下載App 希平方
攻其不背
App 開放下載中
下載App 希平方
攻其不背
App 開放下載中
IE版本不足
您的瀏覽器停止支援了😢使用最新 Edge 瀏覽器或點選連結下載 Google Chrome 瀏覽器 前往下載

免費註冊
! 這組帳號已經註冊過了
Email 帳號
密碼請填入 6 位數以上密碼
已經有帳號了?
忘記密碼
! 這組帳號已經註冊過了
您的 Email
請輸入您註冊時填寫的 Email,
我們將會寄送設定新密碼的連結給您。
寄信了!請到信箱打開密碼連結信
密碼信已寄至
沒有收到信嗎?
如果您尚未收到信,請前往垃圾郵件查看,謝謝!

恭喜您註冊成功!

查看會員功能

註冊未完成

《HOPE English 希平方》服務條款關於個人資料收集與使用之規定

隱私權政策
上次更新日期:2014-12-30

希平方 為一英文學習平台,我們每天固定上傳優質且豐富的影片內容,讓您不但能以有趣的方式學習英文,還能增加內涵,豐富知識。我們非常注重您的隱私,以下說明為當您使用我們平台時,我們如何收集、使用、揭露、轉移及儲存你的資料。請您花一些時間熟讀我們的隱私權做法,我們歡迎您的任何疑問或意見,提供我們將產品、服務、內容、廣告做得更好。

本政策涵蓋的內容包括:希平方學英文 如何處理蒐集或收到的個人資料。
本隱私權保護政策只適用於: 希平方學英文 平台,不適用於非 希平方學英文 平台所有或控制的公司,也不適用於非 希平方學英文 僱用或管理之人。

個人資料的收集與使用
當您註冊 希平方學英文 平台時,我們會詢問您姓名、電子郵件、出生日期、職位、行業及個人興趣等資料。在您註冊完 希平方學英文 帳號並登入我們的服務後,我們就能辨認您的身分,讓您使用更完整的服務,或參加相關宣傳、優惠及贈獎活動。希平方學英文 也可能從商業夥伴或其他公司處取得您的個人資料,並將這些資料與 希平方學英文 所擁有的您的個人資料相結合。

我們所收集的個人資料, 將用於通知您有關 希平方學英文 最新產品公告、軟體更新,以及即將發生的事件,也可用以協助改進我們的服務。

我們也可能使用個人資料為內部用途。例如:稽核、資料分析、研究等,以改進 希平方公司 產品、服務及客戶溝通。

瀏覽資料的收集與使用
希平方學英文 自動接收並記錄您電腦和瀏覽器上的資料,包括 IP 位址、希平方學英文 cookie 中的資料、軟體和硬體屬性以及您瀏覽的網頁紀錄。

隱私權政策修訂
我們會不定時修正與變更《隱私權政策》,不會在未經您明確同意的情況下,縮減本《隱私權政策》賦予您的權利。隱私權政策變更時一律會在本頁發佈;如果屬於重大變更,我們會提供更明顯的通知 (包括某些服務會以電子郵件通知隱私權政策的變更)。我們還會將本《隱私權政策》的舊版加以封存,方便您回顧。

服務條款
歡迎您加入看 ”希平方學英文”
上次更新日期:2013-09-09

歡迎您加入看 ”希平方學英文”
感謝您使用我們的產品和服務(以下簡稱「本服務」),本服務是由 希平方學英文 所提供。
本服務條款訂立的目的,是為了保護會員以及所有使用者(以下稱會員)的權益,並構成會員與本服務提供者之間的契約,在使用者完成註冊手續前,應詳細閱讀本服務條款之全部條文,一旦您按下「註冊」按鈕,即表示您已知悉、並完全同意本服務條款的所有約定。如您是法律上之無行為能力人或限制行為能力人(如未滿二十歲之未成年人),則您在加入會員前,請將本服務條款交由您的法定代理人(如父母、輔助人或監護人)閱讀,並得到其同意,您才可註冊及使用 希平方學英文 所提供之會員服務。當您開始使用 希平方學英文 所提供之會員服務時,則表示您的法定代理人(如父母、輔助人或監護人)已經閱讀、了解並同意本服務條款。 我們可能會修改本條款或適用於本服務之任何額外條款,以(例如)反映法律之變更或本服務之變動。您應定期查閱本條款內容。這些條款如有修訂,我們會在本網頁發佈通知。變更不會回溯適用,並將於公布變更起十四天或更長時間後方始生效。不過,針對本服務新功能的變更,或基於法律理由而為之變更,將立即生效。如果您不同意本服務之修訂條款,則請停止使用該本服務。

