facebook营销密码
If you think the only correct version of your password is the exact capitalization and letter/symbol sequence you use, you may be in a shock. Facebook will accept slight variations of your password, for your convenience. And it’s perfectly safe.
如果您认为密码的唯一正确版本是所使用的确切大小写和字母/符号顺序,那么您可能会感到震惊。 为方便起见,Facebook会接受您的密码略有变化。 而且绝对安全。
密码容易输入错误 (Passwords Are Easy To Mistype)
Facebook and other sites like it have a problem. They’d like you to use long and complicated passwords, but those are hard to type. You should be using a password manager to take care of that for you, but most people don’t. And because of those two factors, it’s common to mistype your password.
Facebook和其他类似网站存在问题。 他们希望您使用冗长而复杂的密码,但是很难键入。 您应该使用密码管理器来为您解决该问题,但是大多数人却没有。 由于这两个因素,通常会输错密码。
At that point what should Facebook do?
那时,Facebook应该怎么做?
Should they deny you entry just because your password was slightly off, and frustrate you with a second attempt? Or should they recognize that the provided password was likely correct but with a typo and smooth your journey to cat gifs and baby pictures by ignoring the mistake?
他们是否应该仅因为您的密码略有误而拒绝您输入,并再次尝试使您感到沮丧? 还是他们应该认识到所提供的密码可能是正确的,但却带有错别字,并且通过忽略该错误来使您轻松获得GIF和婴儿图片的旅程?
Facebook评估密码错误 (Facebook Evaluates Mistakes in Passwords)
As Alec Muffet, a former software engineer for the security infrastructure team at Facebook Engineering in London explains, Facebook chose the latter. If your password is very close to correct, they may count it as accurate. The rules for this are straightforward. Facebook will accept an incorrect password if it meets any of these conditions:
正如伦敦Facebook Engineering的安全基础架构团队的前软件工程师Alec Muffet所说,Facebook选择了后者。 如果您的密码非常接近正确,他们可能会认为它是正确的。 规则很简单。 如果满足以下任何条件,Facebook将接受不正确的密码:
- You have caps lock turned on, and the capitalizations are reversed. 您打开了大写锁定,并且大小写相反。
- You enter an extra character at the beginning or end of a password 您在密码的开头或结尾输入一个额外的字符
- The first character of the password should be lowercase, but you typed it capitalized密码的第一个字符应为小写字母,但您将其大写
As you can see, these variations are all centered around the basic concept of slightly missing your password when typing. In some cases, this may be an issue of autocorrect, like the first letter of a word being capitalized. If your mistyped password meets these specific rules, you won’t know there was a problem—you’ll just find yourself logged in.
如您所见,所有这些变化都围绕着基本概念,即在键入密码时会稍微丢失您的密码。 在某些情况下,这可能是自动更正的问题,例如单词的首字母大写。 如果您输入错误的密码符合这些特定规则,您将不知道存在问题-您只会发现自己已登录。
For example, let’s say your password is “letMeIn.” Facebook will also accept “LETmEiN” (because that’s a straight-up caps lock reversal) and “LetMeIn” (because that’s incorrect capital for the first letter). It will also accept variations like “1letMeIn” and “letMeIn2” because those are correct except for an additional character at the beginning or end. However, it won’t accept “LETMEIN”, “letmein”, or “12LetMeIn” at all.
例如,假设您的密码是“ letMeIn”。 Facebook还将接受“ LETmEiN”(因为这是大写大写反转)和“ LetMeIn”(因为这是首字母的大写错误)。 它还将接受“ 1letMeIn”和“ letMeIn2”之类的变体,因为除了开头或结尾处的附加字符外,这些变体都是正确的。 但是,它将完全不接受“ LETMEIN”,“ letmein”或“ 12LetMeIn”。
此过程仍然安全 (This Process is Still Secure)
At first blush, Facebook’s password lenience sounds insecure. But in this case, the truth is more complicated. While it’s easy to think of old hacker crime dramas that showed quick brute force guessing at a password in mere minutes, hacking doesn’t work that way at all. Brute forcing unknown passwords does exist, but it’s very different than TV implies. As xkcd famously demonstrates, as the length of a password increases, the time to crack it also increases exponentially. Adding complexity helps, but not as much as you might think.
