TEDxCMU
Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?
Lorrie Faith Cranor: Što ne valja s vašom lo2!nk0m?
Filmed:
Readability: 4.5
1,566,161 views
Lorrie Faith Cranor je proučavala tisuće pravih korisničkih lozinki kako bi otkrila iznenađujuće, česte greške koje korisnici i zaštićene stranice čine narušavajući sigurnost. A kako ih je proučavala, a da nije pritom narušila sigurnost niti jednog korisnika? To je prava priča. Tajni podaci koje je vrijedi znati, posebno ako je vaša lozinka 123456 ...
Lorrie Faith Cranor - Security researcher
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online. Full bio
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online. Full bio
Double-click the English transcript below to play the video.
00:12
I am a computer science and engineering
professor here at Carnegie Mellon,
professor here at Carnegie Mellon,
0
535
3445
Ja sam profesorica računalne znanosti i
inženjerstva, ovdje, na Carnegie Mellonu.
inženjerstva, ovdje, na Carnegie Mellonu.
00:15
and my research focuses on
usable privacy and security,
usable privacy and security,
1
3980
4248
Moje istraživanje se bavi primjenjivim
pravilima privatnosti i sigurnosti.
pravilima privatnosti i sigurnosti.
00:20
and so my friends like to give me examples
2
8228
2768
Prijatelji mi vole davati primjere
00:22
of their frustrations with computing systems,
3
10996
2202
njihove frustriranosti
računalnim sustavima,
računalnim sustavima,
00:25
especially frustrations related to
4
13198
3354
posebno kada frustriranost ima veze
00:28
unusable privacy and security.
5
16552
4112
s neprimjenjivim pravilima
privatnosti i sigurnosti.
privatnosti i sigurnosti.
00:32
So passwords are something that I hear a lot about.
6
20664
2711
Tako su lozinke česta tema.
00:35
A lot of people are frustrated with passwords,
7
23375
2880
Puno ljudi je frustrirano s lozinkama,
00:38
and it's bad enough
8
26255
1694
i dovoljno je zlo
00:39
when you have to have one really good password
9
27949
2644
imati jednu zbilja dobru lozinku
00:42
that you can remember
10
30593
1822
koju možeš zapamtiti,
00:44
but nobody else is going to be able to guess.
11
32415
2894
a da je nitko neće pogoditi.
00:47
But what do you do when you have accounts
12
35309
1637
Ali što napraviti kada imaš
nekoliko korisničkih računa,
nekoliko korisničkih računa,
00:48
on a hundred different systems
13
36946
1808
na stotinu različitih sustava
00:50
and you're supposed to have a unique password
14
38754
2276
i trebao bi imati unikatnu lozinku
00:53
for each of these systems?
15
41030
3037
za svaki od tih sustava?
00:56
It's tough.
16
44067
2184
To je teško.
00:58
At Carnegie Mellon, they used to make it
17
46251
1759
Na Carnegie Mellonu,
01:00
actually pretty easy for us
18
48010
1299
su nam olakšavali, zapravo
01:01
to remember our passwords.
19
49309
1737
pamćenje naših lozinki.
01:03
The password requirement up through 2009
20
51046
2403
Uvjet za prihvaćenu lozinku do 2009.
01:05
was just that you had to have a password
21
53449
2379
je bio da lozinka sadrži
01:07
with at least one character.
22
55828
2211
barem jedan znak.
01:10
Pretty easy. But then they changed things,
23
58039
2888
Jednostavno. Ali onda su
se pravila promijenila.
se pravila promijenila.
01:12
and at the end of 2009, they announced
24
60927
2670
Krajem 2009. najavljena je
01:15
that we were going to have a new policy,
25
63597
2376
nova politika.
01:17
and this new policy required
26
65973
1863
Ta nova politika je zahtijevala
01:19
passwords that were at least eight characters long,
27
67836
2681
lozinke duge minimalno osam znakova,
01:22
with an uppercase letter, lowercase letter,
28
70517
1775
s velikim slovima, malim slovima
01:24
a digit, a symbol,
29
72292
1288
brojem, simbolom,
01:25
you couldn't use the same
character more than three times,
character more than three times,
30
73580
2638
isti znak se ne smije
koristiti više od tri puta,
koristiti više od tri puta,
01:28
and it wasn't allowed to be in a dictionary.
31
76218
2434
i riječ nije smjela biti iz rječnika.
01:30
Now, when they implemented this new policy,
32
78652
2182
Kada su implementirali tu novu politiku,
01:32
a lot of people, my colleagues and friends,
33
80834
2310
puno ljudi, mojih kolega i prijatelja,
01:35
came up to me and they said, "Wow,
34
83144
1854
me je pitalo:
01:36
now that's really unusable.
35
84998
1512
"Ovo je zbilja neprimjenjivo.
01:38
Why are they doing this to us,
36
86510
1193
Zašto nam to rade
01:39
and why didn't you stop them?"
37
87703
1711
i zašto ih ti nisi zaustavila?"
01:41
And I said, "Well, you know what?
38
89414
1356
A ja sam rekla: "Znaš što?
01:42
They didn't ask me."
39
90770
1508
Nisu me niti pitali."
01:44
But I got curious, and I decided to go talk
40
92278
3465
Ali sam postala znatiželjna
i odlučila sam razgovarati
i odlučila sam razgovarati
01:47
to the people in charge of our computer systems
41
95743
1937
s ljudima zaduženim za računalne sustave
01:49
and find out what led them to introduce
42
97680
2831
i otkriti što ih je navelo da uvedu
01:52
this new policy,
43
100511
1848
ovu novu politiku.
01:54
and they said that the university
44
102359
1584
Rekli su mi da se sveučilište
01:55
had joined a consortium of universities,
45
103943
2366
pridružilo konzorciju sveučilišta,
01:58
and one of the requirements of membership
46
106309
2634
a jedan od uvjeta za članstvo je
02:00
was that we had to have stronger passwords
47
108943
2248
da članovi imaju jake lozinke.
02:03
that complied with some new requirements,
48
111191
2272
Te lozinke su morale
odgovarati novim pravilima,
odgovarati novim pravilima,
02:05
and these requirements were that our passwords
49
113463
2104
ta pravila su zahtijevala da naše lozinke
02:07
had to have a lot of entropy.