第三人網站的連結 本服務或協力廠商可能會提供連結至其他網站或網路資源的連結。您可能會因此連結至其他業者經營的網站,但不表示希平方學英文與該等業者有任何關係。其他業者經營的網站均由各該業者自行負責,不屬希平方學英文控制及負責範圍之內。

兒童及青少年之保護 兒童及青少年上網已經成為無可避免之趨勢,使用網際網路獲取知識更可以培養子女的成熟度與競爭能力。然而網路上的確存有不適宜兒童及青少年接受的訊息,例如色情與暴力的訊息,兒童及青少年有可能因此受到心靈與肉體上的傷害。因此,為確保兒童及青少年使用網路的安全,並避免隱私權受到侵犯,家長(或監護人)應先檢閱各該網站是否有保護個人資料的「隱私權政策」,再決定是否同意提出相關的個人資料;並應持續叮嚀兒童及青少年不可洩漏自己或家人的任何資料(包括姓名、地址、電話、電子郵件信箱、照片、信用卡號等)給任何人。

為了維護 希平方學英文 網站安全,我們需要您的協助:

您承諾絕不為任何非法目的或以任何非法方式使用本服務,並承諾遵守中華民國相關法規及一切使用網際網路之國際慣例。您若係中華民國以外之使用者,並同意遵守所屬國家或地域之法令。您同意並保證不得利用本服務從事侵害他人權益或違法之行為,包括但不限於:
A. 侵害他人名譽、隱私權、營業秘密、商標權、著作權、專利權、其他智慧財產權及其他權利;
B. 違反依法律或契約所應負之保密義務;
C. 冒用他人名義使用本服務;
D. 上載、張貼、傳輸或散佈任何含有電腦病毒或任何對電腦軟、硬體產生中斷、破壞或限制功能之程式碼之資料;
E. 干擾或中斷本服務或伺服器或連結本服務之網路,或不遵守連結至本服務之相關需求、程序、政策或規則等,包括但不限於:使用任何設備、軟體或刻意規避看 希平方學英文 - 看 YouTube 學英文 之排除自動搜尋之標頭 (robot exclusion headers);

服務中斷或暫停
本公司將以合理之方式及技術,維護會員服務之正常運作,但有時仍會有無法預期的因素導致服務中斷或故障等現象,可能將造成您使用上的不便、資料喪失、錯誤、遭人篡改或其他經濟上損失等情形。建議您於使用本服務時宜自行採取防護措施。 希平方學英文 對於您因使用(或無法使用)本服務而造成的損害,除故意或重大過失外,不負任何賠償責任。

版權宣告
上次更新日期:2013-09-16

希平方學英文 內所有資料之著作權、所有權與智慧財產權,包括翻譯內容、程式與軟體均為 希平方學英文 所有,須經希平方學英文同意合法才得以使用。
希平方學英文歡迎你分享網站連結、單字、片語、佳句,使用時須標明出處,並遵守下列原則:

  • 禁止用於獲取個人或團體利益,或從事未經 希平方學英文 事前授權的商業行為
  • 禁止用於政黨或政治宣傳,或暗示有支持某位候選人
  • 禁止用於非希平方學英文認可的產品或政策建議
  • 禁止公佈或傳送任何誹謗、侮辱、具威脅性、攻擊性、不雅、猥褻、不實、色情、暴力、違反公共秩序或善良風俗或其他不法之文字、圖片或任何形式的檔案
  • 禁止侵害或毀損希平方學英文或他人名譽、隱私權、營業秘密、商標權、著作權、專利權、其他智慧財產權及其他權利、違反法律或契約所應付支保密義務
  • 嚴禁謊稱希平方學英文辦公室、職員、代理人或發言人的言論背書,或作為募款的用途

網站連結
歡迎您分享 希平方學英文 網站連結,與您的朋友一起學習英文。

抱歉傳送失敗!

不明原因問題造成傳送失敗,請儘速與我們聯繫!
希平方 x ICRT

「Lorrie Faith Cranor:你的密碼出了什麼問題?」- What's wrong with your pa$$w0rd?

觀看次數:3110  • 

框選或點兩下字幕可以直接查字典喔!

I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security. Excuse me.

So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough.

At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol, you couldn't use the same character more than three times, and it wasn't allowed to be in a dictionary.

Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "Well, you know what? They didn't ask me."

But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy. Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy. Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason that they only have rules of thumb is it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others."

So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here."

So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week? So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them. We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords.

