Passwords have been a keystone of account security for 60 years, predating Unix by nearly a decade. Learn how to use either the command line or the GNOME desktop environment to manage your passwords in Linux.
How to Choose a Strong Password
The computer password was born from necessity. With the advent of multiuser time-sharing computer systems, the importance of separating and protecting people’s data became apparent, and the password solved that problem.
Passwords are still the most common form of account authentication. Two-factor and multifactor authentication enhances password protection, and biometric authentication provides an alternative method of identification. However, the good old password is still with us and will be for a long time to come. This means you need to know how best to create and use them. Some of the older practices are no longer valid.
Here are some basic password rules:
Don’t use passwords at all: Use passphrases instead. Three or four unrelated words connected by punctuation, symbols, or numbers make it much harder to crack than a string of gobbledygook or a password with vowels swapped out for numbers.
Don’t re-use passwords: Don’t do this on the same or different systems.
Don’t share your passwords: Passwords are private. Don’t share them with others.
Don’t base passwords on personally significant information: Don’t use family members’ names, sports teams, favorite bands, or anything else that could be socially engineered or deduced from your social media.
Don’t use pattern passwords: Don’t base passwords on patterns or positions of keys, such as qwerty, 1q2w3e, and so on.
Password expiration policies are no longer best practice. If you adopt strong, secure passphrases, you’ll only have to change them if you suspect they’ve been compromised. Regular password changes inadvertently promote poor password choices because many people use a base password and just add a date or digit to the end of it.
The National Institute of Standards and Technology has written extensively on passwords and user identification and authentication. Their comments are publicly available in Special Publication 800-63-3: Digital Authentication Guidelines.
The passwd File
Historically, Unix-like operating systems stored passwords, along with other information regarding each account, in the “/etc/passwd” file. Today, the “/etc/passwd” file still holds account information, but the encrypted passwords are held in the “/etc/shadow” file, which has restricted access. By contrast, anyone can look at the “/etc/passwd” file.
To peek inside the “/etc/passwd” file, type this command:
less /etc/passwd
The contents of the file are displayed. Let’s look at the details for this account called “mary.”
Each line represents a single account (or a program that has a “user” account). There are the following seven colon-delimited fields:
User name: The login name for the account.
Password: An “x” indicates the password is stored in the /etc/shadow file.
User ID: The user identifier for this account.
Group ID: The group identifier for this account.
GECOS: This stands for General Electric Comprehensive Operating Supervisor. Today, the GECOS field holds a set of comma-delimited information about an account. This can include items like a person’s full name, room number, or office and home phone numbers.
Home: The path to the account’s home directory.
Shell: Started when the person logs in to the computer.
Empty fields are represented by a colon.
Incidentally, the finger command pulls its information from the GECOS field.
finger mary
The shadow File
To look inside the “/etc/shadow” file, you must use sudo:
sudo less /etc/shadow
The file is displayed. For every entry in the “/etc/passwd” file, there should be a matching entry in the “/etc/shadow” file.
Each line represents a single account, and there are nine colon-delimited fields:
User name: The login name for the account.
Encrypted password: The encrypted password for the account.
Last change: The date on which the password was last changed.
Minimum Days: The minimum number of days required between password changes. The person has to wait this number of days before he can change his password. If this field contains a zero, he can change his password as often as he likes.
Maximum Days: The maximum number of days allowed between password changes. Typically, this field contains a very large number. The value set for “mary” is 99,999 days, which is over 27 years.
Alert Days: The number of days in advance of a password expiration date to display a reminder message.
Reset Lock-out: After a password expires, the system waits this number of days (a grace period) before it disables the account.
Account expiration date: The date on which the owner of the account will no longer be able to log in. If this field is blank, the account never expires.
Reserve field: A blank field for possible future use.
Empty fields are represented by a colon.
Getting the “Last change” Field as a Date
The Unix epoch started on January 1, 1970. The value for the “Last change” field is 18,209. This is the number of days between January 1, 1970, and the day the password for the account “mary” was changed.
Use this command to see the “Last change” value as a date:
date -d "1970-01-01 18209 days"
The date is shown as midnight on the day the password was last changed. In this example, it was November 9, 2019.
The passwd Command
You use the passwd command to change your password, and, if you have sudo privileges, the passwords of others.
To change your password, use the passwd command with no parameters:
passwd
You must type your current password, and then type your new one twice.
Changing Someone Else’s Password
To change the password of another account, you must use sudo and provide the name of the account:
sudo passwd mary
You must type your password to verify you have superuser privileges. Type the new password for the account, and then type it again to confirm.
Forcing a Password Change
To force someone to change her password the next time she logs in, use the -e (expire) option:
sudo passwd -e mary
You’re told the password expiration date has been changed.
When the owner of the account “mary” next logs in, she’ll have to change her password.
Lock an Account
To lock an account, type passwd with the -l (lock) option:
sudo passwd -l mary
You’re told the password expiration date was changed.
The owner of the account will no longer be able to log in to the computer with her password. To unlock the account, use the -u (unlock) option:
sudo passwd -u mary
Again, you’re informed that the password expiry data was changed.
Keep in mind that locking an account with -l only stops the owner from logging in to the computer with her password. She could still log in with an authentication method that doesn’t require her password, such as SSH keys.
If you really want to lock someone out of the computer, you need to expire the account.
The chage Command
No, there isn’t an “n” in chage. It stands for “change age.” You can use the chage command to set an expiration date for an entire account.
Let’s take a look at the current settings for the “mary” account, with the -l (list) option:
sudo chage -l mary
The expiration date for the account is set to “never.”
To change the expiration date, use the -E (expiry) option. If you set it to zero, this is interpreted as “zero days from the Unix epoch,” i.e., January 1, 1970.
Type the following:
sudo chage -E0 mary
Recheck the account expiration date:
sudo chage -l mary
Because the expiration date is in the past, this account is now truly locked, regardless of any authentication method the owner might use.
To reinstate the account, use the same command with -1 as the numerical parameter:
sudo chage -E -1 mary
Type the following to double-check:
sudo chage -l mary
The account expiration date is reset to “never.”
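The difference between a locked password (passwd -l) and an expired account (chage -E0) can be read straight from the “/etc/shadow” fields described earlier. The following is an added example, not part of the original article; it assumes passwd -l marks a locked password by prefixing the stored hash with “!”, and the sample entries and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed /etc/shadow-format sample; the hashes are placeholders, not real.
SAMPLE_SHADOW='mary:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18209:0:99999:7:::
dave:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18209:0:99999:7:::
erin:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18209:0:99999:7::0:
svc:*:18000:0:99999:7:::
tmp::18209:0:99999:7:::'

# audit_shadow TODAY_DAYS
# Reads shadow-format lines on stdin. TODAY_DAYS is today's date expressed
# as days since January 1, 1970 (the same unit the file uses).
# Prints one line per account: name password-state account-state finding
audit_shadow() {
    awk -F: -v today="$1" '
    NF >= 8 {
        pw = $2      # field 2: stored password
        expd = $8    # field 8: account expiration date (days since epoch)

        if (pw == "")         pstate = "empty"     # no password required
        else if (pw ~ /^!/)   pstate = "locked"    # assumption: passwd -l adds "!"
        else if (pw ~ /^\*/)  pstate = "no-login"  # password login never possible
        else                  pstate = "set"

        # A blank field 8 means the account never expires.
        astate = (expd != "" && expd + 0 <= today + 0) ? "expired" : "active"

        finding = "ok"
        # Password locked but account not expired: SSH keys still work.
        if (pstate == "locked" && astate == "active")
            finding = "key-login-still-possible"
        if (pstate == "empty" && astate == "active")
            finding = "no-password-required"

        print $1, pstate, astate, finding
    }'
}

# Demo on the constructed sample, using a fixed "today" of day 18300.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 18300
```

To run it against a live system, pipe in the real file: sudo cat /etc/shadow | audit_shadow "$(( $(date +%s) / 86400 ))".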
Changing an Account Password in GNOME
Ubuntu and many other Linux distributions use GNOME as the default desktop environment. You can use the “Settings” dialog to change the password for an account.
To do so, in the system menu, click the Settings icon.
In the Settings dialog, click “Details” in the pane on the left, and then click “Users.”
Click the account for which you want to change the password; in this example, we’ll select “Mary Quinn.” Click the account, and then click “Unlock.”
You’re prompted for your password. After you’re authenticated, “Mary’s” details become editable. Click the “Password” field.
In the “Change Password” dialog, click the “Set a Password Now” radio button.
Type the new password in the “New Password” and “Verify New Password” fields.
If the password entries match, the “Change” button turns green; click it to save the new password.
In other desktop environments, the account tools will be similar to those in GNOME.
Stay Safe, Stay Secure
For 60 years, the password has been an essential part of online account security, and it isn’t going away any time soon.
This is why it’s important to administer them wisely. If you understand the mechanisms of passwords in Linux and adopt the best password practices, you’ll keep your system secure.
Translated from: https://www.howtogeek.com/447443/how-to-change-account-passwords-on-linux/