50
115567
1604
budu poprilično entropične.
02:09
Now entropy is a complicated term,
51
117171
2278
Entropija je kompliciran termin,
02:11
but basically it measures the strength of passwords.
52
119449
2798
ali u pravilu, mjeri jačinu lozinki.
02:14
But the thing is, there isn't actually
53
122247
1979
Ali, stvar je u tome što ne postoji
02:16
a standard measure of entropy.
54
124226
1949
standardna mjera entropije.
02:18
Now, the National Institute
of Standards and Technology
of Standards and Technology
55
126175
2399
Nacionalni institut za
standarde i tehnologije
standarde i tehnologije
02:20
has a set of guidelines
56
128574
1553
ima skup smjernica
02:22
which have some rules of thumb
57
130127
2568
koje sadrže nekoliko
odokativnih pravila
odokativnih pravila
02:24
for measuring entropy,
58
132695
1440
za mjerenje entropije,
02:26
but they don't have anything too specific,
59
134135
2895
ali nemaju nikakva specifična pravila.
02:29
and the reason they only have rules of thumb
60
137030
2337
Razlog za to je taj
02:31
is it turns out they don't actually have any good data
61
139367
3136
što nemaju nikakvih pravih podataka
02:34
on passwords.
62
142503
1520
o lozinkama.
02:36
In fact, their report states,
63
144023
2312
U njihovom izvještaju stoji:
02:38
"Unfortunately, we do not have much data
64
146335
2328
"Nažalost, nemamo mnogo podataka
02:40
on the passwords users
choose under particular rules.
choose under particular rules.
65
148663
2842
o lozinkama koje korisnici odabiru
pri određenim pravilima.
pri određenim pravilima.
02:43
NIST would like to obtain more data
66
151505
2333
NIST bi želio prikupiti više podataka
02:45
on the passwords users actually choose,
67
153838
2462
o lozinkama koje korisnici odabiru,
02:48
but system administrators
are understandably reluctant
are understandably reluctant
68
156300
2463
ali sistemski administratori,
su razumljivo, nevoljni
su razumljivo, nevoljni
02:50
to reveal password data to others."
69
158763
2940
otkriti podatke o lozinkama
trećim stranama."
trećim stranama."
02:53
So this is a problem, but our research group
70
161703
3097
Ovo je problem, ali naša
istraživačka skupina
istraživačka skupina
02:56
looked at it as an opportunity.
71
164800
2140
je to vidjela kao mogućnost.
02:58
We said, "Well, there's a need
for good password data.
for good password data.
72
166940
3100
Rekli smo: "Postoji potreba
za dobrim podacima o lozinkama.
za dobrim podacima o lozinkama.
03:02
Maybe we can collect some good password data
73
170040
2148
Možda mi možemo prikupiti te podatke.
03:04
and actually advance the state of the art here.
74
172188
2704
I unaprijediti vrhunsku tehnologiju.
03:06
So the first thing we did is,
75
174892
1672
Prva stvar koju smo napravili je
03:08
we got a bag of candy bars
76
176564
1556
da smo nabavili vreću čokoladica,
03:10
and we walked around campus
77
178120
1086
s kojim smo hodali po kampusu,
03:11
and talked to students, faculty and staff,
78
179206
2798
i razgovarali sa studentima,
profesorima i osobljem
profesorima i osobljem
03:14
and asked them for information
79
182004
1530
i tražili ih informacije
03:15
about their passwords.
80
183534
1552
o njihovim lozinkama.
03:17
Now we didn't say, "Give us your password."
81
185086
3004
Nismo ih tražili da
nam daju svoje lozinke.
nam daju svoje lozinke.
03:20
No, we just asked them about their password.
82
188090
2661
Ne, mi smo ih samo pitali o njima.
03:22
How long is it? Does it have a digit?
83
190751
1478
Koliko su duge? Imaju li broj?
03:24
Does it have a symbol?
84
192229
1068
Imaju li simbol?
03:25
And were you annoyed at having to create
85
193297
2045
Smeta li vam što ste morali kreirati
03:27
a new one last week?
86
195342
2744
novu prošli tjedan?
03:30
So we got results from 470 students,
87
198086
3206
Dobili smo rezultate 470 studenata
03:33
faculty and staff,
88
201292
971
profesora i osoblja,
03:34
and indeed we confirmed that the new policy
89
202263
2514
i zaista se potvrdilo da
im je ova nova politika
im je ova nova politika
03:36
was very annoying,
90
204777
1453
jako zasmetala.
03:38
but we also found that people said
91
206230
1792
Također smo otkrili da
03:40
they felt more secure with these new passwords.
92
208022
3130
su se ljudi osjećali sigurnije
s novim lozinkama.
s novim lozinkama.
03:43
We found that most people knew
93
211152
2306
Otkrili smo da većina ljudi zna
03:45
they were not supposed to
write their password down,
write their password down,
94
213458
2152
da ne bi smjeli zapisivati lozinke,
03:47
and only 13 percent of them did,
95
215610
2391
i samo 13 posto njih to radi,
03:50
but disturbingly, 80 percent of people
96
218001
2416
ali ono što je uznemirujuće 80 posto
03:52
said they were reusing their password.
97
220417
2124
njih koristi stare lozinke.
03:54
Now, this is actually more dangerous
98
222541
1796
To je puno opasnije od
03:56
than writing your password down,
99
224337
2022
zapisivanja lozinke
03:58
because it makes you much
more susceptible to attackers.
more susceptible to attackers.
100
226359
3561
jer vas čini podložnijim napadima.
04:01
So if you have to, write your passwords down,
101
229920
3118
Dakle, ako baš morate,
zapišite svoju lozinku,
zapišite svoju lozinku,
04:05
but don't reuse them.
102
233038
1799
ali, nemojte ponovno koristiti staru.
04:06
We also found some interesting things
103
234837
1751
Otkrili smo i neke zanimljivih stvari
04:08
about the symbols people use in passwords.
104
236588
2961
o simbolima koji se koriste.
04:11
So CMU allows 32 possible symbols,
105
239549
2799
CMU dopušta korištenje 32 moguća znaka,
04:14
but as you can see, there's only a small number
106
242348
2433
ali kao što vidite, mali broj
04:16
that most people are using,
107
244781
1802
njih se koristi.
