With online security, a business’ biggest vulnerability is weak passwords. No matter how robust your network is, if anyone gets access to your passwords they can steal personal and business data, infect your files or delete your entire website.
借助在线安全性,企业最大的漏洞就是密码薄弱。 无论您的网络多么强大,如果有人可以访问您的密码,他们就可以窃取个人和企业数据,感染您的文件或删除您的整个网站。
Even if you are diligent and follow good practice, modern password cracking techniques are so sophisticated that no business is immune. Improvements in password cracking technology have enabled hackers to find the right sequence of characters, even for complex passwords, in just a few hours.
即使您很勤奋并遵循良好的做法,现代密码破解技术也是如此复杂,以至于任何企业都无法幸免。 密码破解技术的改进使黑客能够在短短几个小时内找到正确的字符序列,即使是复杂的密码也是如此。
And new methods, using ‘dictionaries’ of frequently used character patterns found in previously hacked passwords now make this process even faster and easier to achieve.
现在,通过使用以前被黑客破解的密码中常用字符模式的“词典”,新方法使此过程变得更加快捷,容易实现。
So, how do you stay one step ahead of the hackers? In this article, we’ll explain how hackers continue to out manoeuvre password defences and what you will need to put in place to protect yourself.
那么,您如何保持领先于黑客的一步呢? 在本文中,我们将解释黑客如何继续进行密码防御,以及您需要采取哪些措施来保护自己。
Why short, complex passwords are no longer adequate
为什么短而复杂的密码不再足够
The advice most businesses follow is to create passwords of around 8-12 characters that contain a combination of lower and uppercase letters, numbers and symbols. However, there are problems with these.
大多数企业遵循的建议是创建大约8至12个字符的密码,其中包含大小写字母,数字和符号的组合。 但是,这些存在问题。
1. People forget them
1.人们忘记了他们
The human mind finds it very difficult to remember random strings of numbers and letters, especially when they contain capitals and lowercase characters and symbols. As a result, people get tired of being locked out and save the password somewhere it can be found. Easy pickings for a clever hacker.
人类的大脑发现很难记住数字和字母的随机字符串,尤其是当它们包含大写字母,小写字母和符号时。 结果,人们厌倦了被锁定并将密码保存在可以找到的地方。 轻松挑选聪明的黑客。
2. They are easy to crack
2.他们很容易破解
Using a network of high-powered computers and sophisticated software, hackers can make up to 350 billion attempts at finding a password every second. At that speed, a brute force attack can crack every single 8 character combination in less than 2 ½ hours. That’s over 3,000 trillion different combinations.
借助功能强大的计算机和复杂软件的网络,黑客每秒可以进行多达3500亿次尝试查找密码的尝试。 以这种速度,蛮力攻击可以在不到2½小时的时间内破解每个8个字符的组合。 超过3,000万亿个不同的组合。
As a defence against highly equipped and determined hackers, short, complex passwords are obsolete. If this is your current practice, you will need to make changes to your password management practices.
为了抵御装备精良和坚定的黑客,过时的,简短的复杂密码已被淘汰。 如果这是您当前的做法,则需要更改密码管理做法。
Unfortunately, even longer, complex passwords are vulnerable. This is due to the fact that, to help us remember them, we create ones which have meaning for us. Rather than use random combinations like [email protected]#24zP0 we prefer [email protected]=05-10 or iW0rkin$ale$d£pt.
不幸的是,更长的复杂密码容易受到攻击。 这是由于以下事实:为了帮助我们记住它们,我们创建了对我们有意义的东西。 与其使用[电子邮件保护] #24zP0之类的随机组合, 不如 [电子邮件保护] = 05-10或iW0rkin $ ale $ d£pt 。
It shows the sophistication of hackers, that they have analysed hundreds of millions of stolen passwords to produce ‘dictionaries’ of the most common strings of characters people use. They now have software that actively seeks these out and this has massively increased their ability to crack complex passwords quickly.
