Lorrie Faith Cranor: What happens to your pa$$w0rd

Lorrie Faith Cranor is a professor of computer science and engineering, and she gave a very interesting TED talk. The topic of the talk: "What's wrong with your pa$$w0rd?"

Watch the TED video. The translation into English has been made by Chryssa Rapessi and edited by Nikolao Benia.


I am a professor of computer science and engineering here at Carnegie Mellon, and my research focuses on usable privacy and security, and so I like my friends to give me examples of their problems with computer systems, particularly problems that have to do with unusable privacy and security.


So, I hear a lot about passwords. Many people are anxious about passwords, and it's pretty painful when you have to have a really good password that you can remember but nobody can guess. But what do you do when you have accounts on hundreds of different systems and you're supposed to have a unique password for each of these systems? It's hard. At Carnegie Mellon, they made it easy for us to remember our passwords.

The password requirement until 2009 was simply that you needed a password with at least one character. Pretty easy. But then things changed, and at the end of 2009 they announced they would have a new policy, and this new policy required passwords of at least eight characters with capital and lowercase letters, numbers and symbols; the same character was not allowed more than three times, and the password could not be in a dictionary. Now, when they implemented this new policy, many of my colleagues and friends came and told me: "Wow, that is not usable at all. Why did they do that, and why didn't you stop them?" And I said, "You know what? They didn't ask me." But I was curious, and I decided to go and talk to the people responsible for our computing systems and find out what made them apply this new policy. They said the university had joined a consortium of universities, and one of the requirements for participation was to have stronger passwords that met the new requirements.

These requirements were that our passwords had to have high entropy. Entropy is a complicated concept, but basically it measures the strength of passwords. But the point is that there isn't really a measure of entropy. The National Institute of Standards and Technology has set some guidelines that have some rules of thumb for measuring entropy, but they don't have anything very specific. The reason they only have rules of thumb is that they don't have any good data about passwords. In fact, their report says: "Unfortunately, we do not have much data on the passwords users choose under specific rules.

NIST would like to get more data on the passwords users choose, but system administrators are reluctant to disclose password data to others." So this is a problem, but our research team saw it as an opportunity. We said: "There is a need for good password data. Maybe we can collect some good data and advance the state of the art." So the first thing we did was get a bag of sweets and go around the campus, where we talked with students, faculty and staff and asked for information about their passwords. We did not say, "Give us your password". No, we just asked them about their password. How long is it? Does it contain numbers? Does it contain symbols? Did it bother you that you had to change it last week? So we got results from 470 students, faculty and staff, and we actually confirmed that the new policy was very annoying, but we also found that people said they felt safer with these new passwords. We found that most of them knew they should not write down their passwords, and only 13 percent of them did, but alarmingly, 80 percent of people said they reused their password. This is more dangerous than writing your password down, because it makes you much more vulnerable to attackers. So, if you need to, write your passwords down, but do not reuse them.

We also found some interesting things about the symbols people use in their passwords. So the university allows 32 possible symbols, but as you can see, there is only a small number that most people use, so we do not get much strength from the symbols in our passwords. So this was a very interesting study, and now we have data from 470 individuals, but in fact, that is not so much password data. So we looked to see where we could find more password data. It turns out that there are many people who steal passwords and often post those passwords on the Internet. So we could get access to some of these stolen passwords. Again, however, this is not ideal for research, because it is not entirely clear where these passwords came from or what policies were in place when these passwords were created. So we wanted to find a better data source. We decided that we could do a study and have people create passwords for our research. We used a service called Amazon Mechanical Turk, where you can post a small job on the Internet that takes a minute, a few minutes, an hour, and pay people a cent, ten cents, a few dollars to do a job for you, and you pay through Amazon.com. So we paid people about 50 cents to create a password following our rules and respond to a survey, and then we paid them again to come back two days later, log in with their password and respond to another survey. So we did this, and we collected 5,000 passwords and gave users a few different policies to create their passwords. So some had a fairly easy policy, we call it Basic 8, and the only rule was that your password had to have at least eight characters.

Some had a much harder policy that was similar to the university policy, where the password had to have eight characters including capital letters, lowercase letters, numbers and symbols, and pass the dictionary check. Another of the policies we tested, and we tried many, was called Basic 16, and the only requirement here was that your password had to have at least 16 characters. Ok, so now we have 5,000 passwords, and much more detailed information. Again we see that there is only a small number of symbols people use in their passwords. We also wanted to get an idea of how strong the user-generated passwords were, but, as you remember, there is no good measure of password strength. So we decided to see how much it takes to crack those passwords, using the best tools the bad guys use or for which we could find information in the research literature.

To give you an idea of how bad guys crack passwords, they steal a password file that has all the passwords in an encoded form, called a hash, and then they guess what a password is, run it through the hash function, and see if it matches the passwords they have on their stolen list. So a dumb attacker will try every password in turn. They will start with AAAAA and continue with AAAAB, and it will take a long time before they come up with a password that someone could actually use. On the other hand, a smart attacker does something more subtle. They look at the passwords they know are popular from these sets of stolen passwords and guess those first. So they start by guessing "password", and then they'll guess "iloveyou" and "monkey" and "12345678", because those are the passwords people are most likely to have. In fact, some of you probably have such passwords.

So what we found, running all these 5,000 passwords we collected through these checks to see how strong they were, was that the long passwords were actually quite strong and the complex passwords were also quite strong. But when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable and, in some cases, were actually stronger than the complex passwords. This suggests that, instead of telling people that they have to put all these symbols and numbers and crazy things into their passwords, it might be better to tell them to have long passwords. But here is the problem: some people had long passwords that weren't really strong. You can make long passwords that are still something an attacker could easily guess. So we need to do more than just ask for long passwords. There have to be additional requirements, and part of our current research is looking at what additional requirements we should add to make stronger passwords that will also be easy for people to remember and type. Another approach to getting people to have stronger passwords is to use a password meter.

Here are some examples. You may have seen them on the Internet when creating passwords. We decided to do a study to find out if these password meters actually work. Do they really help people have stronger passwords, and if so, which ones are better? So we tried password meters of various sizes, shapes and colors, with various words beside them; we even tried one with a dancing bunny. As you type a stronger password, the bunny dances faster and faster. It was fun. What we found was that password meters do work. (Laughter) Most of the password meters were really effective, and the dancing bunny was very effective too, but the most effective password meters were the ones that made you work harder before they gave you the OK and said you're doing well, and in fact we found that most of the meters on the Internet today are still too lax.

They tell you that you're doing well too soon, and if they just waited a bit before giving you positive feedback, you would probably have better passwords. Another approach to better passwords, perhaps, is to use passphrases instead of passwords. This is a cartoon from xkcd from a few years ago, and the cartoonist suggests that we all use passphrases, and if you look at the second row of the cartoon, you can see that the cartoonist suggests that the passphrase "right horse staple battery" would be a very strong passphrase and something very easy to remember. He says, in fact, you've already remembered it. So, we decided to do a research study to see if this is true.

Everyone I talk to, when I mention that I'm doing password research, points out this cartoon. "Oh, have you seen it? The one from xkcd. Right horse battery stapler." So we did the research study to see what would actually happen. In our study, we again used Mechanical Turk and had the computer pick the random words in the passphrase. We did this because people aren't very good at choosing random words. If we asked a human to do it, they would choose things that are not so random. So we tried a few different conditions. In one condition, the computer chose from a dictionary of very common words in the English language, so you would have passphrases like "try there three come". And we looked at that, and we said, "That doesn't look very memorable." So then we tried to pick words that come from specific parts of speech, how about noun-verb-adjective-noun. That comes out roughly like a sentence. So you could have a passphrase like "plan builds sure power" or "end defines red medicine". And those looked a little more memorable, and maybe people would like those a little more. We wanted to compare them to passwords, and we had the computer randomly pick passwords, which are nice and short, but as you can see, they don't look very memorable. Then we tried something called a pronounceable password. Here the computer picks random syllables and puts them together so you have something you can sort of pronounce, like "tufritvi" and "vadashabi". That kind of rolls off the tongue.

These were random passwords generated by our computer. To our surprise, we found in this study that the passphrases weren't actually all that good. People were not much better at remembering passphrases than these random passwords, and because the passphrases are longer, they take more time and people make more mistakes when typing them. So it's not a clear win for passphrases. Sorry to all the xkcd fans. On the other hand, we found that the pronounceable passwords worked surprisingly well, and we are doing further research to see whether we can make this approach even better. One of the problems with some of the studies we've done is that, because they are all done with Mechanical Turk, these are not people's real passwords. They're passwords that they created, or that the computer created for them, for our study. We wanted to know whether people would behave the same way with their real passwords. So we talked to the information security office at Carnegie Mellon and asked them whether we could have everyone's real passwords. Not surprisingly, they were a bit reluctant to share them with us, but we were able to work out a system with them where they would put all the real passwords for 25,000 students, faculty and staff of the university on a locked computer in a locked room, with no Internet access, and they ran code that we wrote to analyze those passwords. They checked our code. They ran the code. And so we never saw anyone's password. We got interesting results, and those of you Tepper students in the back will be very interested in this. We found that the passwords created by people affiliated with the school of computer science were 1.8 times stronger than those of people affiliated with the business school.
We have lots of other really interesting demographic information. The other interesting thing we found was that, when we compared the Carnegie Mellon passwords to the ones created on Mechanical Turk, there were a lot of similarities, and this helped validate our research methodology and show that collecting passwords using these Mechanical Turk studies is a valid way to study passwords. So that was good news. I'd like to close by talking about some things I learned while I was on sabbatical last year at the Carnegie Mellon art school.

One of the things I've done is some quilts, and I made this quilt here. It's called "Security Blanket". (Laughter) And this quilt has the 1,000 most common stolen passwords from the RockYou website. The size of the passwords is proportional to the frequency with which they appear in the stolen data set. I created this word cloud, and I went through all of those 1,000 words and categorized them into some thematic categories. And sometimes, it was kind of hard to figure out what category they should go in, and then I color-coded them. Here are some examples of the difficulty. Take "justin". Is it the name of the user, their friend, their son? Maybe they're a Justin Bieber fan. Or "princess". Is it a nickname? Do they love Disney princesses? Or maybe it's their cat's name. "iloveyou" appears many times in many different languages. There is a lot of love in these passwords. If you look closely, you'll see that there are some swear words too, but it was very interesting to see that there is much more love than hate in these passwords. And there are lots of animals, and "monkey" is the most common animal and the 14th most common password overall. I found this very strange, and I wondered, "Why are monkeys so popular?" In our latest password study, every time we spotted someone creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we discovered (we've found 17 people so far, I think, with the word "monkey") was that about a third of them said they have a pet named "monkey" or a friend nicknamed "monkey", and about a third said they just like monkeys and that they are very cute. And this one is very cute.
In the end, it seems that when we create passwords, we either create something that is very easy to type, a common pattern, or something that reminds us of the word password, or the account we created the password for, or whatever. Or we think about the things that make us happy, and we create our password based on things that make us happy. And while that makes typing and remembering your password more fun, it also makes it much easier to guess your password.
I know many of these TED talks are inspiring and make you think of beautiful, happy things, but when you create your password, try to think of something else. Thank you. (Applause)
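As an added illustration (not code from the talk or from the CMU research group), the following Python generates passwords under the four computer-chosen schemes the talk compares (random common words, noun-verb-adjective-noun phrases, pronounceable syllable strings, random characters) and computes each scheme's entropy in bits from the size of its output space, together with the number of guesses an attacker who knows the scheme would need on average. The word and syllable lists are tiny constructed stand-ins for the study's real dictionaries, so the bit counts only show how the measure scales with list size and length.

```python
import math
import secrets

# Constructed word and syllable lists (assumption: stand-ins for the far larger
# lists the study used; only the size of each list affects the entropy figure).
COMMON_WORDS = ["try", "there", "three", "come", "plan", "build", "sure",
                "power", "end", "define", "red", "medicine", "horse",
                "battery", "staple", "correct"]            # 16 words
NOUNS = ["plan", "power", "end", "medicine", "horse", "battery"]
VERBS = ["builds", "defines", "runs", "hides"]
ADJECTIVES = ["sure", "red", "blue", "fast"]
SYLLABLES = [c + v for c in "tfrvdshb" for v in "aiu"]    # 24 CV syllables
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"         # 36 characters

def bits(space_size: int) -> float:
    """Entropy of one uniformly random choice among space_size possibilities."""
    return math.log2(space_size)

def random_word_phrase(n: int = 4) -> str:
    # The computer picks the words, because people pick non-random ones.
    return " ".join(secrets.choice(COMMON_WORDS) for _ in range(n))

def pos_phrase() -> str:
    # noun-verb-adjective-noun, e.g. "plan builds sure power"
    return " ".join(secrets.choice(lst) for lst in (NOUNS, VERBS, ADJECTIVES, NOUNS))

def pronounceable(syllables: int = 4) -> str:
    # Random consonant-vowel syllables glued together, e.g. "tufritvi"
    return "".join(secrets.choice(SYLLABLES) for _ in range(syllables))

def random_chars(length: int = 8) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def scheme_entropy() -> dict:
    """Bits of entropy for each generator above, from its output-space size."""
    return {
        "4 common words": 4 * bits(len(COMMON_WORDS)),
        "noun-verb-adj-noun": bits(len(NOUNS) ** 2 * len(VERBS) * len(ADJECTIVES)),
        "4 syllables": 4 * bits(len(SYLLABLES)),
        "8 random chars": 8 * bits(len(ALPHABET)),
    }

def expected_guesses(entropy_bits: float) -> float:
    """Average guesses for an attacker who knows the scheme: half the space."""
    return 2 ** (entropy_bits - 1)

if __name__ == "__main__":
    for name, e in scheme_entropy().items():
        print(f"{name:20s} {e:5.1f} bits  ~{expected_guesses(e):.3g} guesses")
    print(random_word_phrase(), "|", pos_phrase(), "|",
          pronounceable(), "|", random_chars())
```

Note that these figures apply only to computer-chosen secrets; for user-chosen passwords the guessing order of a smart attacker, not the character set, decides how many guesses are needed, which is why the talk measures those by cracking rather than by a formula.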