04:18
so we're not actually getting very much strength
108
246583
2941
Tako da lozinka ne dobiva puno
04:21
from the symbols in our passwords.
109
249524
2466
na snazi korištenjem simbola.
04:23
So this was a really interesting study,
110
251990
2711
Ovo je bila jako zanimljiva studija,
04:26
and now we had data from 470 people,
111
254701
2464
i dobili smo podatke od 470 ispitanika,
04:29
but in the scheme of things,
112
257165
1305
ali generalno,
04:30
that's really not very much password data,
113
258470
2580
ne radi se o puno podataka.
04:33
and so we looked around to see
114
261050
1445
Zato smo istraživali
04:34
where could we find additional password data?
115
262495
2560
gdje možemo pronaći još podataka.
04:37
So it turns out there are a lot of people
116
265055
2176
Tako smo pronašli da postoji hrpa ljudi
04:39
going around stealing passwords,
117
267231
2202
koji kradu lozinke,
04:41
and they often go and post these passwords
118
269433
2477
a onda ih često objavljuju
04:43
on the Internet.
119
271910
1337
na Internetu.
04:45
So we were able to get access
120
273247
1673
Uspjeli smo pristupiti
04:46
to some of these stolen password sets.
121
274920
3970
nekima od tih ukradenih lozinki.
04:50
This is still not really ideal for research, though,
122
278890
2328
To nije baš idealna situacija
kada se radi o istraživanju
kada se radi o istraživanju
04:53
because it's not entirely clear
123
281218
2037
jer nije posve jasno
04:55
where all of these passwords came from,
124
283255
2184
odakle potječu te lozinke
04:57
or exactly what policies were in effect
125
285439
2242
i pod kojim pravilima
04:59
when people created these passwords.
126
287681
2108
su ih kreirali korisnici.
05:01
So we wanted to find some better source of data.
127
289789
3552
Zbog toga smo željeli
pronaći bolji izvor podataka.
pronaći bolji izvor podataka.
05:05
So we decided that one thing we could do
128
293341
1634
Odlučili smo se je najbolji način
05:06
is we could do a study and have people
129
294975
2129
da napravimo studiju i zamolimo ljude
05:09
actually create passwords for our study.
130
297104
3240
da kreiraju lozinke za našu studiju.
05:12
So we used a service called
Amazon Mechanical Turk,
Amazon Mechanical Turk,
131
300344
2821
Koristili smo servis koji se zove
Amazon Mechanical Turk.
Amazon Mechanical Turk.
05:15
and this is a service where you can post
132
303165
2334
To je servis na kojem se objavljuju
05:17
a small job online that takes a minute,
133
305499
2304
jednostavni poslovi koji traju minutu,
05:19
a few minutes, an hour,
134
307803
1500
nekoliko minuta ili sat,
05:21
and pay people, a penny, ten cents, a few dollars,
135
309303
2584
i plaćaju peni, 10 centi
ili nekoliko dolara,
ili nekoliko dolara,
05:23
to do a task for you,
136
311887
1346
ljudima nakon što izvrše zadatak.
05:25
and then you pay them through Amazon.com.
137
313233
2122
Plaćanje se odvija preko Amazona.
05:27
So we paid people about 50 cents
138
315355
2294
Mi smo ljudima plaćali oko 50 centi
05:29
to create a password following our rules
139
317649
2596
za stvaranje lozinki pod
određenim pravilima
određenim pravilima
05:32
and answering a survey,
140
320245
1410
i sudjelovanje u anketi.
05:33
and then we paid them again to come back
141
321655
2525
Ponovno smo im platili da se vrate
05:36
two days later and log in
142
324180
2071
za dva dana i ulogiraju
05:38
using their password and answering another survey.
143
326251
2574
koristeći lozinke i
odgovore na drugi upitnik.
odgovore na drugi upitnik.
05:40
So we did this, and we collected 5,000 passwords,
144
328825
4464
Tako smo prikupili 5.000 lozinki
05:45
and we gave people a bunch of different policies
145
333289
2695
uz hrpu različitih politika i pravila
05:47
to create passwords with.
146
335984
1508
za stvaranje lozinki.
05:49
So some people had a pretty easy policy,
147
337492
1910
Neki ispitanicu su imali
jednostavna pravila,
jednostavna pravila,
05:51
we call it Basic8,
148
339402
1539
nazvali smo ih Basic8,
05:52
and here the only rule was that your password
149
340941
2146
gdje je jedino pravilo bilo da lozinka
05:55
had to have at least eight characters.
150
343087
3416
ima najmanje osam znakova.
05:58
Then some people had a much harder policy,
151
346503
2251
Drugi su morali poštovati
kompliciranije politike,
kompliciranije politike,
06:00
and this was very similar to the CMU policy,
152
348754
2537
slične onima na CMU-u,
06:03
that it had to have eight characters
153
351291
1934
gdje je moralo biti osam znakova
06:05
including uppercase, lowercase, digit, symbol,
154
353225
2376
uključujući velika i mala slova,
broj i simbol,
broj i simbol,
06:07
and pass a dictionary check.
155
355601
2389
i proći provjeru rječnika.
06:09
And one of the other policies we tried,
156
357990
1335
Testirali smo još jednu politiku,
06:11
and there were a whole bunch more,
157
359325
1270
a bilo ih je puno više,
06:12
but one of the ones we tried was called Basic16,
158
360595
2240
bila je Basic16,
06:14
and the only requirement here
159
362835
2632
s pravilom da
06:17
was that your password had
to have at least 16 characters.
to have at least 16 characters.
160
365467
3153
lozinka mora imati najmanje 16 znakova.
06:20
All right, so now we had 5,000 passwords,
161
368620
2458
Dakle, skupili smo 5.000 lozinki,
06:23
and so we had much more detailed information.
162
371078
3563
imali smo detaljne informacije.
06:26
Again we see that there's only a small number
163
374641
2559
Ponovno smo uvidjeli da postoji mali
06:29
of symbols that people are actually using
164
377200
1915
broj simbola koje korisnici koriste
06:31
in their passwords.