它表明了黑客的先进性,他们分析了数亿个被盗密码,以产生人们使用的最常见字符串的“字典”。 他们现在拥有积极寻找这些信息的软件,这大大提高了他们快速破解复杂密码的能力。
Why passphrases offer better protection
为什么密码短语可以提供更好的保护
To significantly reduce the chances of your password being cracked, it’s safer to use a passphrase than a password. Passphrases are strings of words combined together which, because they are longer, are more difficult to crack.
为了显着减少密码被破解的可能性,使用密码短语比使用密码更安全。 密码短语是组合在一起的单词字符串,由于它们较长,因此更难破解。
Here are our top tips for choosing a secure passphrase.
这是我们选择安全密码短语的重要提示。
1. Unrelated word sequence
1.不相关的词序
Using this method, you create a sequence of four or five unrelated words.
使用此方法,可以创建四个或五个不相关单词的序列。
It’s important that they are unrelated because if there is a connection, the hacker’s software will pick up on it. Do not use a well-known phrase, song lyrics or combinations like “shirt tie trousers jacket”. Instead, use random words, “vanilla flowerpot birthday engine”
这一点很重要,因为它们之间没有关联,因为如果存在连接,黑客的软件将在上面建立连接。 请勿使用众所周知的短语,歌曲歌词或“衬衫领带裤子外套”之类的组合 。 相反,请使用随机的词语“香草花盆生日引擎”
To make the passphrase more secure add capitals, numbers and symbols – but make sure you can remember them, for example:
为了使密码短语更安全,请添加大写字母,数字和符号-但是请确保您能记住它们,例如:
“vanilla flowerpot birthday engine”
“香草花盆生日引擎”
Becomes:
成为:
“(vanilla+flowerp0t)[email protected]=ENGINE!”
“(香草+ flowerp0t) [电子邮件保护] = ENGINE!”
2. Modified memorable phrase
2.修饰的难忘短语
The second method is to find a memorable sentence and adapt it in a way which only you understand. For example if your phrase was, “to boldly go where no man has gone before” you could do the following:
第二种方法是找到一个令人难忘的句子,并以只有您自己理解的方式对其进行修改。 例如,如果您的短语是“大胆地走到没有人去过的地方” ,则可以执行以下操作:
Remove vowels: tbldlygwhrnmnhsgnbfr
删除元音 : tbldlygwhrnmnhsgnbfr
Change words that sound like numbers into numbers: 2bldlygwhrnmnhsgnb4
将听起来像数字的单词改为数字 : 2bldlygwhrnmnhsgnb4
Change every 5th letter into a capital: 2bldlYgwhrNmnhsGnb4
将第5个字母改成大写 : 2bldlYgwhrNmnhsGnb4
Put the symbols above the numbers 1,2 and 3 on a keyboard after each capital: 2bldlY!gwhrN”mnhsG£nb4
在大写 字母 之后的键盘上,将符号1,2和3上方的符号放在键盘上 : 2bldlY!gwhrN” mnhsG£nb4
What you are left with is a highly complex passphrase for a hacker to crack but, for the user, it is a memorable phrase that has been adapted in a way which can be easy to remember – especially if they can remember the methods they used to create it.
剩下的是一个非常复杂的密码短语,可供黑客破解,但对于用户而言,这是一个令人难忘的短语,其经过改编后易于记忆,尤其是如果他们可以记住以前使用的方法时创造它。
Other examples of this method could be:
此方法的其他示例可能是:
My favourite food is chicken tikka masala and rice: [email protected]+r
我最喜欢的食物是鸡肉印度咖喱和大米: [电子邮件保护] + r
I love 8 Out of 10 Cats does Countdown: il8/[email protected]
我爱10只猫中有8只倒计时: il8 / [电子邮件保护]
I look like one of Santa’s elves: i[email protected]@s<(o,o)>s
我看起来像圣诞老人的精灵之一:我[电子邮件保护] @s <(o,o)> s
Passphrases pose a much greater challenge to hackers than passwords because their uniqueness means their strings won’t be found in any hacking dictionary and their length will take hacking software much longer to find the right character combination.
