
Generating strong passwords with Diceware – 译学馆

Generating strong passwords with Diceware

Diceware & Passwords - Computerphile

We've done a few videos on passwords, cracking passwords, choosing good passwords. And I've had a few requests, both by email and, you know, Twitter and in the comments, about a password-choosing mechanism called Diceware. So I thought we'd look at this and think about what the pros and cons are of this quite interesting system for choosing passwords. So here's my nice unbiased casino dice that I got just for this occasion. I was quite excited; apparently this dice is not biased towards rolling a six, which actually would just mean my performance in games goes down.

When we spoke about passwords last time, my hypothetical password mechanism was something like four random words with a bit of symbolic, symbols added in maybe randomly in the middle of a word. Now I chose that because I felt it was a nice compromise between having to type something in that's really, really long, and having something that's not too hard to remember but also quite hard to break. Now Diceware is in some sense quite similar to this scheme, but it's perhaps more mathematically defined exactly how hard it is to break, which is why people like it. Because I think the question comes down to, in my scheme, if I pick four random words, how random are those words truly? If an attacker wanted to brute force my password, and they know for example that I'm using four words appended together, then what they're going to want to do is try and work out the list of all the words I might have used. Now I try and throw them off a bit by using slightly odd words, but I'm a bit weird. But for the majority of people, let's imagine that everyone in the country, everyone in the world, is using this password scheme: lots of people are going to pick really easy words. You know, back to the correct horse battery staple thing; xkcd alluded to this and we'll talk about that in a minute. It didn't necessarily answer every question, but it did get a good message across. The entropy, or the number of possible words that you've chosen, is going to differ from person to person. Right? If one of the words I pick is 'database', is that because I've picked that right out at random? Or is it because it says "databases" on this book up here, and I accidentally saw it in the corner of my eye?

Don't pan to the bit with no books on it. Yeah, I'm just looking at your collection of cubes. All solved! That's how I roll.

So what does Diceware do? The website was established in 1995 by a guy called Reinhold from the United States. What it is is a way of using dice to ensure that the words you're picking are actually random rather than just what you think is random. And that way we have a very nicely defined, should we say, mathematical difficulty for brute forcing that password. So this is the Diceware list, but I guess it's a kind of compromise between the number of dice you just have to roll incessantly to come up with passwords and being fairly quick. But there are 7776 words on this, which is all the different combinations of five dice rolls, right? Now, so that's why I've got my nice unbiased dice. We don't want to be accidentally biasing me towards the end of this document, for example.

So as an example, we roll the dice. It's a 5. Each of these has 5 numbers from 1 to 6 in front of the word, which tells you which word you're going to pick. So these are the fours, I'm on to the fives. There's the start of the fives there. Then roll the dice again. It's a 6. So I'm now on to the five-sixes, which is here. And then again: 5 6 4, 5, 1. 5 6 4 5 1 is the word 'tapir'. As in the animal with the snout. So that's the first word of my password. So let me write that down. This could take a little while. This is where you need to use all of your video editing skills. 'tapir'. Right. Let's do this again. Okay, 1 3 2 1 3. If you've done this a lot of times, maybe it'd be faster. 1 3 2 1 3. There we are, 'backup', nice. 5 1 3 3. What is it? 1 5 1 3 3 1. How many times have you got to do this? Good question. 'rand', interesting. 'r-a-n-d'. Ah, South African currency? Yeah? And also short for 'random', which is what we're doing now. 5 2 4 6 2, 'rw', interesting, read/write. Yeah? So not all of these are full words. That's one of the things about this. 3 6, having been into 3. It's quite exciting. 3 6 4 2 2, 3 6 4 2 2. They're guaranteed to be unbiased, I think. But then I got them cheaply off the internet, so I don't actually know. Okay, so let's stop. Let's stop there. I'm done. I've got five words.

Right now, is this password really good? Well, the first thing to notice, but what you don't want to do when you're picking a password is record it on video and show it on the internet. So I probably won't put this as my actual password. But there will be a few people that try nonetheless. We've rolled the dice five times per word, we find the word and then we put spaces in between it, and that's our passphrase, right? So that is literally our password then, for whatever purpose we want.

Why is this better than what I was doing? Well, it's different, mostly. There's a few questions we've got, right? The first is "Is this a reasonable password in terms of strength?" Also, "How practical is it to type in?" Right? It took a little while to generate. But if you're doing it a couple of times for the front end of a password manager, maybe that's not such a big deal. One thing that's worth noting is that this isn't all the words in the English language. This is a carefully chosen 7700 words, but a knife is short. So most of the words are fewer than 5 characters. There's a few really short ones, the idea being that even if you've got a 5 word or 6 word passphrase, it's never going to get that long. You should get quite quick at typing it in. But the real benefit of this system is that these are actually random, as opposed to what I've perceived to be random. Because I thought of a word in my head, which might have been a word that I happened to see on the side of a bus this morning.

In the previous videos we talked about brute forcing, about not knowing what any of the characters were, and how we make it easier for the attacker by using a dictionary of known words. Yeah. So this is literally providing the dictionary. Right. Yeah. That's the drawback in some sense, and the strength. So we know exactly what words could appear in my passphrase. But even so we still can't break it, because I've used too many of them. So in some password schemes, like ones where I pick words at random from a dictionary in my own brain, I'm working under the assumption that that's secure because no one else knows how it works. No one can reverse-engineer that process. That might be true, it might not be true. It depends how well you know me. This process is extremely open: everyone knows what the password list was. Everyone knows what my password is going to be like. But they still can't break it, because it's 2 to the 64 operations, which is too much. What we don't want is security through obscurity, right. If I only use a 500 word dictionary, right, that's fine as long as I keep that dictionary secret. But it doesn't seem like a very good idea, because then that dictionary might accidentally come out, and then it would be incredibly easy to break my password.

So what is the strength of this password? Well, each of these words has come from 7776, right. So we can assume that the attacker knows that I'm using this password scheme. So they know my password is 5 words separated by spaces, which adds nothing, because they know what the spaces are, out of a possible 7776. So the strength of this password is actually 7776 to the 5. So another way of looking at it isn't how many bits of entropy does this password have. A lot of the time, that's how we view passwords. Each of these words is 12.9 bits. So 12.9 times 5 words is 64.5 bits, which is pretty good actually. That means that on average an attacker is going to have to do about 2 to the 63, 2 to just under 64 operations to guess your password in brute force. That's quite a lot of operations, particularly given they're going to have to perform some hash to do this. The nice thing about this password scheme is we know exactly how secure it is, right? As opposed to we're guessing that the words aren't just words I know, and someone can social engineer those words. And also if we want it to be more secure, we can just add another word, or another word. As computational power goes up, we just add more words. And we can probably remember a few words, or if they get really long, write them down and put it in our wallet. Don't lose it.

I'm guessing as well you could potentially vary the whole spaces thing, right? Yeah. So the spaces thing is not hugely important. The reason it's there is because sometimes you might accidentally join two words together, and they might actually be a different word on here, in which case your search has gone down to four words, right? So if you're being careful that these are all actually different words, and they don't concatenate to make another word, you don't need the spaces. Or you could use a different character. You could also do what I did, and use fewer words, and put a random character in, right? Now on the website, he has plenty of ways of loading dice and also choosing random characters. Because again, when I pick a symbol, it's often, you know, a star or an ampersand or an underscore. Those aren't all the characters that exist.

So it's a really interesting twist on picking passwords. This came about, you know, a few years ago now, where maybe a four word password was reasonable. Now in some sense you can't imagine that seven or eight or nine word passwords are that feasible for the majority of users. There has to be some usability considerations. But on the other hand five's not too bad, or as I say, 4. But then make an unexpected alteration, like adding a random symbol at a random position, not between the words. And that will significantly increase the amount of time it would take to break. You can get too carried away, like with passive security. I have, and so half the time I can't log in because I get my password wrong. And so I've been... but the thing you also have to remember is that this is way beyond a normal brute-force attack by someone who just happens to have found your password hash on pastebin. Right? This is, when we're talking about five or six word passwords, we're talking about nation state level. And you've got to really wonder whether they really care about your individual password. You might still want to secure it against them anyway. That's for you to decide. But they may just visit you instead.

We'll put a link to the website in the description as well, so you can have a look through. He's considered almost every possible angle for this: so when do you add symbols, how many words is enough for the level of security you want? It's a really good, interesting look into password security. So I recommend you have a look.
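As an added example, not code from the video or from the Diceware site: a Python model of the scheme discussed above, simulating five unbiased rolls per word with a CSPRNG, computing the 12.9-bits-per-word entropy the video quotes, and checking a list for the word-concatenation problem raised in the discussion of spaces. SAMPLE_LIST is a constructed six-entry stand-in for the real 7776-word list, and all function names are my own.

```python
import math
import secrets

# Constructed stand-in for the Diceware list: 5 dice digits (1-6) -> word.
# The real list has 6**5 = 7776 entries; this one holds only the words that
# came up in the video plus two constructed entries ("back", "up") whose
# concatenation is itself a list word, to exercise the separator check.
SAMPLE_LIST = {
    "56451": "tapir", "13213": "backup", "15133": "rand", "52462": "rw",
    "11111": "back", "11112": "up",
}

def secure_die_roll() -> int:
    """One unbiased roll of a six-sided die from the OS CSPRNG (stands in for casino dice)."""
    return secrets.randbelow(6) + 1

def roll_key(roll=secure_die_roll) -> str:
    """Five rolls -> the 5-digit key the list is indexed by. `roll` is injectable so
    a scripted sequence (e.g. the 5 6 4 5 1 from the video) can be replayed."""
    digits = [roll() for _ in range(5)]
    if any(d not in range(1, 7) for d in digits):
        raise ValueError("each roll must be 1..6")
    return "".join(map(str, digits))

def passphrase(num_words: int, wordlist=SAMPLE_LIST, sep=" ", roll=secure_die_roll) -> str:
    """Roll 5 dice per word and join the looked-up words with `sep`.
    A KeyError means the key is absent from the (incomplete) list."""
    return sep.join(wordlist[roll_key(roll)] for _ in range(num_words))

def entropy_bits(num_words: int, list_size: int = 6 ** 5) -> float:
    """Entropy of num_words words drawn uniformly from list_size (12.9 bits/word for 7776)."""
    return num_words * math.log2(list_size)

def expected_guesses(num_words: int, list_size: int = 6 ** 5) -> float:
    """Average brute-force work when the attacker knows the scheme: half the keyspace."""
    return list_size ** num_words / 2

def concat_collisions(wordlist):
    """Pairs (a, b) of list words whose concatenation is also a list word. Adjacent
    in a separator-less passphrase, such a pair reads as one word fewer, which is
    why the video keeps the spaces unless the list has been checked."""
    words = set(wordlist.values())
    return sorted((a, b) for a in words for b in words if a + b in words)

if __name__ == "__main__":
    video_rolls = iter([5, 6, 4, 5, 1, 1, 3, 2, 1, 3, 1, 5, 1, 3, 3])
    print(passphrase(3, roll=lambda: next(video_rolls)))  # tapir backup rand
    print(f"{entropy_bits(5):.1f} bits, ~2^{math.log2(expected_guesses(5)):.1f} guesses")
    print(concat_collisions(SAMPLE_LIST))  # [('back', 'up')]
```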

Translation info

Video summary: Is your password secure enough?

Transcriber: collected from the web

Translator: Ayan

Reviewer: Reviewer W

Video source: https://www.youtube.com/watch?v=Pe_3cFuSw1E