Science and technology
Computer passwords
Speak, friend, and enter
Computer passwords need to be memorable and secure.
Most people's are the first but not the second.
Researchers are trying to make it easier for them to be both
PASSWORDS are ubiquitous in computer security.
All too often, they are also ineffective.
A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter.
Names of wives, husbands and children are popular.
Some take simplicity to extremes: one former deputy editor of The Economist used "z" for many years.
And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site's users—365,000 people—had opted either for 123456 or for 12345.
That predictability lets security researchers create dictionaries which list common passwords, a boon to those seeking to break in.
But although researchers know that passwords are insecure, working out just how insecure has been difficult.
Many studies have only small samples to work on—a few thousand passwords at most.
Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable.
However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light.
With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners.
Mr Bonneau found some intriguing variations.
Older users had better passwords than young ones.
People whose preferred language was Korean or German chose the most secure passwords; those who spoke Indonesian the least.
Passwords designed to hide sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, like access to games.
Nag screens that told users they had chosen a weak password made virtually no difference.
And users whose accounts had been hacked in the past did not make dramatically more secure choices than those who had never been hacked.
But it is the broader analysis of the sample that is of most interest to security researchers.
For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it.
Mr Bonneau is blunt: "An attacker who can manage ten guesses per account…will compromise around 1% of accounts."
And that, from the hacker's point of view, is a worthwhile outcome.
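The "ten guesses per account" figure is a measurement a defender can make on their own user base without ever running an attack: rank the passwords actually chosen by frequency and ask what share of accounts the top few strings cover. The block below is an added example, not code from the article or from Mr Bonneau's paper; it uses a small constructed password sample (the counts are invented to be skewed the way leaked sets like RockYou are) and shows both the guess-success rate for an online attacker who tries the k most common strings, and the registration-time blocklist check that follows from the same list.

```python
from collections import Counter

# Constructed sample of password choices (not real data). A few strings
# dominate, followed by a long tail of distinct values, which is the shape
# the article describes for leaked sets such as RockYou.
SAMPLE_PASSWORDS = (
    ["123456"] * 60
    + ["12345"] * 20
    + ["password"] * 15
    + ["z"] * 5
    + [f"user{i}pw!" for i in range(900)]   # 900 distinct tail entries
)


def build_dictionary(passwords, size):
    """Return the `size` most common passwords in the sample: this is exactly
    what a generic guessing dictionary consists of, so it is also what a
    site should refuse at registration time."""
    return [pw for pw, _ in Counter(passwords).most_common(size)]


def guess_success_rate(passwords, guesses):
    """Fraction of accounts compromised by an online attacker who tries the
    `guesses` most common passwords against every account. Models the
    'ten guesses per account' scenario quoted in the article."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(guesses))
    return covered / len(passwords)


def guesses_for_fraction(passwords, fraction):
    """Smallest number of top-frequency guesses needed to compromise at
    least `fraction` of accounts (the online attacker's work factor)."""
    counts = Counter(passwords)
    covered, needed = 0, 0
    for _, c in counts.most_common():
        covered += c
        needed += 1
        if covered / len(passwords) >= fraction:
            return needed
    return needed


def is_acceptable(candidate, blocklist):
    """Registration-time policy: reject anything on the common-password
    list, compared case-insensitively so 'Password' is caught too."""
    return candidate.lower() not in {pw.lower() for pw in blocklist}


if __name__ == "__main__":
    top10 = build_dictionary(SAMPLE_PASSWORDS, 10)
    print("top-10 dictionary:", top10)
    print("10-guess success rate:", guess_success_rate(SAMPLE_PASSWORDS, 10))
    print("guesses to reach 5%:", guesses_for_fraction(SAMPLE_PASSWORDS, 0.05))
    print("'Password' acceptable?", is_acceptable("Password", top10))
```

Run against a real user base the same computation needs only the password frequency table (never the plaintexts themselves in a log), and the blocklist it produces is a far better signal than a nag screen, since the article notes that nag screens made virtually no difference.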
One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do.
Yet whereas the biggest sites, such as Google and Microsoft, do take such measures, many do not.
A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sören Preibusch found that 126 made no attempt to limit guessing.
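The cash-machine approach the article mentions is a per-account failed-attempt counter with a temporary lockout. The following is an added example, not code from any of the sites discussed or from the researchers: a small login guard wrapping a PBKDF2 password check, with a constructed user record and an injectable clock so the lockout expiry can be exercised without waiting. The account names, passphrase and limits are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 100_000


def make_record(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record for storage (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: one account with an illustrative passphrase.
USERS = {"alice": make_record("example-pass-phrase")}


def verify(account, candidate):
    """Constant-time comparison against the stored digest; unknown accounts
    fail the same way as wrong passwords, so the response does not reveal
    which usernames exist."""
    record = USERS.get(account)
    if record is None:
        return False
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, attempt)


class LoginGuard:
    """Per-account guess limiter: after `max_attempts` consecutive failures
    the account is locked for `lockout` seconds, during which no password
    is checked at all, so an attacker gets no further oracle."""

    def __init__(self, verify_fn, max_attempts=5, lockout=900, clock=time.monotonic):
        self.verify_fn = verify_fn
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock            # injectable for testing
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state and allow attempts again.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, candidate):
        """Returns 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(account):
            return "locked"
        if self.verify_fn(account, candidate):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lockout
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    guard = LoginGuard(verify, max_attempts=3, lockout=60)
    for pw in ["wrong1", "wrong2", "wrong3", "example-pass-phrase"]:
        print(pw, "->", guard.attempt("alice", pw))
```

Two design points worth noting: a locked account rejects even the correct password until the window passes, which is what stops the ten-guess attack the article quotes, and the same mechanism can be turned into a denial-of-service lever against a named victim, so production systems usually pair a per-account lockout with per-source throttling and a notification to the account owner rather than relying on lockout alone.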
How this state of affairs arose is obscure.
For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details.
But password laxity imposes costs even on sites with good security, since people often use the same password for several different places.
One suggestion is that lax password security is a cultural remnant of the internet's innocent youth—an academic research network has few reasons to worry about hackers.
Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change.
But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords.
One such is multi-word passwords called passphrases.
Using several words instead of one means an attacker has to guess more letters, which creates more security—but only if the phrase chosen is not one likely to turn up, through familiar usage, in a dictionary of phrases.
Which, of course, it often is.
Mr Bonneau and his colleague Ekaterina Shutova have analysed a real-world passphrase system employed by Amazon, an online retailer that allowed its American users to employ passphrases between October 2009 and February 2012.
They found that, although passphrases do offer better security than passwords, they are not as good as had been hoped.
A phrase of four or five randomly chosen words is fairly secure. But remembering several such phrases is no easier than remembering several randomly chosen passwords.
Once again, the need for memorability is a boon to attackers.
By scraping the internet for lists of things like film titles, sporting phrases and slang, Mr Bonneau and Dr Shutova were able to construct a 20,656-word dictionary that unlocked 1.13% of the accounts in Amazon's database.
The researchers also suspected that even those who do not use famous phrases would still prefer patterns found in natural language over true randomness.
So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus, and from the Google NGram Corpus.
Sure enough, they found considerable overlap between structures common in ordinary English and the phrases chosen by Amazon's users.
Some 13% of the adjective-noun constructions which the researchers tried were on the money, as were 5% of adverb-verb mixes.
One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password.
This is a string of apparent gibberish which is not actually too hard to remember.
It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—8 for B, for instance.
Even mnemonic passwords, however, are not invulnerable.
A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like.
The upshot is that there is probably no right answer.
All security is irritating, and there is a constant tension between people's desire to be safe and their desire for things to be simple.
While that tension persists, the hacker will always get through.