密码短语比密码给黑客带来了更大的挑战,因为密码的唯一性意味着在任何黑客字典中都找不到它们的字符串,并且其长度将使黑客软件花费更长的时间才能找到正确的字符组合。
However, that doesn’t mean they are invulnerable. As more companies begin to use passphrases, hackers will be forced to rise to the challenge and it will only be a matter of time before these, too, become much easier to crack.
但是,这并不意味着它们无敌。 随着越来越多的公司开始使用密码短语,黑客将被迫迎接挑战,而且这些密码变得更容易破解也只是时间问题。
Why long, complex passwords are the best option
为什么长而复杂的密码是最佳选择
The best option, by far, is to have very long and complex passwords made from random characters. This is because random characters make the use of cracking dictionaries redundant and significantly lengthening passwords massively increases the time and computational power needed to crack them.
到目前为止,最好的选择是使用由随机字符组成的非常长且复杂的密码。 这是因为随机字符使破解词典的使用变得多余,并且显着延长密码的数量大大增加了破解它们所需的时间和计算能力。
The downside, of course, is that these passwords are almost impossible to remember. There is, however, a very easy solution: the password manager.
不利的一面是,这些密码几乎不可能记住。 但是,有一个非常简单的解决方案:密码管理器。
Why password managers offer the best security
为什么密码管理器提供最佳安全性
The most secure method for protecting passwords that is currently available is to use a password manager. A password manager is an application that:
当前可用的最安全的密码保护方法是使用密码管理器。 密码管理器是一个应用程序,它可以:
Generates exceptionally strong passwords (30 – 50 random characters)
生成非常强大的密码 (30 – 50个随机字符)
Lets you create separate passwords for each user account you need to sign into
使您可以为需要登录的每个用户帐户创建单独的密码
Can be used on computers and mobile devices (and synced across them)
可以在计算机和移动设备上使用 (并在它们之间同步)
Encrypts your passwords and stores them in a secure database
加密密码并将其存储在安全的数据库中
Inputs the passwords for you so you do not need to remember them
为您输入密码,因此您无需记住它们
All you need to do is create and remember one passphrase, which is needed to access the password manager’s database. The password manager then automates the login for you.
您需要做的就是创建并记住一个密码短语,这是访问密码管理器数据库所必需的。 然后,密码管理器为您自动进行登录。
As your password manager stores all your passwords, it is essential that you do not forget the passphrase.
当您的密码管理器存储所有密码时,请务必不要忘记密码短语。
There are a variety of password managers available to download on the internet; some are free whilst others charge either for the software or an annual fee.
可以从Internet上下载各种密码管理器。 有些是免费的,而另一些则需要软件或年费。
Popular password managers include:
流行的密码管理器包括:
KeePass (Our current No 1 choice) 1Password LastPass Dashlane RoboForm
KeePass (我们当前的第一选择) 1Password LastPass Dashlane RoboForm
Additional tips for password security
密码安全性的其他提示
Here are some of our favorite tips for keeping our passwords secure:
以下是一些我们最喜欢的技巧,可确保密码安全:
1. Never use the same password for different accounts
1.切勿对不同的帐户使用相同的密码
Hackers know that many people use the same password on many different accounts. If they manage to crack your password on one account, one of the first things they will do is to try and access as many other accounts as they can – usually starting with your bank accounts.
黑客知道许多人在许多不同的帐户上使用相同的密码。 如果他们设法破解一个帐户的密码,他们要做的第一件事就是尝试访问尽可能多的其他帐户-通常从您的银行帐户开始。
2. Have a strong email password
2.拥有强大的电子邮件密码
For many accounts that you hold, in order to change your password, companies will ask for email verification. If a hacker gets hold of your email password they can lock you out of your email account and then, systematically, change passwords to all your other accounts too, as well as accessing all the sensitive information on your emails.