165
379115
1886
u svojim lozinkama.
06:33
We also wanted to get an idea of how strong
166
381001
2599
Isto tako, željeli smo dobiti ideju
06:35
the passwords were that people were creating,
167
383600
2771
koliko jake lozinke korisnici kreiraju.
06:38
but as you may recall, there isn't a good measure
168
386371
2620
Ali, ako se sjećate, ne postoji
06:40
of password strength.
169
388991
1754
pouzdana mjera jačine lozinke.
06:42
So what we decided to do was to see
170
390745
2312
Zato smo odlučili otkriti
06:45
how long it would take to crack these passwords
171
393057
2370
koliko vremena treba za
razbijanje lozinke,
razbijanje lozinke,
06:47
using the best cracking tools
172
395427
1414
koristeći najbolje
alate za razbijanje lozinki,
alate za razbijanje lozinki,
06:48
that the bad guys are using,
173
396841
1808
a koje koriste loši momci.
06:50
or that we could find information about
174
398649
2016
I one o kojima smo
mogli pronaći informacije
mogli pronaći informacije
06:52
in the research literature.
175
400665
1537
u literaturi.
06:54
So to give you an idea of how bad guys
176
402202
2758
Kako loši momci
06:56
go about cracking passwords,
177
404960
2170
razbijaju lozinke?
06:59
they will steal a password file
178
407130
1951
Oni kradu datoteke s lozinkama
07:01
that will have all of the passwords
179
409081
2153
koje sadrže sve lozinke
07:03
in kind of a scrambled form, called a hash,
180
411234
2889
u šifriranom, haširanom obliku.
07:06
and so what they'll do is they'll make a guess
181
414123
2562
Tada pogađaju
07:08
as to what a password is,
182
416685
1712
koja je lozinka,
07:10
run it through a hashing function,
183
418397
1897
dešifriraju je pomoću hash funkcije
07:12
and see whether it matches
184
420294
1765
kako bi vidjeli poklapa li se
07:14
the passwords they have on
their stolen password list.
their stolen password list.
185
422059
3950
s lozinkama koje su prije ukradene.
07:18
So a dumb attacker will try every password in order.
186
426009
3105
Tako će glup napadač
probavati svaku lozinku po redu.
probavati svaku lozinku po redu.
07:21
They'll start with AAAAA and move on to AAAAB,
187
429114
3568
Početi će s AAAAA, pa nastavit s AAAAB,
07:24
and this is going to take a really long time
188
432682
2418
i tako će proći puno vremena
07:27
before they get any passwords
189
435100
1526
prije nego uspije otkriti lozinku.
07:28
that people are really likely to actually have.
190
436626
2697
za koju je izgledno da ju ljudi koriste.
07:31
A smart attacker, on the other hand,
191
439323
2183
Pametan napadač,
07:33
does something much more clever.
192
441506
1386
je puno mudriji.
07:34
They look at the passwords
193
442892
1826
On provjerava nalaze li se
07:36
that are known to be popular
194
444718
1800
popularne lozinke
07:38
from these stolen password sets,
195
446518
1727
među ukradenim setovima lozinki.
07:40
and they guess those first.
196
448245
1189
Njih će prve pogađati.
07:41
So they're going to start by guessing "password,"
197
449434
2134
Krenuti će s "password" (eng. lozinka),
07:43
and then they'll guess "I love you," and "monkey,"
198
451568
2751
nakon toga s "Volim te", "majmun"
07:46
and "12345678,"
199
454319
2583
i "12345678".
07:48
because these are the passwords
200
456902
1312
Jer su ovo lozinke koje
07:50
that are most likely for people to have.
201
458214
1905
će koristiti najviše ljudi.
07:52
In fact, some of you probably have these passwords.
202
460119
3261
Zapravo, vjerojatno netko
od vas ih vjerojatno ima.
od vas ih vjerojatno ima.
07:57
So what we found
203
465191
1298
Što smo otkrili
07:58
by running all of these 5,000 passwords we collected
204
466489
3406
testirajući tih 5000 lozinki
koje smo prikupili,
koje smo prikupili,
08:01
through these tests to see how strong they were,
205
469895
4106
kako bismo otkrili koliko su jake,
08:06
we found that the long passwords
206
474001
2752
jest to da su duge lozinke
08:08
were actually pretty strong,
207
476753
1280
poprilično jake,
08:10
and the complex passwords were pretty strong too.
208
478033
3262
isto kao i kompleksne.
08:13
However, when we looked at the survey data,
209
481295
2442
Međutim, kada smo
proučavali podatke iz anketa,
proučavali podatke iz anketa,
08:15
we saw that people were really frustrated
210
483737
3024
otkrili smo frustriranost ljudi
08:18
by the very complex passwords,
211
486761
2339
kompleksnim lozinkama,
08:21
and the long passwords were a lot more usable,
212
489100
2630
i duge lozinke su puno više primjenjive,
08:23
and in some cases, they were actually
213
491730
1325
a u nekim slučajevima,
08:25
even stronger than the complex passwords.
214
493055
2908
su i jače nego kompleksne.
08:27
So this suggests that,
215
495963
1169
Zaključak koji se nameće je da
08:29
instead of telling people that they need
216
497132
1703
umjesto zahtijevanja da
08:30
to put all these symbols and numbers
217
498835
1522
lozinke moraju sadržavati
08:32
and crazy things into their passwords,
218
500357
2842
sve te simbole, brojeve i lude stvari,
08:35
we might be better off just telling people
219
503199
2022
bolje bi bilo da zahtijevamo da
08:37
to have long passwords.
220
505221
2652
imaju duge lozinke.
08:39
Now here's the problem, though:
221
507873
1792
Ali, u ovome je problem:
08:41
Some people had long passwords
222
509665
2255
Neki ljudi su imali duge lozinke
08:43
that actually weren't very strong.
223
511920
1555
koje zapravo i nisu baš jake.
08:45
You can make long passwords
224
513475
1997
Možeš kreirati dugu lozinku
08:47
that are still the sort of thing
225
515472
1556
koju će napadač svejedno
08:49
that an attacker could easily guess.
226
517028
1742
vrlo lako pogoditi.
08:50
So we need to do more than
just say long passwords.
just say long passwords.
