在我們最後一個密碼研究
16:23
any time we detected somebody
429
971785
1686
當我們發現有人
16:25
creating a password with the word "monkey" in it,
430
973471
2649
在設定密碼中出現"猴子"
16:28
we asked them why they had
a monkey in their password.
a monkey in their password.
431
976120
3030
我們問他們原因
我們發現---
16:31
And what we found out --
432
979150
1910
目前有17個人
16:33
we found 17 people so far, I think,
433
981060
2103
16:35
who have the word "monkey" --
434
983163
1283
密碼設置為猴子
16:36
We found out about a third of them said
435
984446
1812
有三分之一的人說
16:38
they have a pet named "monkey"
436
986258
1740
他們有叫"猴子 "的寵物
16:39
or a friend whose nickname is "monkey,"
437
987998
2291
或有朋友暱稱"猴子"
而有三分之一的說
16:42
and about a third of them said
438
990289
1660
16:43
that they just like monkeys
439
991949
1533
他們就是喜歡猴子
16:45
and monkeys are really cute.
440
993482
1638
猴子很可愛
16:47
And that guy is really cute.
441
995120
3639
而那人真的很可愛
最終這似乎表明
16:50
So it seems that at the end of the day,
442
998759
3408
16:54
when we make passwords,
443
1002167
1783
當我們選密碼時
16:55
we either make something that's really easy
444
1003950
1974
並不選擇那些很容易輸入的東西
16:57
to type, a common pattern,
445
1005924
3009
常見的模式 或是
17:00
or things that remind us of the word password
446
1008933
2486
提醒我們有關密碼的東西
17:03
or the account that we've created the password for,
447
1011419
3312
或提醒有關帳號
17:06
or whatever.
448
1014731
2617
或是其他的
17:09
Or we think about things that make us happy,
449
1017348
2642
或是想到讓我們感到快樂的事
17:11
and we create our password
450
1019990
1304
17:13
based on things that make us happy.
451
1021294
2238
然後我們基於
17:15
And while this makes typing
452
1023532
2863
讓我們快樂的事來設置密碼
雖然這使我們輸入密碼及記憶密碼的
17:18
and remembering your password more fun,
453
1026395
2870
時候變得有趣
17:21
it also makes it a lot easier
454
1029265
1807
但也更容易猜測你所設立的密碼
17:23
to guess your password.
455
1031072
1506
17:24
So I know a lot of these TED Talks
456
1032578
1748
我知道TED的很多演講
17:26
are inspirational
457
1034326
1634
都很有啓發性
17:27
and they make you think about nice, happy things,
458
1035960
2461
並常常是可愛快樂的主題
17:30
but when you're creating your password,
459
1038421
1897
但當你設立密碼時
17:32
try to think about something else.
460
1040318
1991
試著用其他的心態去創造你的密碼
謝謝大家
17:34
Thank you.
461
1042309
1107
(掌聲)
17:35
(Applause)
462
1043416
553
ABOUT THE SPEAKER
Lorrie Faith Cranor - Security researcherAt Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online.
Why you should listen
Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics.
Cranor plays a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P. She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review.
Lorrie Faith Cranor | Speaker | TED.com