对于您拥有的许多帐户,为了更改密码,公司将要求您进行电子邮件验证。 如果黑客掌握了您的电子邮件密码,他们可以将您锁定在您的电子邮件帐户之外,然后系统地将密码更改为您所有其他帐户的密码,以及访问电子邮件中的所有敏感信息。
3. Never share your passwords
3.永远不要分享您的密码
Sharing passwords makes them vulnerable. You cannot guarantee that the device on which it has been used or the environment in which you are passing the information is secure. If you have shared your password, you should change it immediately.
共享密码使它们容易受到攻击。 您不能保证使用该设备的设备或传递信息的环境是安全的。 如果您已共享密码,则应立即更改它。
4. Never email anyone your password
4.永远不要通过电子邮件向任何人发送密码
Many people have a bad habit of leaving their email on show for everyone passing to see.
许多人有一个不好的习惯,让他们的电子邮件显示给所有路过的人。
If you have sent your password in an email to someone who does this, it becomes exceptionally vulnerable. With website administration, it is sometimes necessary to give someone access to the admin panel if you have an issue.
如果您已将密码通过电子邮件发送给执行此操作的人员,则该密码将特别容易受到攻击。 使用网站管理时,如果您遇到问题,有时有时需要授予某人访问管理面板的权限。
Rather than give your own password, set up a new temporary account and with restricted access if possible. If you have to send a password by email, make sure the email is encrypted or sent using an encryption service.
设置一个新的临时帐户,并尽可能设置受限的访问权限,而不是自己输入密码。 如果必须通过电子邮件发送密码,请确保电子邮件已加密或使用加密服务发送。
5. Don’t save passwords in a web browser
5.不要在网络浏览器中保存密码
Browsers don’t store the passwords securely. If your password appears as a row of dots in the input field, anyone can find the actual characters in less than a minute using the ‘Inspect Element’ tool.
浏览器不能安全地存储密码。 如果您的密码在输入字段中显示为一行点,那么任何人都可以在不到一分钟的时间内使用“检查元素”工具找到实际的字符。
6. Be safe on public computers
6.在公共计算机上安全
Never use the ‘Remember Me’ or ‘Save Password’ options on public computers.
切勿在公用计算机上使用“记住我”或“保存密码”选项。
This makes the password and account you logged into available for anyone else who uses the computer. You should also log out of any account and close all browsers when you are done.
这使您登录的密码和帐户对使用该计算机的其他任何人都可用。 完成后,您还应该注销任何帐户并关闭所有浏览器。
7. Be careful signing into WiFi hotspots
7.小心登录WiFi热点
Hackers have been known to set-up rogue free WiFi hotspots which require you to sign up to gain access – at which point they access your personal information.
众所周知,黑客会设置恶意的免费WiFi热点,这些热点需要您注册才能访问-此时他们将访问您的个人信息。
They also use ‘sniffer software’ to intercept your password when you sign into genuine hot spots via WiFi.
当您通过WiFi登录真正的热点时,他们还使用“嗅探器软件”来拦截您的密码。
8. Use two-factor authentication
8.使用两因素身份验证
If possible, use two-factor authentication to log in to an account. Two-factor authentication is where, besides using a username and password, you will be required to input a code into an app, telephone keypad or text message.
如果可能,请使用两因素身份验证登录到帐户。 两要素身份验证是在其中除了使用用户名和密码之外,还需要您在应用程序,电话键盘或文本消息中输入代码。
This level of security would mean a hacker would need to have access to your telephone as well as your password to break into your account. It makes it much more secure.
这种安全级别意味着黑客需要访问您的电话以及您的密码才能进入您的帐户。 它使它更加安全。
翻译自: https://www.eukhost.com/blog/webhosting/how-to-choose-a-secure-password/
扫一扫
2310
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
