评论
打印
Science and technology
科学技术
Computer passwords
电脑密码
Speak, friend, and enter
说,朋友和进入
Computer passwords need to be memorable and secure.
电脑密码须具备两个特性:易记及难猜。
Most people's are the first but not the second.
但是大部分人的密码只注重了前者却忽略了后者。
Researchers are trying to make it easier for them to be both
研究人员正努力让两者兼而有之变得更以实现。
PASSWORDS are ubiquitous in computer security.
密码在电脑安全领域的应用相当普遍。
All too often, they are also ineffective.
但他们往往没起什么作用。
A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter.
一个好密码必须具备易记及难猜两个特征,而实际上人们好像只注意到了前者而忽略了后者。
Names of wives, husbands and children are popular.
以妻子,丈夫或孩子的名字作为密码的人大有人在。
Some take simplicity to extremes: one former deputy editor of The Economist used z for many years.
有些人的密码简单到了极点:The Economist的一位前副主编多年来一直用Z作密码。
And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site's users—365,000 people—had opted either for 123456 or for 12345.
当黑客在社交游戏网站盗取了3200万用户的密码后,人们才发现原来这个网站大约1.1%的用户-也就是365,000人-选择了12345或123456作为密码。
That predictability lets security researchers create dictionaries which list common passwords, a boon to those seeking to break in.
安全性研究人员于是根据密码的这种可预见性编制了一些罗列处各种常见密码的字典,这对那些有志于破解他人密码的人来说可说是找到了福音。
But although researchers know that passwords are insecure, working out just how insecure has been difficult.
但即使研究人员已经知道了密码不安全,要确切地给出个不安全系数却是很困难的。
Many studies have only small samples to work on—a few thousand passwords at most.
许多研究项目的对象只有一小块样本-最多只有几千个密码。
Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable.
像Rockyou这样被黑的网站能够提供更多的密码,但使用黑客盗取的密码不仅会引发道德问题上的争议,其可行性也是未知的。
However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light.
然而,在五月份由总部位于纽约的一个专业组织-电气电子协会支持下召开了一场安全性研讨会议,会上公布的一份文件让我们看到了解决这个难题的一丝曙光。
With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners.
在一家大型网络公司-雅虎的协助下,剑桥大学的Joseph Bonneau得到了一份迄今为止最大的研究样本,虽然是匿名的,但是包含了其用户极为有用的人口学数据。
Mr Bonneau found some intriguing variations.
在这份样本中Mr Bonneau发现了一些有趣的差异。
Older users had better passwords than young ones.
相较于年轻用户,老用户设置的用户更好。
People whose preferred language was Korean or German chose the most secure passwords; those who spoke Indonesian the least.
母语为韩语或德语的用户所设置的密码安全系数最高,而说印尼语的最低。
Passwords designed to hide sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, like access to games.
被设置用来隐藏像信用卡卡号这样的敏感信息的密码,相比较于另外一些保护游戏登录入口这样不那么重要的信息所设置的密码,其安全性高不了多少。
Nag screens that told users they had chosen a weak password made virtually no difference.
那些提醒用户设置的密码安全性较低的唠叨屏幕其实没有什么作用。
And users whose accounts had been hacked in the past did not make dramatically more secure choices than those who had never been hacked.
相对于那些从没被黑过的,有过账户被黑经验的用户的安全防范意识也并没得到显著提高。
But it is the broader analysis of the sample that is of most interest to security researchers.
但是,对研究样本进行更为综合性的分析才是安全性研究人员的兴趣所在。
For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it.
因为尽管存在各种差异,但是通过分析样本中那7000万用户的资料还是可以预见到,一部通用的密码暴力破解字典就能够有效应付这一整个样本,或者任何根据某项人口学特征而从中抽取的一小块资料。
Mr Bonneau is blunt: An attacker who can manage ten guesses per account…will compromise around 1% of accounts.
Mr Bonneau直言不讳地说:只要每个账号给破解者10次猜测密码的机会...会有大约1%的密码被破解。
And that, from the hacker's point of view, is a worthwhile outcome.
这在黑客看来绝对值得一试。
One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do.
对网站而言,很显然,他们可以在系统上进行类似于ATM机的设置:一旦密码输入错误次数达到规定者,即封锁登录入口。
Yet whereas the biggest sites, such as Google and Microsoft, do take such measures,many do not.
然而,只有谷歌、微软这样的大型网站采取了类似的措施,很多其他网站对此不以为意。
A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sren Preibusch found that 126 made no attempt to limit guessing.
在2010年,Mr Bonneau和他的同事Sren Preibusch曾对一份囊括了150家大型网站的样本做过调查,结果显示其中126家并没有对密码输入错误次数作出限制。
How this state of affairs arose is obscure.
这种状况的状况的出现实在是令人费解。
For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details.
对一些站点来说,在安全防范上的相对松弛是可以理解的,因为它们站设置的密码并非为了保护类似信用卡信息这样特别重要的内容。
But password laxity imposes costs even on sites with good security, since people often use the same password for several different places.