So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data, and so we looked around to see where could we find additional password data. So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data. So we decided that one thing we could do is we could do a study and have people actually create passwords for our study. So we used a service called Amazon Mechanical Turk, and this is a service where you can post a small job online that takes a minute, a few minutes, an hour, and pay people, a penny, ten cents, a few dollars, to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answering a survey, and then we paid them again to come back two days later and log in using their password and answering another survey. So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters. Then some people had a much harder policy, and this was very similar to the CMU policy, that it had to have eight characters including uppercase, lowercase, digit, symbol, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters.

All right, so now we had 5,000 passwords, and so we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.

So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that will have all of the passwords in kind of a scrambled form, called a hash, and so what they'll do is they'll make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are really likely to actually have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first. So they're going to start by guessing "password," and then they'll guess "I love you," and "monkey," and "12345678," because these are the passwords that are most likely for people to have. In fact, some of you probably have these passwords.

So what we found by running all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases, they were actually even stronger than the complex passwords. So this suggests that, instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords. Now here's the problem, though: Some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just say long passwords. There has to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that also are going to be easy for people to remember and type.

Another approach to getting people to have stronger passwords is to use a password meter. Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better? So we tested password meters that were different sizes, shapes, colors, different words next to them, and we even tested one that was a dancing bunny. As you type a better password, the bunny dances faster and faster. So this was pretty fun.

What we found was that password meters do work. Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you that thumbs up and said you were doing a good job, and in fact we found that most of the password meters on the Internet today are too soft. They tell you you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you probably would have better passwords.

Now another approach to better passwords, perhaps, is to use pass phrases instead of passwords. So this was an xkcd cartoon from a couple of years ago, and the cartoonist suggests that we should all use pass phrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the pass phrase "correct horse battery staple" would be a very strong pass phrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true or not. In fact, everybody who I talk to, who I mention I'm doing password research, they point out this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen.

So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the pass phrase. Now the reason we did this is that humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random. So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get pass phrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a pass phrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better. We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufritvi" and "vadasabi." That one kind of rolls off your tongue. So these were random passwords that were generated by our computer.

So what we found in this study was that, surprisingly, pass phrases were not actually all that good. People were not really better at remembering the pass phrases than these random passwords, and because the pass phrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for pass phrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we actually are doing some more research to see if we can make that approach work even better. So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're the passwords that they created or the computer created for them for our study. And we wanted to know whether people would actually behave the same way with their real passwords.

So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff, into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze these passwords. They audited our code. They ran the code. And so we never actually saw anybody's password.

We got some interesting results, and those of you Tepper students in the back will be very interested in this. So we found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school. We have lots of other really interesting demographic information as well. The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there was actually a lot of similarities, and so this helped validate our research method and show that actually, collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. So that was good news.

Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school. One of the things that I did is I made a number of quilts, and I made this quilt here. It's called "Security Blanket." And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. And the size of the passwords is proportional to how frequently they appeared in the stolen dataset. And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories. And it was, in some cases, it was kind of difficult to figure out what category they should be in, and then I color-coded them.

So here are some examples of the difficulty. So "justin." Is that the name of the user, their boyfriend, their son? Maybe they're a Justin Bieber fan. Or "princess." Is that a nickname? Are they Disney princess fans? Or maybe that's the name of their cat. "Iloveyou" appears many times in many different languages. There's a lot of love in these passwords. If you look carefully, you'll see there's also some profanity, but it was really interesting to me to see that there's a lot more love than hate in these passwords. And there are animals, a lot of animals, and "monkey" is the most common animal and the 14th most popular password overall. And this was really curious to me, and I wondered, "Why are monkeys so popular?" And so in our last password study, any time we detected somebody creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we found out—we found 17 people so far, I think, who have the word "monkey"—we found out about a third of them said they have a pet named "monkey" or a friend whose nickname is "monkey," and about a third of them said that they just like monkeys and monkeys are really cute. And that guy is really cute.

So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else.

Thank you.

播放本句

登入使用學習功能

使用Email登入

HOPE English 播放器使用小提示

  • 功能簡介

    單句重覆、重複上一句、重複下一句:以句子為單位重覆播放,單句重覆鍵顯示綠色時為重覆播放狀態;顯示白色時為正常播放狀態。按重複上一句、重複下一句時就會自動重覆播放該句。
    收錄佳句:點擊可增減想收藏的句子。

    中、英文字幕開關:中、英文字幕按鍵為綠色為開啟,灰色為關閉。鼓勵大家搞懂每一句的內容以後,關上字幕聽聽看,會發現自己好像在聽中文說故事一樣,會很有成就感喔!
    收錄單字:框選英文單字可以收藏不會的單字。
  • 分享
    如果您有收錄很優秀的句子時,可以分享佳句給大家,一同看佳句學英文!