227
518770
3365
Tako da trebamo puno više
od samo duge lozinke.
od samo duge lozinke.
08:54
There has to be some additional requirements,
228
522135
1936
Moraju postojati još neki uvjeti
08:56
and some of our ongoing research is looking at
229
524071
2969
i istraživanje koje trenutno
provodimo promatra
provodimo promatra
08:59
what additional requirements we should add
230
527040
2439
koji su to dodatni uvjeti
koje moramo dodati
koje moramo dodati
09:01
to make for stronger passwords
231
529479
2104
za jake lozinke,
09:03
that also are going to be easy for people
232
531583
2312
koje će bit lako pamtljive
09:05
to remember and type.
233
533895
2698
i koje će biti lako upisivati.
09:08
Another approach to getting people to have
234
536593
2126
Jedan od pristupa je
09:10
stronger passwords is to use a password meter.
235
538719
2257
korištenje lozinkomjera.
09:12
Here are some examples.
236
540976
1385
Evo nekih primjera.
09:14
You may have seen these on the Internet
237
542361
1401
Možda ste to vidjeli na Internetu
09:15
when you were creating passwords.
238
543762
3057
kada kreirate lozinke.
09:18
We decided to do a study to find out
239
546819
2248
Istraživali smo
09:21
whether these password meters actually work.
240
549067
2887
funkcioniraju li ti lozinkomjeri.
09:23
Do they actually help people
241
551954
1421
Pomažu li korisnicima
09:25
have stronger passwords,
242
553375
1453
pri kreiranju jačih lozinki,
09:26
and if so, which ones are better?
243
554828
2086
i ako da, koje su bolje?
09:28
So we tested password meters that were
244
556914
2507
Testirali smo te lozinkomjere
09:31
different sizes, shapes, colors,
245
559421
2098
različitih veličina, oblika, boja
09:33
different words next to them,
246
561519
1416
s različitim riječima,
09:34
and we even tested one that was a dancing bunny.
247
562935
3275
čak smo i testirali onog koji
je u obliku zečića koji pleše.
je u obliku zečića koji pleše.
09:38
As you type a better password,
248
566210
1582
Što je lozinka bolja
09:39
the bunny dances faster and faster.
249
567792
2539
zeko pleše brže i brže.
09:42
So this was pretty fun.
250
570331
2529
Ovo je bilo zabavno.
09:44
What we found
251
572860
1567
Otkrili smo da
09:46
was that password meters do work.
252
574427
3572
lozinkomjeri zbilja funkcioniraju.
09:49
(Laughter)
253
577999
1801
(Smijeh)
09:51
Most of the password meters were actually effective,
254
579800
3333
Većina njih je zapravo vrlo učinkovita,
09:55
and the dancing bunny was very effective too,
255
583133
2521
čak i zeko koji pleše je učinkovit,
09:57
but the password meters that were the most effective
256
585654
2881
ali oni koji su najučinkovitiji
10:00
were the ones that made you work harder
257
588535
2355
su oni koji te natjeraju na razmišljanje
10:02
before they gave you that thumbs up and said
258
590890
1980
prije nego ti daju odobrenje
10:04
you were doing a good job,
259
592870
1377
i pohvale te.
10:06
and in fact we found that most
260
594247
1512
Saznali smo da je većina
10:07
of the password meters on the Internet today
261
595759
2281
lozinkomjera na Internetu danas
10:10
are too soft.
262
598040
952
previše popustljiva.
10:10
They tell you you're doing a good job too early,
263
598992
2203
Prerano će te pohvaliti,
10:13
and if they would just wait a little bit
264
601195
1929
a da pričekaju samo malo
10:15
before giving you that positive feedback,
265
603124
2049
s pozitivnom povratnom informacijom,
10:17
you probably would have better passwords.
266
605173
3160
vjerojatno biste imali bolje lozinke.
10:20
Now another approach to better passwords, perhaps,
267
608333
3847
Drugi pristup za kreiranje
boljih lozinki, je možda,
boljih lozinki, je možda,
10:24
is to use pass phrases instead of passwords.
268
612180
2890
korištenje frazi umjesto lozinki.
10:27
So this was an xkcd cartoon
from a couple of years ago,
from a couple of years ago,
269
615070
3418
Ovo je xkcd strip star nekoliko godina
10:30
and the cartoonist suggests
270
618488
1674
gdje crtač predlaže
10:32
that we should all use pass phrases,
271
620162
2196
da bismo trebali
koristiti fraze kao lozinke,
koristiti fraze kao lozinke,
10:34
and if you look at the second row of this cartoon,
272
622358
3170
i ako pogledate drugi red crteža,
10:37
you can see the cartoonist is suggesting
273
625528
1857
vidjeti ćete crtačevu ideju
10:39
that the pass phrase "correct horse battery staple"
274
627385
3441
da bi fraza
"ispravan konj baterija spajalica"
"ispravan konj baterija spajalica"
10:42
would be a very strong pass phrase
275
630826
2481
bila vrlo jaka fraza-lozinka
10:45
and something really easy to remember.
276
633307
1916
i lako pamtljiva.
10:47
He says, in fact, you've already remembered it.
277
635223
2797
On kaže, zapravo,
da ste je već zapamtili.
da ste je već zapamtili.
10:50
And so we decided to do a research study
278
638020
2150
Tako smo se odlučili za istraživanje
10:52
to find out whether this was true or not.
279
640170
2592
kako bismo otkrili je li to istina.
10:54
In fact, everybody who I talk to,
280
642762
1775
Zapravo, svi s kojima sam razgovarala,
10:56
who I mention I'm doing password research,
281
644537
2042
a spomenula sam im istraživanje
10:58
they point out this cartoon.
282
646579
1400
su spomenuli taj strip.
10:59
"Oh, have you seen it? That xkcd.
283
647979
1574
"Vidjela si ga? Taj xkcd.
11:01
Correct horse battery staple."
284
649553
1602
Ispravan konj baterija spajalica."
11:03
So we did the research study to see
285
651155
1806
Proveli smo istraživanje
11:04
what would actually happen.
286
652961
2359
kako bismo vidjeli što bi se dogodilo.
