1. Introduction & Background

Despite decades of research into alternative authentication methods, the text password remains the dominant means of authenticating to online services because it is cheap, easy to deploy and familiar to users. Passwords nevertheless suffer from well-documented weaknesses, most of them rooted in the "human factor." Users struggle to create and remember strong, unique passwords for many accounts, which leads to widespread password reuse and weak password choices.

Password managers (for example, LastPass, 1Password) are commonly recommended as the technical remedy. They promise to store credentials securely, fill login forms automatically and generate strong random passwords. Before this study, however, there was little large-scale, in-situ evidence on whether password managers actually deliver on that promise of stronger passwords and less reuse under real-world use.

This study addresses that gap with the first comprehensive investigation that directly observes and analyses the effect of password managers on users' real password practices.

2. Methodology

The study used a mixed-methods approach, combining a large-scale survey with in-situ monitoring through a custom browser plugin that captured real password behaviour.

2.1 Participant Recruitment & Data Collection

Participants were first recruited through an online survey on password creation and management, which attracted 476 respondents. Of these, 170 agreed to a second, more intrusive stage: installing a browser plugin for passive monitoring. This two-stage design ensured that the data came from engaged users for whom the actual password entry method (manager autofill versus manual entry) could be recorded accurately alongside measurements of the passwords themselves.

2.2 Browser Plugin Monitoring

A key methodological advance over prior work was a browser plugin that not only captured password metrics but also tagged every password-entry event with its entry method:

  • Autofill by a password manager
  • Manual typing by the user
  • Paste from the clipboard

This distinction is essential for attributing password characteristics (strength in particular) to the manager's influence as opposed to the user's own behaviour.

2.3 Survey Design & Analysis

The survey collected participants' demographics, general security behaviour, self-reported password-management strategies, and the type of password manager used (for example, browser-integrated, or third-party with or without a generator). These qualitative data were combined with the plugin's quantitative data to build a complete picture of the influencing factors.

Total survey participants: 476
Plugin monitoring participants: 170
Primary research questions: 2

3. Key Findings & Results

Analysis of the collected data produced several key findings that quantify the real-world effect of password managers.

3.1 Password Strength Analysis

Passwords entered or generated by password managers were, on average, significantly stronger than those created and typed manually by users. Strength was measured with entropy-based and guess-resistance metrics. An important distinction emerged, however: the benefit was most pronounced for managers that include a password generator. Managers used purely as storage often held weak, user-created passwords and delivered little security improvement.

3.2 Password Reuse Patterns

The study found that password managers reduce password reuse but do not eliminate it. Users who relied on the manager to generate and store a unique password for every site showed low reuse rates. Conversely, users who treated the manager merely as convenient storage for passwords they had created themselves continued to show high reuse across services. The manager therefore moderates the reuse problem rather than solving it.

3.3 Manager Entry versus Human Entry

By separating entry methods, the study could compare outcomes directly:

  • Manager-generated & autofilled: highest strength, highest uniqueness.
  • User-created & manager-stored/autofilled: medium strength, variable uniqueness (dependent on the user's strategy).
  • User-created & manually typed: lowest strength, most reuse.

This breakdown shows that the mere presence of a manager matters less than how it is used.

Key Takeaways

  • Password managers with a generator substantially improve password strength and uniqueness.
  • Managers without a generator often act as enablers for storing weak, reused passwords.
  • The user's strategy and use of the generator feature are the main determinants of the security benefit.
  • The "human factor" remains central; technology alone cannot guarantee security without proper use.

4. Technical Analysis & Framework

4.1 Password Metrics & Mathematical Framework

The study used standard metrics from the password-strength literature. The primary metric was guesswork: the expected number of guesses an optimal attacker needs to recover the password.

The entropy $H$ of a password drawn from a source $X$ with probability distribution $P(x)$ is: $$H(X) = -\sum_{x \in X} P(x) \log_2 P(x)$$ For a randomly generated password of length $L$ drawn uniformly from a character set of size $C$, this simplifies to: $$H = L \cdot \log_2(C)$$ This formulation was used to contrast manager-generated passwords (large $C$, uniform $P(x)$) with user-created ones (small effective $C$, heavily skewed $P(x)$). Note that $L \cdot \log_2(C)$ is only an upper bound: it is tight for uniform random choice, whereas human-chosen passwords must be scored against their structure (dictionary words, dates, keyboard patterns), which drives the effective entropy far below the bound.

4.2 Example Analysis Framework

Case Study: Evaluating a Password-Entry Event

Scenario: the plugin records a login event on `social-network.example.com`.

  1. Data capture: the plugin logs `{url: "social-network.example.com", entry_method: "auto_fill", password_hash: "abc123...", timestamp: "..."}`.
  2. Method classification: `entry_method` is tagged `auto_fill`, indicating password-manager use.
  3. Strength computation: the password's entropy is estimated by the plugin before hashing, since the stored record contains only the hash. A random string such as `k8&!pL9@qW2` (11 characters over the full printable-ASCII set) scores high, on the order of 70 bits. A password such as `Summer2024!` is scored against its predictable structure (dictionary word, year, trailing symbol), which yields a far lower effective entropy.
  4. Uniqueness check: the system checks whether the hash `abc123...` appears in the records for any other domain belonging to the same user. If it does, the password is flagged as reused.
  5. Attribution: a high-entropy, unique password is attributed to the positive effect of a manager with a generator. A low-entropy, reused password is attributed to a manager used only as storage for poor user habits.
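The pipeline sketched in Sections 4.1 and 4.2, as an added example that is not the study's code: a plugin-side `capture` step that scores strength before hashing and stores a per-user HMAC instead of the password, and an analyst-side `analyse` step that detects reuse as the same (user, hash) pair appearing on more than one domain. The events, the per-user key, the word list, the 60-bit threshold and the dictionary/year heuristic are all this example's own assumptions.

```python
"""Toy version of the strength and reuse analysis described in Sections 4.1
and 4.2. Added example, not the study's code. Events, keys, word list and
thresholds are constructed for illustration; the pattern heuristic is this
example's own approximation of a pattern-aware estimator."""
import hashlib
import hmac
import math
import re
from collections import defaultdict

# Character classes for the H = L * log2(C) bound (assumption: printable ASCII).
_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]
_COMMON_WORDS = ("password", "summer", "winter", "welcome", "admin", "login")
_DICT_BITS = 15      # assumption: a matched word is one of ~32k dictionary words
_YEAR_RE = re.compile(r"(?:19|20)\d\d")
STRONG_BITS = 60     # assumption: threshold separating "strong" from "weak"


def charset_entropy(pw: str) -> float:
    """H = L * log2(C). An upper bound: tight only for uniform generator output."""
    c = sum(size for rx, size in _CLASSES if rx.search(pw))
    return len(pw) * math.log2(c) if c else 0.0


def pattern_entropy(pw: str) -> float:
    """Pattern-aware estimate: a dictionary word costs _DICT_BITS (+1 for case),
    a four-digit year log2(200), and only leftover characters count as random.
    Never exceeds the charset bound, and equals it when no pattern matches."""
    bits, rest = 0.0, pw
    for word in _COMMON_WORDS:
        if word in rest.lower():
            bits += _DICT_BITS + 1
            rest = re.sub(word, "", rest, count=1, flags=re.IGNORECASE)
            break
    if _YEAR_RE.search(rest):
        bits += math.log2(200)
        rest = _YEAR_RE.sub("", rest, count=1)
    return min(bits + charset_entropy(rest), charset_entropy(pw))


def capture(user: str, user_key: bytes, url: str, entry_method: str, pw: str) -> dict:
    """What the plugin would record: strength is computed before hashing, and the
    hash is a per-user HMAC so reuse is only comparable within one user's data
    and the plaintext never leaves the browser (assumption about the plugin)."""
    return {
        "user": user,
        "url": url,
        "entry_method": entry_method,                   # auto_fill | manual | paste
        "strength_bits": round(pattern_entropy(pw), 1),
        "password_hash": hmac.new(user_key, pw.encode(), hashlib.sha256).hexdigest(),
    }


def label(entry_method: str, bits: float, reused: bool) -> str:
    """Maps an event onto the three groups compared in Section 3.3. Treating
    auto_fill + high entropy as 'manager-generated' is the study's inference."""
    if entry_method == "auto_fill":
        group = "manager-generated" if bits >= STRONG_BITS else "manager-stored"
    else:
        group = "manual"
    return f"{group}/{'reused' if reused else 'unique'}"


def analyse(events: list[dict]) -> list[dict]:
    """Reuse = same (user, hash) seen on more than one domain. Returns events
    with 'reused' and 'label' added; the analyst never sees a plaintext."""
    domains = defaultdict(set)
    for e in events:
        domains[(e["user"], e["password_hash"])].add(e["url"])
    out = []
    for e in events:
        reused = len(domains[(e["user"], e["password_hash"])]) > 1
        out.append({**e, "reused": reused,
                    "label": label(e["entry_method"], e["strength_bits"], reused)})
    return out


def run_example() -> list[dict]:
    """Constructed events for one participant, mirroring the case study."""
    key = b"constructed-per-user-key-u1"
    events = [
        capture("u1", key, "social-network.example.com", "auto_fill", "k8&!pL9@qW2"),
        capture("u1", key, "mail.example.net", "auto_fill", "Summer2024!"),
        capture("u1", key, "shop.example.org", "manual", "Summer2024!"),
    ]
    return analyse(events)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['url']:<28} {r['entry_method']:<10} {r['strength_bits']:>5} bits  {r['label']}")
```

Two design points matter here. The per-user key means digests from different participants cannot be compared, so cross-user reuse is invisible by construction; that is the privacy trade-off the study's hashing implies, and it is why reuse is measured per user. And `pattern_entropy` is deliberately capped by the charset bound: for `Summer2024!` the bound is about 72 bits, the structure-aware estimate under 30, and it is the lower figure that reflects an attacker's actual work.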

5. Experimental Results & Figures

The results are presented so as to separate the effects of the different password-management strategies.

Figure 1: Password Strength (Entropy) by Entry Method
The bar chart shows three distinct clusters: 1) manager-generated/autofilled passwords have the highest mean entropy; 2) user-created/manager-stored passwords show medium entropy; 3) user-created/manually typed passwords have the lowest entropy. The large gap between clusters 1 and 3 confirms the strength benefit of using a manager properly.

Figure 2: Password Reuse Rate by User Strategy
A grouped bar chart compares user groups. "Active generator users" show a low share of accounts with reused passwords (e.g. <10%). "Passive storage users" show a high reuse rate, often comparable to or exceeding that of users with no manager at all (e.g. >50%). This figure underlines that the benefit of managers is conditional.

6. Critical Analysis & Industry Perspective

Key Insight: The security industry has marketed password managers as a silver bullet for over a decade. This study is a necessary reality check: the tool is only as effective as the practice it enables. Managers with an integrated generator strongly improve security; those without one often serve as digital sticky notes for bad passwords and may even create a false sense of security. The real differentiator is not the software but whether it shifts the user's behaviour from create-and-store to delegate-and-generate.

Logical Structure: The study's reasoning is sound. Rather than relying on surveys or lab studies, it goes to the source: actual password-entry events in the wild. By tagging the entry method, it cuts through the correlation/causation ambiguity that hampered prior work. The finding that managers without a generator can "amplify existing problems" follows naturally from that method: if you make a weak password easier to store and use, you may well make it used more.

Strengths & Weaknesses: The main strength is methodological rigour; in-situ monitoring is the gold standard for behavioural security research, and it matches the empirical spirit behind NIST's Digital Identity Guidelines (SP 800-63B). One weakness, acknowledged by the authors, is selection bias: the 170 plugin users are likely more security-aware than the general population, which may inflate the measured benefit of managers. The study also does not examine in depth why users avoid generators: distrust, complexity, or lack of awareness?

Actionable Insight: For product managers at companies such as 1Password or Dashlane, the mandate is clear: make the generator the unavoidable path of least resistance, offering a strong password automatically at every new registration. For IT security leaders, the policy implication is to mandate, or provision only, password managers with proven generation capability. For researchers, the next step is to connect these findings with other authentication factors. Just as CycleGAN demonstrated style transfer between image domains, future work could investigate "security-behaviour transfer", using intelligent assistants to nudge users from weak password strategies to strong ones without friction. The era of marketing password managers as a generic category is over; the focus must shift to promoting specific, generative behaviours.

7. Future Applications & Research Directions

This study opens several avenues for future work and application development:

  • Intelligent, context-aware password generation: future managers could generate passwords whose strength adapts to the target site's specific requirements and breach history, potentially using risk scores derived from data such as Have I Been Pwned.
  • Frictionless migration & habit-forming interfaces: tools that analyse a user's existing vault, identify weak and reused credentials, and guide the user step by step through replacing them with generated passwords.
  • Integration with passwordless & multi-factor authentication (MFA): research into how password managers can bridge to a passwordless future (for example, FIDO2/WebAuthn) by managing passkeys and acting as a second factor, and how this fits within control frameworks such as ISO/IEC 27001.
  • Longitudinal & cross-cultural studies: extending this in-situ method to larger, more diverse populations over longer periods to understand how password-management habits evolve and differ across cultures.
  • Security analysis of managers: applying the same monitoring principles to examine the security and privacy practices of password-manager extensions themselves, an increasingly important supply-chain concern.
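For the first direction above (scoring a candidate password against breach data), the privacy-preserving primitive a manager would use is the k-anonymity range lookup of the Have I Been Pwned "Pwned Passwords" API: only the first five hex characters of the SHA-1 are sent, and the client matches the remaining 35 against the returned `SUFFIX:COUNT` lines. The following is an added example, not code from the study or from HIBP; the endpoint and response format are the documented ones, but the response body here is constructed offline and its counts are made up.

```python
"""Offline demonstration of the k-anonymity range lookup used by the Have I
Been Pwned 'Pwned Passwords' API, as one input to per-site risk scoring.
Added example, not the study's code. The endpoint format is HIBP's documented
one; the response body below is constructed and the counts in it are made up."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint


def split_sha1(pw: str) -> tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent to the
    service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how often
    the password occurred in breaches, or 0 when the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        sfx, count = line.split(":", 1)
        if sfx == suffix:
            return int(count)
    return 0


def breach_count(pw: str, fetch=None) -> int:
    """End-to-end check. `fetch(prefix) -> body` defaults to the live API;
    pass a stub to stay offline. Only the prefix ever leaves the machine."""
    prefix, suffix = split_sha1(pw)
    if fetch is None:
        def fetch(p: str) -> str:
            req = urllib.request.Request(RANGE_URL + p, headers={"User-Agent": "example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode()
    return count_in_range(suffix, fetch(prefix))


def constructed_fetch(prefix: str) -> str:
    """Stand-in for the network call. Returns a constructed body: two filler
    lines (a real range has several hundred) plus, when the requested prefix is
    the one for 'password', that password's real suffix with a made-up count."""
    pw_prefix, pw_suffix = split_sha1("password")
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "FFFFF" + "0" * 30 + ":3",
    ]
    if prefix == pw_prefix:
        lines.insert(1, f"{pw_suffix}:9659365")   # count is constructed
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "k8&!pL9@qW2"):
        print(candidate, "->", breach_count(candidate, fetch=constructed_fetch), "breach hits")
```

A manager that wired this into its generator would reject any candidate with a non-zero count before offering it, and could feed the count of a user's existing password into the per-site risk score the bullet describes. Because the server only ever learns a 5-character prefix shared by hundreds of hashes, the check does not disclose the password, which is what makes it acceptable to run against a vault.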

8. References

  1. Lyastani, S. G., Schilling, M., Fahl, S., Bugiel, S., & Backes, M. (Year). Studying the Impact of Managers on Password Strength and Reuse. [Conference/Journal].
  2. Florêncio, D., & Herley, C. (2007). A large-scale study of web password habits. In Proceedings of the 16th International Conference on World Wide Web.
  3. Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014). The tangled web of password reuse. In NDSS.
  4. National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines (SP 800-63B).
  5. Zhu, J., Park, T., Isola, P., & Efros, A. A. (2017). Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of the IEEE International Conference on Computer Vision (pp. 2223-2232).
  6. Ur, B., et al. (2017). Design and evaluation of a data-driven password meter. In Proceedings of the CHI Conference on Human Factors in Computing Systems.
  7. International Organization for Standardization (ISO). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection.