The Economist 345: Computer passwords
Date: 2019-02-16  Author: 英语课  Category: The Economist science and technology series
Science and technology
Computer passwords
Speak, friend, and enter
Computer passwords need to be memorable and secure. Most people's are the first but not the second. Researchers are trying to make it easier for them to be both.
PASSWORDS are ubiquitous in computer security. All too often, they are also ineffective. A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter. Names of wives, husbands and children are popular. Some take simplicity to extremes: one former deputy editor of The Economist used "z" for many years. And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site's users—365,000 people—had opted either for 123456 or for 12345. That predictability lets security researchers create dictionaries which list common passwords, a boon to those seeking to break in.
But although researchers know that passwords are insecure, working out just how insecure has been difficult. Many studies have only small samples to work on—a few thousand passwords at most. Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable. However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light. With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners. Mr Bonneau found some intriguing variations.
Older users had better passwords than young ones. People whose preferred language was Korean or German chose the most secure passwords; those who spoke Indonesian the least. Passwords designed to hide sensitive information such as credit-card numbers were only slightly more secure than those protecting less important things, like access to games. Nag screens that told users they had chosen a weak password made virtually no difference. And users whose accounts had been hacked in the past did not make dramatically more secure choices than those who had never been hacked.
But it is the broader analysis of the sample that is of most interest to security researchers. For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it. Mr Bonneau is blunt: "An attacker who can manage ten guesses per account…will compromise around 1% of accounts." And that, from the hacker's point of view, is a worthwhile outcome.
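To make the quoted figure concrete, here is an added Python example (not code from the article, nor from Mr Bonneau's paper) that scores a password sample the way an online attacker with a fixed guess budget would experience it: the fraction of accounts covered by the k most common passwords, the budget needed to reach a given fraction, and how far a "generic" dictionary built from one sample carries over to a second, demographically distinct slice. Both samples, their frequencies and every function name are constructed for this example.

```python
from collections import Counter
from typing import Iterable, List

# Constructed sample standing in for the anonymised password set the article
# describes: a few very common choices plus a long tail of unique ones.
# The frequencies are made up for illustration, not drawn from any real leak.
SAMPLE_PASSWORDS: List[str] = (
    ["123456"] * 12 + ["12345"] * 6 + ["password"] * 5 + ["qwerty"] * 3
    + ["letmein"] * 2 + ["z"] * 2
    + [f"unique-secret-{i}" for i in range(970)]
)

# A second constructed "slice" (think: a different age group or language),
# sharing some of the most common choices but with its own long tail.
OTHER_SLICE: List[str] = (
    ["123456"] * 4 + ["iloveyou"] * 3 + ["12345"] * 2
    + [f"other-{i}" for i in range(91)]
)


def top_guesses(passwords: Iterable[str], k: int) -> List[str]:
    """The k most frequent passwords in the sample, most frequent first.
    Against a known distribution this ordering is the attacker's best guessing
    sequence, so it is also the dictionary a defender should measure with."""
    return [pw for pw, _ in Counter(passwords).most_common(k)]


def guess_success_rate(passwords: Iterable[str], guesses: int) -> float:
    """Fraction of accounts compromised by an online attacker who gets
    `guesses` attempts per account and tries the sample's most common
    passwords in order (the 'beta-success-rate' of password research)."""
    counts = Counter(passwords)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(guesses)) / total


def guesses_needed(passwords: Iterable[str], fraction: float) -> int:
    """Smallest per-account guess budget that compromises at least `fraction`
    of accounts under the same attacker model."""
    counts = Counter(passwords)
    total = sum(counts.values())
    covered = 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= fraction:
            return k
    return len(counts)


def dictionary_hit_rate(dictionary: Iterable[str], passwords: Iterable[str]) -> float:
    """Fraction of `passwords` that a fixed guessing dictionary would hit.
    Building the dictionary from one slice and scoring another shows how well
    a generic list transfers across demographic groups."""
    wanted = set(dictionary)
    targets = list(passwords)
    if not targets:
        return 0.0
    return sum(pw in wanted for pw in targets) / len(targets)


if __name__ == "__main__":
    print("10 guesses on the sample:", guess_success_rate(SAMPLE_PASSWORDS, 10))
    print("guesses to reach 2.5%:", guesses_needed(SAMPLE_PASSWORDS, 0.025))
    generic = top_guesses(SAMPLE_PASSWORDS, 10)
    print("same dictionary on the other slice:", dictionary_hit_rate(generic, OTHER_SLICE))
```

On the constructed data ten guesses cover 3.4% of the first sample, and the ten-entry dictionary built from it still hits 6% of the second slice, which is the article's point in miniature: the common choices are common everywhere, so a small generic list does most of the damage. The figures only mean something on a real sample; the method is what a defender would apply to judge whether a ten-guess attacker reaches the 1% the article quotes.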
One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do. Yet whereas the biggest sites, such as Google and Microsoft, do take such measures, many do not. A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sören Preibusch found that 126 made no attempt to limit guessing.
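As an added example (not code from the article or from any of the sites it names), the following Python class implements the cash-machine style limit the paragraph describes: a per-account count of consecutive failed guesses and a timed lockout once the count is reached. The user store, the PBKDF2 hashing, the account name and all identifiers are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: one account, stored as salt + hash.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash("correct horse battery", _SALT)),
}


def verify_password(account: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown accounts fail."""
    record = USERS.get(account)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


@dataclass
class GuessLimiter:
    """Per-account throttle on online password guessing, in the spirit of a
    cash machine: after `max_failures` consecutive wrong guesses the account is
    locked for `lockout_seconds`, and every attempt in that window is refused
    *before* the password is checked, so a locked account yields neither
    further guesses nor any hint about the credential."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    verify: Callable[[str, str], bool] = verify_password
    _failures: Dict[str, int] = field(default_factory=dict)      # account -> failures
    _locked_until: Dict[str, float] = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                       # lockout expired: start fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password: str, now: Optional[float] = None) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        if self.verify(account, password):
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    limiter = GuessLimiter(max_failures=3, lockout_seconds=60)
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery"):
        print(guess, "->", limiter.attempt("alice", guess))
```

Two design points matter. The lock is consulted before the password is verified, so a locked account neither consumes a guess nor leaks timing, and the counter is kept per account rather than per source address, which is what stops a guesser spread across many machines. The flip side, which a real deployment has to weigh, is that anyone who knows a username can lock its owner out for the window; escalating delays or a CAPTCHA after the first few failures is the usual way to soften that.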
How this state of affairs arose is obscure. For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details. But password laxity imposes costs even on sites with good security, since people often use the same password for several different places. One suggestion is that lax password security is a cultural remnant of the internet's innocent youth—an academic research network has few reasons to worry about hackers. Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change. But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords.
One such is multi-word passwords called passphrases. Using several words instead of one means an attacker has to guess more letters, which creates more security—but only if the phrase chosen is not one likely to turn up, through familiar usage, in a dictionary of phrases. Which, of course, it often is.
Mr Bonneau and his colleague Ekaterina Shutova have analysed a real-world passphrase system employed by Amazon, an online retailer that allowed its American users to employ passphrases between October 2009 and February 2012. They found that, although passphrases do offer better security than passwords, they are not as good as had been hoped. A phrase of four or five randomly chosen words is fairly secure. But remembering several such phrases is no easier than remembering several randomly chosen passwords. Once again, the need for memorability is a boon to attackers. By scraping the internet for lists of things like film titles, sporting phrases and slang, Mr Bonneau and Dr Shutova were able to construct a 20,656-word dictionary that unlocked 1.13% of the accounts in Amazon's database. The researchers also suspected that even those who do not use famous phrases would still prefer patterns found in natural language over true randomness. So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus, and from the Google NGram Corpus. Sure enough, they found considerable overlap between structures common in ordinary English and the phrases chosen by Amazon's users. Some 13% of the adjective-noun constructions which the researchers tried were on the money, as were 5% of adverb-verb mixes.
One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password. This is a string of apparent gibberish which is not actually too hard to remember. It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—8 for B, for instance. Even mnemonic passwords, however, are not invulnerable. A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like.
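An added Python example (not from the article or the studies it cites) covering the two constructions discussed above: drawing a random passphrase from a word list with a cryptographic RNG, together with its entropy in bits, and building a mnemonic password by the first-letter, mixed-case, symbol-substitution recipe, refusing any phrase found in a small familiar-phrase list that stands in for the lyric and film-title dictionaries the 2006 study used. The word list, the familiar-phrase set and the substitutions other than 8-for-B are this example's own constructed assumptions.

```python
import math
import secrets
from typing import Sequence, Set

# Constructed word list. A real list (the EFF Diceware lists, for example)
# holds thousands of words; eight is enough to show the arithmetic.
WORDLIST: Sequence[str] = ("apple", "brick", "cloud", "delta",
                           "eagle", "flint", "grove", "hazel")

# Constructed stand-in for the lyric / film-title / slang dictionaries the
# article describes; a real check would use a far larger list.
FAMILIAR_PHRASES: Set[str] = {
    "to be or not to be", "may the force be with you", "let it be",
}

# "8 for B" is the substitution the article mentions; the other two entries
# are assumptions made for this example.
SUBSTITUTIONS = {"b": "8", "o": "0", "s": "$"}


def random_passphrase(n_words: int, wordlist: Sequence[str] = WORDLIST, rng=secrets) -> str:
    """n words drawn independently and uniformly with a CSPRNG (secrets.choice)."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing entropy of a uniformly random n-word phrase: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def normalise_phrase(phrase: str) -> str:
    """Lower-case and collapse whitespace so lookups are not defeated by case or spacing."""
    return " ".join(phrase.lower().split())


def is_familiar_phrase(phrase: str, known: Set[str] = FAMILIAR_PHRASES) -> bool:
    """True if the phrase is one an attacker's phrase dictionary would contain."""
    return normalise_phrase(phrase) in known


def mnemonic_password(phrase: str, known: Set[str] = FAMILIAR_PHRASES) -> str:
    """Build a mnemonic password as the article describes: first letter of each
    word, alternating upper and lower case, with a few letter-to-symbol
    substitutions. Refuses phrases that appear in the familiar-phrase list."""
    words = normalise_phrase(phrase).split()
    if not words:
        raise ValueError("empty phrase")
    if is_familiar_phrase(phrase, known):
        raise ValueError("phrase is in a familiar-phrase dictionary; choose another")
    out = []
    for i, word in enumerate(words):
        first = word[0]
        if first in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[first])
        elif i % 2 == 0:
            out.append(first.upper())
        else:
            out.append(first)
    return "".join(out)


if __name__ == "__main__":
    phrase = random_passphrase(4)
    print(phrase, "->", passphrase_entropy_bits(4, len(WORDLIST)), "bits")
    print(mnemonic_password("the quick brown fox jumps over the lazy dog"))
```

The entropy figure is why four or five random words from a long list is "fairly secure" (four words from a 7,776-word list is about 52 bits), while the familiar-phrase check is the defender's counterpart to the lyric dictionary: a mnemonic is only as unpredictable as the phrase it was derived from, and the recipe itself adds nothing an attacker cannot apply to the same dictionary.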
The upshot is that there is probably no right answer. All security is irritating, and there is a constant tension between people's desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.