乍一看,Facebook的密码宽容听起来不安全。 但是在这种情况下,真相更加复杂。 尽管很容易想到仅在几分钟内就显示出对密码的快速蛮力猜测的古老的黑客犯罪剧情,但黑客根本无法做到这一点。 确实存在强行强制使用未知密码的情况,但这与电视暗示的有很大不同。 正如xkcd著名地演示的那样,随着密码长度的增加,破解它的时间也成倍增加。 增加复杂性会有所帮助,但并没有您想象的那么多。
So one of the scenarios that Facebook allows, an extra character at the beginning or the end of the password, would be even harder to brute force. Hackers would already need to have the correct password before they made it to the password plus an extra character.
因此,Facebook允许的一种情况(在密码的开头或结尾添加一个额外的字符)将变得更加难以暴力破解。 黑客在输入密码加上一个额外的字符之前,已经需要具有正确的密码。
Of particular interest is the caps lock scenario. I tested this by first manually typing my password into notepad, reversing the case, then pasting that result into Facebook. It denied that password. I then turned on caps lock and typed my password as though cap lock were off, thus reversing the case. That attempt was successful, and I was logged in. Facebook is not only checking what the password is but how you enter it. Brute Force won’t help in that scenario, short of simulating caps lock, which would be more difficult than just aiming for the actual password.
特别关注的是大写锁定方案。 我首先通过在记事本中手动输入密码,然后反转大小写,然后将结果粘贴到Facebook上来进行测试。 它拒绝了该密码。 然后,我打开了大写锁定,然后输入了我的密码,就好像大写锁定已关闭一样,因此情况与之相反。 那个尝试成功了,我已经登录了。Facebook不仅在检查密码是什么,而且在输入密码。 如果不模拟大写锁定,则蛮力攻击在这种情况下将无济于事,这比仅针对实际密码要困难得多。
Update: As information security consultant Paul Moore points out on Twitter, Facebook is mostly likely only storing your original password (properly hashed and salted) and not the variations of your password. When you submit a password to log in, it’s checked against your original password. If it doesn’t match, Facebook runs your submitted password through these variations. For instance, if your Caps Lock is on, Facebook takes your submitted password, reverses the capitalization of the letters, and tries again. If that doesn’t work, Facebook tries again with the next scenario. Essentially, Facebook is doing what you would have done upon getting a “wrong password” message—checking for an accidental error in the typed password and correcting it. That makes the entire process less frustrating for you. This doesn’t decrease security, because some idea of the correct password is still needed and the accepted variations are narrow.
更新:正如信息安全顾问Paul Moore在Twitter上指出的那样,Facebook通常很可能仅存储您的原始密码(正确地经过哈希处理和加盐处理),而不存储密码的变体。 当您提交密码登录时,将对照您的原始密码进行检查。 如果不匹配,Facebook将通过这些变体来运行您提交的密码。 例如,如果您的Caps Lock处于打开状态,则Facebook将使用您提交的密码,将字母的大小写取反,然后重试。 如果这不起作用,Facebook将在下一种情况下再次尝试。 本质上,Facebook会按照收到“错误密码”消息的方式进行操作,即检查键入的密码是否有意外错误并进行更正。 这使整个过程对您的困扰减少了。 这不会降低安全性,因为仍然需要正确密码的一些想法,并且可接受的范围很窄。
More importantly, brute force methods aren’t the primary method to gain access to social networks and other accounts. Social engineering and password dumps are much simpler to use. If you have password reset questions, there’s a decent chance at least some of the answers are publically accessible information. If your reset question is about your birthplace, mother’s maiden name, or high school mascot, then it’s possible to track the answer down. At that point, a bad-actor can reset your password, making any need to guess or determine the password itself entirely moot.