但即使对拥有良好安全防范措施的网站来说,密码系统上的疏于防范也会大大增加花费,因为人们喜欢在多个地方使用同一个密码。
One suggestion is that lax password security is a cultural remnant of the internet's innocent youth—an academic research network has few reasons to worry about hackers.
有一种说法认为他们在密码上防范疏松的做法乃是源于网上那群不谙世事的年青一代的文化特征-一个专门用于学术研究的网络几乎不需担心黑客入侵。
Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change.
还有一种可能是许多网站在建站初期都面临资金短缺的问题,而为系统配上更安全的保护措施会消耗大量宝贵的编程时间,因此他们一开始就在这一步上偷工减料,然后再也懒得去加以改善了。
But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords.
无论原因何在,与其等待所有网站都建立起一个完善的密码保护系统的那一天到来,不如由我们自己想出一个传统密码的替代方案。
One such is multi-word passwords called passphrases.
其中一种选择是使用密码组,
Using several words instead of one means an attacker has to guess more letters, which creates more security—but only if the phrase chosen is not one likely to turn up, through familiar usage, in a dictionary of phrases.
它由多个词组合起来形成,使用多个词而不是一个词用作密码的优势在于:这使得破解者需要猜出更多的字母,从而提高了密码的安全性-但前提是选择的词组不能是词典里经常出现的惯用语,
Which, of course, it often is.
可惜这个前提常常未被满足。
Mr Bonneau and his colleague Ekaterina Shutova have analysed a real-world passphrase system employed by Amazon, an online retailer that allowed its American users to employ passphrases between October 2009 and February 2012.
Mr Bonneau和他的同事Ekaterina Shutova曾经研究过一个真实的密码组系统,该系统由网上零售商Amazon使用,Amazon曾与2009年10月至2012年2月间允许他们的用户使用密码组作为密码。
They found that, although passphrases do offer better security than passwords, they are not as good as had been hoped.
他们发现,密码组虽然较一般密码而言安全性更高,但实际效果并不如预期中好。
A phrase of four or five randomly chosen words is fairly secure. But remembering several such phrases is no easier than remembering several randomly chosen passwords.
用一串由4,5个随机选择的词组合成密码是相当安全的,但问题是记住这样一些组合并不比那些随机选择的密码容易。
Once again, the need for memorability is a boon to attackers.
又一次,密码需具备易记性成为了破解者的福音。
By scraping the internet for lists of things like film titles, sporting phrases and slang, Mr Bonneau and Dr Shutova were able to construct a 20,656-word dictionary that unlocked 1.13% of the accounts in Amazon's database.
通过在网上一点点搜集像电影名,体育相关用语和俚语这样的一个个词组,Mr Bonneau和Dr Shutova编制了一部囊括了20,656个词的字典,它已经成功开启了Amazon数据库里1.13%的账号。
The researchers also suspected that even those who do not use famous phrases would still prefer patterns found in natural language over true randomness.
研究人员还怀疑,即使是那些不使用著名短语的,他们也会更倾向于按照自然语言中得模式而不会安全基于随机性。
So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus, and from the Google NGram Corpus.
所以他们将收集的密码组同从英国国家语料库中随机选取的两词组合短词,还有google的Google NGram Corpus进行了比较。
Sure enough, they found considerable overlap between structures common in ordinary English and the phrases chosen by Amazon's users.
果然,他们发现在惯常英语中得常见结构与Amazon的用户所选的短语间出现了一定程度的重叠。
Some 13% of the adjective-noun constructions which the researchers tried were on the money, as were 5% of adverb-verb mixes.
在研究人员分析的样本里面,在与金钱有关的组合中,有13%的形容词-名词,而副词-动词则达到了5%。
One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password.
一个折中的解决办法是将普通密码和密码组的概念揉合成一种所谓的助记性密码,
This is a string of apparent gibberish which is not actually too hard to remember.
它是一种看起来莫名其妙的字符串,但实际上要记住并不太难。
It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—8 for B, for instance.
助记性密码可以这样形成:挑出一个词组里每个单词的第一个字母,可以将其中一些进行大小写变化,另外一些则用某些符号来代替,例如8代替B。
Even mnemonic passwords, however, are not invulnerable.
然而,助记密码也并非是牢不可破的。
A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like.
在2006年就有一项公布的研究成果显示一个样本里4%的助记密码遭到破解,手段是利用一部基于歌词,电影名及相似内容的字典。
The upshot is that there is probably no right answer.
看来这个难题是找不到完美的答案了。
All security is irritating,and there is a constant tension between people's desire to be safe and their desire for things to be simple.
任何安全措施都是烦人的。在人们对安全的需求及万事从简的愿望间存在着不可调和的矛盾。
While that tension persists, the hacker will always get through.
只要这种矛盾存在,黑客们就总能找到.