11:07
So in our study, we used Mechanical Turk again,
287
655320
3060
Ponovno smo koristili Mechanical Turk,
11:10
and we had the computer pick the random words
288
658380
4167
a računalo je nasumice izabiralo riječi
11:14
in the pass phrase.
289
662547
1100
za frazu-lozinku.
11:15
Now the reason we did this
290
663647
1153
Razlog za to je taj
11:16
is that humans are not very good
291
664800
1586
što ljudi nisu osobito dobri
11:18
at picking random words.
292
666386
1384
u odabiru slučajnih i nasumičnih riječi.
11:19
If we asked a human to do it,
293
667770
1262
Da smo ljude pitali da ih sami odaberu,
11:21
they would pick things that were not very random.
294
669032
2998
oni bi odabrali riječi koje
nisu nimalo nasumične.
nisu nimalo nasumične.
11:24
So we tried a few different conditions.
295
672030
2032
Koristili smo nekoliko uvjetovanja.
11:26
In one condition, the computer picked
296
674062
2090
U jednom je računalo odabiralo
11:28
from a dictionary of the very common words
297
676152
2216
iz rječnika vrlo čestih riječi
11:30
in the English language,
298
678368
1362
u engleskom jeziku,
11:31
and so you'd get pass phrases like
299
679730
1764
pa smo dobili fraze-lozinke kao što je
11:33
"try there three come."
300
681494
1924
"probati ondje tri dolaze".
11:35
And we looked at that, and we said,
301
683418
1732
Kada smo to vidjeli, pomislili smo
11:37
"Well, that doesn't really seem very memorable."
302
685150
3050
da se to ne čini baš jako pamtljivo.
11:40
So then we tried picking words
303
688200
2240
Nakon toga smo odabirali riječi
11:42
that came from specific parts of speech,
304
690440
2521
koje dolaze iz specifičnih
dijelova govora,
dijelova govora,
11:44
so how about noun-verb-adjective-noun.
305
692961
2182
i formu imenica-glagol-pridjev-imenica.
11:47
That comes up with something
that's sort of sentence-like.
that's sort of sentence-like.
306
695143
2577
To je sada već izgledalo kao rečenica.
11:49
So you can get a pass phrase like
307
697720
2070
Fraze-lozinke su zvučale kao
11:51
"plan builds sure power"
308
699790
1308
"plan gradi sigurnu energiju"
11:53
or "end determines red drug."
309
701098
2786
ili "kraj određuje crveni lijek".
11:55
And these seemed a little bit more memorable,
310
703884
2676
Ove su se činile više pamtljive,
11:58
and maybe people would like those a little bit better.
311
706560
2822
možda će se ispitanicima više svidjeti.
12:01
We wanted to compare them with passwords,
312
709382
2572
Željeli smo ih usporediti s lozinkama,
12:03
and so we had the computer
pick random passwords,
pick random passwords,
313
711954
3196
imali smo računalo koje generira lozinke
12:07
and these were nice and short, but as you can see,
314
715150
1990
koje, iako su bile kratke i drage,
12:09
they don't really look very memorable.
315
717140
2806
nisu izgledale jako pamtljive.
12:11
And then we decided to try something called
316
719946
1396
Odlučili smo probati nešto što se zove
12:13
a pronounceable password.
317
721342
1646
izgovorljiva lozinka.
12:14
So here the computer picks random syllables
318
722988
2245
Računalo odabire slučajne slogove
12:17
and puts them together
319
725233
1134
i slaže ih zajedno
12:18
so you have something sort of pronounceable,
320
726367
2475
tako da se dobije nešto
što je donekle izgovorljivo
što je donekle izgovorljivo
12:20
like "tufritvi" and "vadasabi."
321
728842
2602
kao "tufritvi" i "vadasabi".
12:23
That one kind of rolls off your tongue.
322
731444
2147
Na tome se zbilja lomi jezik.
12:25
So these were random passwords that were
323
733591
2216
To su bile nasumične lozinke koje
12:27
generated by our computer.
324
735807
2744
je generiralo računalo.
12:30
So what we found in this study was that, surprisingly,
325
738551
2978
Ono što smo otkrili bilo je iznenađujuće
12:33
pass phrases were not actually all that good.
326
741529
3768
fraze-lozinke nisu se iskazale.
12:37
People were not really better at remembering
327
745297
2793
Ispitanici nisu bolje pamtili
12:40
the pass phrases than these random passwords,
328
748090
2953
fraze-lozinke od onih nasumičnih lozinki.
12:43
and because the pass phrases are longer,
329
751043
2754
A kako su bile i duže,
12:45
they took longer to type
330
753797
1226
bilo je potrebno puno više
vremena za njihovo upisivanje
vremena za njihovo upisivanje
12:47
and people made more errors while typing them in.
331
755023
3010
i ispitanici su radili više
greški dok su ih upisivali.
greški dok su ih upisivali.
12:50
So it's not really a clear win for pass phrases.
332
758033
3227
Tako da fraze-lozinke nisu pobijedile.
12:53
Sorry, all of you xkcd fans.
333
761260
3345
Žao mi je, xkcd fanovi.
12:56
On the other hand, we did find
334
764605
1892
S druge strane, otkrili smo
12:58
that pronounceable passwords
335
766497
1804
da su izgovorljive lozinke
13:00
worked surprisingly well,
336
768301
1471
funkcionirale jako dobro
13:01
and so we actually are doing some more research
337
769772
2418
tako da radimo još jedno istraživanje
13:04
to see if we can make that
approach work even better.
approach work even better.
338
772190
3195
kako bismo otkrili možemo
li tako riješiti bolje problem.
li tako riješiti bolje problem.
13:07
So one of the problems
339
775385
1812
Jedan od problema
13:09
with some of the studies that we've done
340
777197
1623
s tim istraživanjima je
13:10
is that because they're all done
341
778820
1683
taj što su rezultati dobiveni
13:12
using Mechanical Turk,
342
780503
1590
pomoću Mechanical Turka,
13:14
these are not people's real passwords.
343
782093
1812
odnosno, to nisu prave lozinke.
13:15
They're the passwords that they created
344
783905
2105
To su lozinke koje koje su
korisnici kreirali
korisnici kreirali
13:18
or the computer created for them for our study.
