
Latest Current-Affairs Reading for the 2015 Postgraduate Entrance Exam (1): Computer Passwords

(2014-03-23 21:12:40)

Category: Reading
    This is an academic article taken from The Economist of 12 March 2014, titled Computer passwords. I hope all of you (黄桃们) read it carefully and use it to build up your vocabulary on networks and technology. If you have questions, please discuss them here!

    Computer passwords need to be memorable and secure. Most people's are the first but not the second. Researchers are trying to make it easier for them to be both. Passwords are ubiquitous in computer security. All too often, they are also ineffective. A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter. Names of wives, husbands and children are popular. Some take simplicity to extremes: one former deputy editor of The Economist used z for many years.

    Computer passwords must have two properties: they must be easy to remember and hard to guess. But most people's passwords attend to the former and neglect the latter. Researchers are working to make it easier to achieve both. Passwords are used very widely in computer security, yet they often do little good. A good password must be both easy to remember and hard to guess, but in practice people seem to care only about the former and ignore the latter. Plenty of people use the name of a wife, husband or child as a password. Some passwords are simple in the extreme: a former deputy editor of The Economist used Z as a password for many years.

    And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site's users—365,000 people—had opted either for 123456 or for 12345. That predictability lets security researchers create dictionaries which list common passwords, a boon to those seeking to break in.


    But although researchers know that passwords are insecure, working out just how insecure has been difficult. Many studies have only small samples to work on—a few thousand passwords at most. Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable. However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light.


    With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners. Mr Bonneau found some intriguing variations. Older users had better passwords than young ones.

    With the help of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the largest research sample to date; although anonymised, it contained very useful demographic data about its users. In this sample Mr Bonneau found some interesting differences. Older users set better passwords than younger ones.

    People whose preferred language was Korean or German chose the most secure passwords; those who spoke Indonesian the least. Passwords designed to hide sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, like access to games. Nag screens that told users they had chosen a weak password made virtually no difference.


    And users whose accounts had been hacked in the past did not make dramatically more secure choices than those who had never been hacked. But it is the broader analysis of the sample that is of most interest to security researchers. For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it.


    Mr Bonneau is blunt: "An attacker who can manage ten guesses per account…will compromise around 1% of accounts." And that, from the hacker's point of view, is a worthwhile outcome. One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do. Yet whereas the biggest sites, such as Google and Microsoft, do take such measures, many do not. A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sören Preibusch found that 126 made no attempt to limit guessing.

    Mr Bonneau puts it bluntly: give an attacker ten guesses at the password of each account... and roughly 1% of the passwords will be cracked. From a hacker's point of view that is well worth a try. For websites, the obvious answer is to configure their systems the way an ATM does: once the number of wrong password entries reaches the set limit, block the login. Yet only large sites such as Google and Microsoft have taken such measures; many other sites pay no attention to it. In 2010 Mr Bonneau and his colleague Sören Preibusch surveyed a sample of 150 large websites and found that 126 of them placed no limit on the number of incorrect password entries.
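The guess-limiting the article describes (block access after a fixed number of failed attempts, as a cash machine does) is easy to state but worth seeing in working form. The following is an added example, not code from The Economist, Mr Bonneau, or any of the sites named above. It assumes a constructed in-memory credential store, a PBKDF2 password hash as a stand-in for whatever hash a real site uses, and a hypothetical 15-minute lockout window; the ten-guess budget is the figure quoted in the article. Unknown usernames are put through the same hash computation so that the response does not reveal whether an account exists.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 10        # the ten-guess budget the article quotes
LOCKOUT_SECONDS = 900    # assumed lockout window (15 minutes); not from the article
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo password hash


def make_credential(password):
    """Return (salt, digest) for a newly set password. Constructed demo store format."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed guesses since the last success/lockout
    locked_until: float = 0.0  # clock value before which logins are refused


class GuessLimiter:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials  # username -> (salt, digest)
        self._state = {}           # username -> AccountState
        self._clock = clock        # injectable so tests can move time forward
        # Hashed against for unknown usernames so work and outcome look the same.
        self._dummy = make_credential("dummy")

    def _verify(self, username, password):
        salt, digest = self._creds.get(username, self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Constant-time compare; an unknown username can never succeed.
        return hmac.compare_digest(candidate, digest) and username in self._creds

    def attempt(self, username, password):
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if now < state.locked_until:
            return "locked"  # refuse before checking: guesses cost the attacker nothing otherwise
        if self._verify(username, password):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.failures = 0
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = {"alice": make_credential("lantern-quiet-umbrella")}  # constructed account
    limiter = GuessLimiter(store)
    for i in range(MAX_FAILURES):
        print(i + 1, limiter.attempt("alice", "wrong%d" % i))
    print("correct password while locked:", limiter.attempt("alice", "lantern-quiet-umbrella"))
```

The counter is per account rather than per source address, which is what stops a single account being guessed at from many machines; a production deployment would persist the state somewhere shared across login servers and usually add a per-IP limit as well.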

    How this state of affairs arose is obscure. For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details. But password laxity imposes costs even on sites with good security, since people often use the same password for several different places. One suggestion is that lax password security is a cultural remnant of the internet's innocent youth—an academic research network has few reasons to worry about hackers.


    Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change. But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords. One such is multi-word passwords called passphrases. Using several words instead of one means an attacker has to guess more letters, which creates more security—but only if the phrase chosen is not one likely to turn up, through familiar usage, in a dictionary of phrases, which, of course, it often is.


    Mr Bonneau and his colleague Ekaterina Shutova have analysed a real-world passphrase system employed by Amazon, an online retailer that allowed its American users to employ passphrases between October 2009 and February 2012. They found that, although passphrases do offer better security than passwords, they are not as good as had been hoped. A phrase of four or five randomly chosen words is fairly secure. But remembering several such phrases is no easier than remembering several randomly chosen passwords. Once again, the need for memorability is a boon to attackers.

    Mr Bonneau and his colleague Ekaterina Shutova studied a real passphrase system used by the online retailer Amazon, which between October 2009 and February 2012 allowed its users to use passphrases as passwords. They found that although passphrases are more secure than ordinary passwords, they do not work as well as had been hoped. A phrase made up of four or five randomly chosen words is fairly secure, but the trouble is that remembering several such combinations is no easier than remembering randomly chosen passwords. Once again, the need for passwords to be memorable is a boon to attackers.

    By scraping the internet for lists of things like film titles, sporting phrases and slang, Mr Bonneau and Dr Shutova were able to construct a 20,656-word dictionary that unlocked 1.13% of the accounts in Amazon's database. The researchers also suspected that even those who do not use famous phrases would still prefer patterns found in natural language over true randomness.

    By scraping the internet bit by bit for phrases such as film titles, sporting expressions and slang, Mr Bonneau and Dr Shutova compiled a dictionary of 20,656 words that successfully unlocked 1.13% of the accounts in Amazon's database. The researchers also suspected that even those who do not use famous phrases would prefer patterns from natural language rather than basing their security on randomness.

    So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus, and from the Google NGram Corpus. Sure enough, they found considerable overlap between structures common in ordinary English and the phrases chosen by Amazon's users. Some 13% of the adjective-noun constructions which the researchers tried were on the money, as were 5% of adverb-verb mixes.

    So they compared the passphrases they had collected with two-word phrases selected at random from the British National Corpus and from Google's Google NGram Corpus. Sure enough, they found a degree of overlap between common structures in everyday English and the phrases chosen by Amazon's users. Among the samples the researchers analysed, of the money-related combinations 13% were adjective-noun, while adverb-verb reached 5%.
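The defensive counterpart of the findings above (common passwords such as 123456, phrases that turn up in a dictionary of film titles and slang, and mnemonic passwords that are just the initials of such a phrase with a few symbol substitutions) is a policy check that rejects a candidate secret before it is ever stored. The following is an added example, not code from the researchers or from Amazon; the blocklist entries are a handful of constructed samples standing in for the large breached-password and phrase lists a real site would load, and the substitution table generalises the single "8 for B" case the article mentions to a few similar digit-for-letter swaps.

```python
import re
import unicodedata

# Constructed sample blocklists; a deployment would load a breached-password list
# and phrase sources of the kind the article names (film titles, sport, slang).
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "z"}
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "game over",
    "home run",
}

# Substitutions undone before lookup: the article's 8 -> B plus similar swaps (assumed).
LEET = str.maketrans({"8": "b", "0": "o", "3": "e", "1": "l", "4": "a",
                      "5": "s", "@": "a", "$": "s"})

MIN_PASSPHRASE_WORDS = 4  # the "four or five randomly chosen words" the article calls fairly secure


def normalise(text):
    """Unicode-fold, lower-case and collapse whitespace so lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


def mnemonic_of(phrase):
    """First letter of each word: the construction the article describes."""
    return "".join(word[0] for word in phrase.split())


MNEMONICS = {mnemonic_of(p) for p in COMMON_PHRASES}


def check(candidate):
    """Return 'accept' or a 'reject: <reason>' string for a proposed password/passphrase."""
    norm = normalise(candidate)
    if norm in COMMON_PASSWORDS:
        return "reject: common password"
    plain = norm.translate(LEET)                  # undo symbol substitutions
    as_phrase = re.sub(r"[^a-z ]+", "", plain)    # drop punctuation, keep word boundaries
    if as_phrase in COMMON_PHRASES:
        return "reject: common phrase"
    compact = re.sub(r"[^a-z]+", "", plain)       # initials-only form for mnemonic lookup
    if compact in MNEMONICS:
        return "reject: mnemonic of common phrase"
    if " " in norm and len(norm.split()) < MIN_PASSPHRASE_WORDS:
        return "reject: passphrase too short"
    return "accept"


if __name__ == "__main__":
    for sample in ["123456", "Z", "To be, or not to be", "M@y the F0rce be with you",
                   "Mtf8wy", "lantern quiet", "lantern quiet umbrella seventy"]:
        print(repr(sample), "->", check(sample))
```

Checking the mnemonic form matters because the 2006 study the article cites later shows that initials of lyrics and titles are themselves dictionary-guessable; normalising the substitutions first means "Mtf8wy" is caught just as "mtfbwy" would be. A blocklist check of this kind is a complement to guess limiting, not a replacement: the limiter bounds what an attacker can try online, the blocklist removes the entries that would be tried first.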

    One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password. This is a string of apparent gibberish which is not actually too hard to remember. It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—8 for B, for instance. Even mnemonic passwords, however, are not invulnerable.


    A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like. The upshot is that there is probably no right answer. All security is irritating, and there is a constant tension between people's desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.
