
Still using a passcode or pattern lock? Try a more secure doodle instead


That locking mechanism on your tablet computer or smartphone? It’s mostly a relic from the days of the keyboard. With the advent of touchscreens, the three-by-three grids and four-digit passcodes popular on today’s mobile devices are anachronistic. Yet they persist, despite “shoulder surfers” and the telltale oils left by swiping fingers.

A new study from Rutgers University suggests that squiggling—yes, squiggling—on the screen of your tablet or smartphone may provide a better authentication mechanism than the standard pattern locks favored by Google’s Android operating system and the Personal Identification Numbers (PINs) preferred by Apple’s iOS.


“The current locking and authentication mechanisms available for mobile systems commercially do not work so well,” said Janne Lindqvist, an assistant professor of electrical and computer engineering at Rutgers University and an author of the study. “Instead of having old methods or cued methods, we let people just generate gestures without any kind of visual cue or other kind of instructions.”

The study’s researchers, who included collaborators from the Max-Planck Institute for Informatics and the University of Helsinki, asked 63 participants to scrawl “continuous free-form multitouch gestures,” essentially finger-painting on the blank touchscreen canvas of a Google Nexus 10 tablet. No grid, no template: the subjects improvised a pass-doodle, rather than a password.

The researchers then asked users to recall and redraw their scribbles after a short break and a bit of distracting mental math (counting down from 20 to 0 and rotating a shape in their minds). Next, the researchers retested the users’ memory after a minimum of 10 days. (Six subjects didn’t return for the second test.)

The trick—as with any good password—was to concoct a gesture complex enough to dupe spies yet simple enough to remember.

“You never need to be perfect,” Lindqvist said on reproducing a gesture swipe-for-swipe. “You can make a few errors, but not too many. It depends a lot on the security policy you want to implement.”

For instance, authentication for a mobile device might accept a higher error rate than one protecting a bank vault.

To verify matches, the team used a “recognizer” algorithm, which compared each gesture to a set of stored templates. The algorithm then calculated an average score for each attempt at unlocking. Gestures whose scores rose above a certain threshold value were authorized entry.

“You never can, in any case—with any kind of meaningfully complex gesture—repeat it exactly the same way,” Lindqvist said, noting that it takes at least three repetitions, or templates, for a gesture to become stable. (For improved accuracy, the study used 10 templates per participant.)

The researchers also used a flexible algorithm. Participants were able to draw anywhere on the device’s screen at whatever size and angle they wished, as long as the shape of the gesture was correct. Such flexibility may allow single gestures to adapt across platforms: for instance, on the larger screen of a tablet versus the smaller screen of a smartphone.
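The three properties the article describes (a recognizer that scores an attempt against several stored templates and averages the scores, a policy threshold that decides how much error to tolerate, and invariance to where, how large and at what angle the doodle is drawn) fit together in a small template matcher. The following Python is an added example written for this page in the spirit of classic point-matching gesture recognizers; it is not the Rutgers team’s code, the article does not give their algorithm, and the resample length, the scoring formula and all gesture coordinates are constructed assumptions.

```python
# Added example, not the study's recognizer: a minimal template matcher for
# free-form single-stroke gestures. Each stroke is a list of (x, y) points.
import math

N_POINTS = 32  # fixed resample length (assumption; any constant works)


def path_length(pts):
    """Total length of a polyline."""
    return sum(math.dist(pts[i - 1], pts[i]) for i in range(1, len(pts)))


def resample(pts, n=N_POINTS):
    """Resample a stroke to n points spaced equally along its path, so that
    fast and slow tracings of the same shape line up point for point."""
    pts = [tuple(p) for p in pts]
    interval = path_length(pts) / (n - 1)
    acc, out, i = 0.0, [pts[0]], 1
    while i < len(pts):
        d = math.dist(pts[i - 1], pts[i])
        if d > 0 and acc + d >= interval:
            t = (interval - acc) / d
            q = (pts[i - 1][0] + t * (pts[i][0] - pts[i - 1][0]),
                 pts[i - 1][1] + t * (pts[i][1] - pts[i - 1][1]))
            out.append(q)
            pts.insert(i, q)  # keep measuring from the newly placed point
            acc = 0.0
        else:
            acc += d
        i += 1
    while len(out) < n:       # guard against a floating-point shortfall
        out.append(pts[-1])
    return out[:n]


def centroid(pts):
    n = len(pts)
    return (sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n)


def normalize(pts, n=N_POINTS):
    """Make a stroke invariant to position, scale and rotation: resample,
    move the centroid to the origin, rotate so the first point lies on the
    positive x-axis, then scale the larger side of the bounding box to 1."""
    pts = resample(pts, n)
    cx, cy = centroid(pts)
    pts = [(x - cx, y - cy) for x, y in pts]
    ang = math.atan2(pts[0][1], pts[0][0])  # "indicative angle"
    c, s = math.cos(-ang), math.sin(-ang)
    pts = [(x * c - y * s, x * s + y * c) for x, y in pts]
    xs, ys = [p[0] for p in pts], [p[1] for p in pts]
    size = max(max(xs) - min(xs), max(ys) - min(ys)) or 1.0
    return [(x / size, y / size) for x, y in pts]


def score(a, b):
    """Similarity in [0, 1]: 1 minus the mean point-to-point distance,
    normalised by the half-diagonal of the unit box."""
    d = sum(math.dist(p, q) for p, q in zip(a, b)) / len(a)
    return max(0.0, 1.0 - d / (math.sqrt(2) / 2))


def enroll(samples):
    """Store several normalised tracings as the user's templates (the study
    notes a gesture needs at least three repetitions to become stable)."""
    return [normalize(s) for s in samples]


def average_score(attempt, templates):
    cand = normalize(attempt)
    return sum(score(cand, t) for t in templates) / len(templates)


def authenticate(attempt, templates, threshold):
    """Accept when the average score over all templates clears the
    threshold; the threshold is the security policy (higher = stricter)."""
    return average_score(attempt, templates) >= threshold


def transform(pts, scale, angle_deg, dx, dy):
    """Build a 'same shape, different placement' sample (for demonstration)."""
    a = math.radians(angle_deg)
    return [(scale * (x * math.cos(a) - y * math.sin(a)) + dx,
             scale * (x * math.sin(a) + y * math.cos(a)) + dy) for x, y in pts]


# Constructed sample gestures (not from the study).
TRIANGLE = [(0, 0), (4, 0), (2, 3), (0, 0)]
TRIANGLE_WOBBLY = [(0.1, -0.05), (3.9, 0.1), (2.05, 3.1), (0.0, 0.05)]
TRIANGLE_MOVED = transform(TRIANGLE, scale=2.5, angle_deg=40, dx=100, dy=50)
SQUARE = [(0, 0), (1, 0), (1, 1), (0, 1), (0, 0)]
LINE = [(0, 0), (1, 0)]

if __name__ == "__main__":
    templates = enroll([TRIANGLE, TRIANGLE_WOBBLY, TRIANGLE_MOVED])
    fresh = transform(TRIANGLE, 0.7, -120, -3, 8)  # same doodle, new placement
    for name, g in [("fresh triangle", fresh), ("square", SQUARE), ("line", LINE)]:
        print(f"{name:15s} score={average_score(g, templates):.3f} "
              f"accept={authenticate(g, templates, 0.85)}")
```

The threshold passed to `authenticate` is where the policy trade-off from the article lives: a phone unlock can tolerate a looser match than a system that must not admit a near-miss, and lowering it admits more of the shoulder-surfer’s approximate reproductions as well as more of the legitimate user’s imperfect ones.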
To measure each gesture’s level of security, the researchers imported a concept from Information Theory called “differential entropy.” This metric quantified the “information content,” or “surprisingness,” of a gesture. Generally, the most secure gestures were the most complex. Some of these looked like brambles, tumbleweeds or multi-faceted jewels.
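For reference, the quantity named above, written out (added here; the article does not give the study’s estimator, and the Gaussian closed form is the standard textbook result, not the paper’s exact method): the differential entropy of a continuous feature vector $X$ with density $f$ is

$$h(X) = -\int f(x)\,\ln f(x)\,dx,$$

and if the gesture features are modelled as a $d$-dimensional Gaussian with covariance $\Sigma$ this becomes

$$h(X) = \tfrac{1}{2}\ln\!\big((2\pi e)^d \det\Sigma\big).$$

The larger the spread of the feature distribution (larger $\det\Sigma$), the higher the entropy, which is why shapes that vary in many independent ways score as more secure than a gentle loop every participant might draw alike.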

On average the most memorable gestures were shorter and simpler than those best for security. Some of the most memorable ones included simple angular shapes, like triangles, and signatures.

The least-secure gestures consisted of gentle, looping circles.

Another measure of security involved a “shoulder surfing” test. Six student volunteers independently watched videos of another student performing three representative gestures. These “attackers” were then asked to replicate each gesture.

The preliminary results were promising. “None of the attackers came even close to the gesture,” Lindqvist said.

In fact, one attacker did nearly replicate one of the gestures—a backwards “N”—but did not come close enough for a “recognizer” to authenticate.

“Typing in a password seems to be an artifact of the past,” said Nasir Memon, professor of computer science and engineering at New York University, who was not involved in the study. “There is definitely a need to explore the alternatives.”

Still, even with the aid of muscle memory, one must question how confusing a world of security gestures might become.

“If you have three different gestures for three different accounts, how do you deal with that?” Memon asked.

In future studies, Lindqvist said he plans to instruct participants in best practices for generating secure and memorable gestures. He also hopes to expand the shoulder-surfing test. “I think that this is a robust alternative and a better alternative than the current method, and I’m looking forward to working on this more,” Lindqvist said.

If the new tactic’s promise holds, the future of password security may look less like a keyboard and more like finger-skating. For now, though, the billions of people around the world using mobile devices must stick with their PINs and patterns.

“It holds potential,” Memon said. “But we’re still a long way from it being seriously adopted.”