345
786010
2495
ili je računalo generiralo
za potrebe istraživanja.
za potrebe istraživanja.
13:20
And we wanted to know whether people
346
788505
1568
Mi smo željeli znati bi li se
13:22
would actually behave the same way
347
790073
2312
ispitanici jednako ponašali
13:24
with their real passwords.
348
792385
2227
kada bi morali kreirati prave lozinke.
13:26
So we talked to the information
security office at Carnegie Mellon
security office at Carnegie Mellon
349
794612
3681
Zato smo razgovarali s Uredom
za informacijsku sigurnost na CMU-u
za informacijsku sigurnost na CMU-u
13:30
and asked them if we could
have everybody's real passwords.
have everybody's real passwords.
350
798293
3803
i pitali ih možemo li dobiti
prave lozinke korisnika.
prave lozinke korisnika.
13:34
Not surprisingly, they were a little bit reluctant
351
802096
1754
Nije iznenađenje da nisu
13:35
to share them with us,
352
803850
1550
željeli podijeliti ih s nama,
13:37
but we were actually able to work out
353
805400
1810
ali smo uspjeli smisliti
13:39
a system with them
354
807210
1040
sustav s njima
13:40
where they put all of the real passwords
355
808250
2109
u kojem su sve prave lozinke
13:42
for 25,000 CMU students, faculty and staff,
356
810359
3091
25.000 studenata, profesora i osoblja,
13:45
into a locked computer in a locked room,
357
813450
2448
pohranili u zaključano računalo,
u zaključanu sobu,
u zaključanu sobu,
13:47
not connected to the Internet,
358
815898
1394
koja nije povezana na Internet,
13:49
and they ran code on it that we wrote
359
817292
1848
i provukli kroz kod koji smo mi napisali
13:51
to analyze these passwords.
360
819140
2152
za analizu lozinki.
13:53
They audited our code.
361
821292
1326
Oni su provjerili naš kod.
13:54
They ran the code.
362
822618
1312
Oni su ubacili kod.
13:55
And so we never actually saw
363
823930
1738
Tako da mi zapravo nismo vidjeli
13:57
anybody's password.
364
825668
2817
ničiju lozinku.
14:00
We got some interesting results,
365
828485
1515
Dobili smo zanimljive rezultate.
14:02
and those of you Tepper students in the back
366
830000
1696
Studentima na Tepperu, koji sjede iza
14:03
will be very interested in this.
367
831696
2875
će ovo biti jako zanimljivo.
14:06
So we found that the passwords created
368
834571
3731
Dakle, otkrili smo da su
lozinke koje su kreirali
lozinke koje su kreirali
14:10
by people affiliated with the
school of computer science
school of computer science
369
838302
2158
studenti informatike
14:12
were actually 1.8 times stronger
370
840460
2324
1,8 puta jače
14:14
than those affiliated with the business school.
371
842784
3738
od onih koje su kreirali
studenti ekonomije.
studenti ekonomije.
14:18
We have lots of other really interesting
372
846522
2040
Također smo dobili puno zanimljivih
14:20
demographic information as well.
373
848562
2238
demografskih informacija.
14:22
The other interesting thing that we found
374
850800
1846
Zanimljivo je otkriće da
14:24
is that when we compared
the Carnegie Mellon passwords
the Carnegie Mellon passwords
375
852646
2440
kada smo usporedili lozinke sveučilišta
14:27
to the Mechanical Turk-generated passwords,
376
855086
2283
s onima s Mechanical Turka,
14:29
there was actually a lot of similarities,
377
857369
2619
pronašli smo puno sličnosti.
14:31
and so this helped validate our research method
378
859988
1948
To je potvrdilo naše istraživačke metode
14:33
and show that actually, collecting passwords
379
861936
2510
i pokazalo da je prikupljanje lozinki
14:36
using these Mechanical Turk studies
380
864446
1808
za istraživanje
koristeći Mechanical Turk
koristeći Mechanical Turk
14:38
is actually a valid way to study passwords.
381
866254
2788
dobar način za proučavanje lozinki.
14:41
So that was good news.
382
869042
2285
To su bile dobre vijesti.
14:43
Okay, I want to close by talking about
383
871327
2414
U redu, željela bih zaključiti
14:45
some insights I gained while on sabbatical
384
873741
2068
s nekoliko stvari koje sam uvidjela
dok sam bila prošle godine
dok sam bila prošle godine
14:47
last year in the Carnegie Mellon art school.
385
875809
3201
na slobodnoj godini na umjetničkom
odsjeku Carnegie Mellon-a.
odsjeku Carnegie Mellon-a.
14:51
One of the things that I did
386
879010
1281
Jedna od stvari koje sam napravila
14:52
is I made a number of quilts,
387
880291
1524
je da sam napravila nekoliko popluna.
14:53
and I made this quilt here.
388
881815
1548
I ovaj ovdje.
14:55
It's called "Security Blanket."
389
883363
1899
Zove se "Sigurnosna dekica".
14:57
(Laughter)
390
885262
2431
(Smijeh)
14:59
And this quilt has the 1,000
391
887693
3095
Taj poplun ima 1.000
15:02
most frequent passwords stolen
392
890788
2328
lozinki koje se najčešće ukradu,
15:05
from the RockYou website.
393
893116
2571
a nalaze se na stranici RockYou.
15:07
And the size of the passwords is proportional
394
895687
2061
Veličina lozinke je proporcionalna
15:09
to how frequently they appeared
395
897748
1901
učestalosti njezina pojavljivanja
15:11
in the stolen dataset.
396
899649
2248
u setovima ukradenih lozinki.
15:13
And what I did is I created this word cloud,
397
901897
2632
Stvorila sam ovaj oblak riječi,
15:16
and I went through all 1,000 words,
398
904529
2132
proučila svih tih 1.000 riječi,
15:18
and I categorized them into
399
906661
1795
i kategorizirala ih
15:20
loose thematic categories.
400
908456
2380
u okvirne tematske kategorije.
15:22
And it was, in some cases,
401
910836
1903
U nekim slučajevima
15:24
it was kind of difficult to figure out
402
912739
2038
je bilo teško odrediti
15:26
what category they should be in,
403
914777
1755
kojoj bi kategoriji trebali pripadati.
15:28
and then I color-coded them.
404
916532
1899
Isto tako sam im pridružila boju.
15:30
So here are some examples of the difficulty.
405
918431
2619
Ovo je nekoliko primjera onih teških.
15:33
So "justin."
406
921050
1181
Na primjer "justin".
15:34
Is that the name of the user,
407
922231
1829
Je li to ime korisnika,
15:36
their boyfriend, their son?
408
924060
1322
korisnikova dečka ili sina?
15:37
Maybe they're a Justin Bieber fan.
409
925382
2888
Možda je korisnik
samo fan Justina Bibera.
samo fan Justina Bibera.
15:40
Or "princess."
410
928270
2225
Ili "princess".
15:42
Is that a nickname?
411
930495
1635
Je li to nadimak?
15:44
Are they Disney princess fans?
412
932130
1595
Ili se radi o fanu princeza
iz Disneyjevih bajki.
iz Disneyjevih bajki.
15:45
Or maybe that's the name of their cat.
413
933725
3694
Može biti i ime mačke.
15:49
"Iloveyou" appears many times
414
937419
1655
"Volimte" se često pojavljuje
15:51
in many different languages.
415
939074
1545
na različitim jezicima.
15:52
There's a lot of love in these passwords.
416
940619
3735
Puno je ljubavi u lozinkama.
15:56
If you look carefully, you'll see there's also
417
944354
1680
Ako pažljivo promatrate,
15:58
some profanity,
418
946034
2267
vidjeti ćete i vulgarnosti.
16:00
but it was really interesting to me to see
419
948301
1950
Ali mi je zanimljivo vidjeti
16:02
that there's a lot more love than hate
420
950251
2307
da je puno više ljubavi nego mržnje
16:04
in these passwords.
421
952558
2292
u lozinkama.
16:06
And there are animals,
422
954850
1490
Također, tu su i životinje,
16:08
a lot of animals,
423
956340
1360
puno je životinja,
16:09
and "monkey" is the most common animal
424
957700
2304
"majmun" je najčešća životinja
16:12
and the 14th most popular password overall.
425
960004
3675
i 14. najpopularnija lozinka ukupno.
16:15
And this was really curious to me,
426
963679
2231
A to mi je bilo jako zanimljivo,
16:17
and I wondered, "Why are monkeys so popular?"
427
965910
2523
pitala sam se zašto su
majmuni toliko popularni.
majmuni toliko popularni.
16:20
And so in our last password study,
428
968433
3352
Zato smo u zadnjem istraživanju,
16:23
any time we detected somebody
429
971785
1686
svaki put kada bismo detektirali
16:25
creating a password with the word "monkey" in it,
430
973471
2649
kreiranje lozinke s riječi "majmun",
16:28
we asked them why they had
a monkey in their password.
a monkey in their password.
431
976120
3030
pitali ispitanika zašto njihova
lozinka ima majmuna u sebi.
lozinka ima majmuna u sebi.
16:31
And what we found out --
432
979150
1910
i otkrili smo,
16:33
we found 17 people so far, I think,
433
981060
2103
mislim da zasada imamo 17-tero njih,
16:35
who have the word "monkey" --
434
983163
1283
s riječi "majmun" u lozinki.
16:36
We found out about a third of them said
435
984446
1812
Otkrili smo da trećina njih
16:38
they have a pet named "monkey"
436
986258
1740
ima ljubimca koji se zove "majmun",
16:39
or a friend whose nickname is "monkey,"
437
987998
2291
ili prijatelja čiji je nadimak "majmun".
16:42
and about a third of them said
438
990289
1660
Trećina njih je rekla
16:43
that they just like monkeys
439
991949
1533
da vole majmune
16:45
and monkeys are really cute.
440
993482
1638
i da su im oni baš slatki.
16:47
And that guy is really cute.
441
995120
3639
Ovaj stvarno je sladak.
16:50
So it seems that at the end of the day,
442
998759
3408
Tako, sve u svemu, čini se da
16:54
when we make passwords,
443
1002167
1783
kada kreiramo lozinke,
16:55
we either make something that's really easy
444
1003950
1974
mi ili smislimo nešto
što je vrlo jednostavno
što je vrlo jednostavno
16:57
to type, a common pattern,
445
1005924
3009
za napisati, nekakav poznati uzorak,
17:00
or things that remind us of the word password
446
1008933
2486
ili nešto na što nas
podsjeća riječ lozinka,
podsjeća riječ lozinka,
17:03
or the account that we've created the password for,
447
1011419
3312
ili račun za koji stvaramo lozinku.
17:06
or whatever.
448
1014731
2617
ili kakogod.
17:09
Or we think about things that make us happy,
449
1017348
2642
Ili razmišljamo o stvarima
koje nas čine sretnima
koje nas čine sretnima
17:11
and we create our password
450
1019990
1304
pa kreiramo lozinke
17:13
based on things that make us happy.
451
1021294
2238
bazirane na stvarima
koje nas čine sretnima.
koje nas čine sretnima.
17:15
And while this makes typing
452
1023532
2863
Iako je time upisivanje
17:18
and remembering your password more fun,
453
1026395
2870
i prisjećanje lozinke, zabavnije,
17:21
it also makes it a lot easier
454
1029265
1807
također je i jednostavnije
17:23
to guess your password.
455
1031072
1506
tako pogoditi vašu lozinku.
17:24
So I know a lot of these TED Talks
456
1032578
1748
Znam da je smisao TEDTalk-a
17:26
are inspirational
457
1034326
1634
da vas inspiriraju
17:27
and they make you think about nice, happy things,
458
1035960
2461
i da mislite o lijepim, stvarima
koje vas čine sretnim,
koje vas čine sretnim,
17:30
but when you're creating your password,
459
1038421
1897
ali kada kreirate lozinku,
17:32
try to think about something else.
460
1040318
1991
pokušajte razmišljati o nečemu drugome.
17:34
Thank you.
461
1042309
1107
Hvala.
17:35
(Applause)
462
1043416
553
(Pljesak)
ABOUT THE SPEAKER
Lorrie Faith Cranor - Security researcherAt Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online.
Why you should listen
Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics.
Cranor plays a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P. She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review.
Lorrie Faith Cranor | Speaker | TED.com