更重要的是,暴力破解方法并不是获取社交网络和其他帐户访问权限的主要方法。 社会工程和密码转储更易于使用。 如果您有密码重置问题,那么至少有一些答案是可以公开访问的信息,这很有可能。 如果您的重置问题是关于您的出生地,母亲的娘家姓或高中吉祥物,那么可以找到答案。 届时,行为不端的人可以重置您的密码,从而完全不必猜测或确定密码本身。
Unfortunately, many people are still using the same email and password combination at every site that requires login credentials. You don’t have to look far to find instance after instance of data breaches. If you’re using the same email and password combination at more than one place, and have been for years, then your passwords are the vulnerability, not Facebook’s policies.
不幸的是,许多人在每个需要登录凭据的站点上仍在使用相同的电子邮件和密码组合。 你不必花费很大力气就能找到实例后,实例的数据泄露。 如果您在多个地方使用相同的电子邮件和密码组合并且使用了多年,那么您的密码就是该漏洞,而不是Facebook的政策。
If you aren’t sure whether you’ve been the victim of a breach, go to haveibeenpwned.com and check to see if your password has been stolen. Chances are you’ve had at least some account compromised somewhere.
如果您不确定自己是否曾经是违规行为的受害者,请访问haveibeenpwned.com并检查密码是否被盗。 您有可能至少在某个地方盗用了一些帐户。
您应该始终确保自己的帐户安全 (You Should Always Secure Your Accounts)
If you’re still worried that this policy leaves you vulnerable, there are steps you can take. The first step is to stop using the same password for every site. Instead, get a password manager and let it generate unique long passwords for every different site you use. Then, the next time you see that a website you used has been compromised, you can change just that one password and feel safe knowing that this one known password won’t do the hackers any good.
如果您仍然担心此政策会使您容易受到攻击,则可以采取一些措施。 第一步是停止对每个站点使用相同的密码。 取而代之的是,获得一个密码管理器,让它为您使用的每个不同站点生成唯一的长密码。 然后,下次您看到您使用的网站遭到破坏时,您可以更改一个密码,并且可以放心地知道该密码不会对黑客有任何好处。
After you harden your passwords, turn on two-factor authentication at any site that offers it. Facebook does offer two-factor authentication, so you should set it up there as well. The best two-factor authentication relies on an app with your smartphone that generates a new code frequently or a physical key you keep with you. While SMS-based two-factor authentication is better than nothing, it’s still vulnerable to social engineering techniques. So if you can rely on an authenticator app or a physical key, you should. And have a backup in place in case something happens with your phone or key.
强化密码后,请在提供密码的任何站点上打开两因素身份验证。 Facebook确实提供了双重身份验证,因此您也应该在此处进行设置。 最好的两因素身份验证取决于智能手机上的应用程序,该应用程序会经常生成新代码或随身携带的物理密钥。 尽管基于SMS的两要素身份验证总比没有好,但它仍然容易受到社交工程技术的影响。 因此,如果您可以依靠身份验证器应用程序或物理密钥,则应该这样做。 并准备好备份,以防手机或钥匙发生故障。
With this combination, your account is far more secure regardless of Facebook’s password policies. You should at the very least use a password manager and unique passwords, but using those in combination with two-factor authentication is better.
通过这种组合,无论Facebook的密码策略如何,您的帐户都将更加安全。 您至少应该使用密码管理器和唯一密码,但是结合使用两因素身份验证会更好。
不要惊慌; 享受便利 (Don’t Panic; Enjoy the Convenience)
As for Facebook’s password policy, it’s easy to worry that it’s less secure, but the reality is the benefits outweigh the risks. Security is a balancing act. The more you lock down a system, the less convenient it is to access. But as you add more convenient access, you lose security. The trick is getting the right amounts of both to protect your users without frustrating them. Facebook erred on the side of user ease here, and that’s probably an acceptable decision.
至于Facebook的密码政策,人们很容易担心它的安全性较差,但现实是收益大于风险。 安全是一种平衡行为。 锁定系统的次数越多,访问它的便利性就越低。 但是,随着您添加更方便的访问权限,您将失去安全性。 诀窍是要获得适量的两者,以保护您的用户而不会使他们感到沮丧。 Facebook在这里为用户提供方便方面犯了错误,这可能是一个可以接受的决定。
翻译自: https://www.howtogeek.com/402761/facebook-fudges-your-password-for-your-convenience/
facebook营销密码
扫一扫
5075
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
