Passwords Will Soon Be Dead


…or Will They?

Many of us have been frustrated or maybe even infuriated by passwords, one way or another. Have you?

It starts upon its creation. Coming up with a good password is hard. It needs to meet certain requirements. It should be complex, long enough, not (related to) a real word, unique, and resistant to social engineering. While this exercise is not easy in itself, most people can come up with passwords that meet all these requirements. All except for one, conflicting, requirement. A password should also be easy to remember. I bet most of you thought you would remember the newly created password, right?

While it was very easy to remember a password twenty years back, there is a big chance you have difficulty remembering yours today. In this day and age password requirements are so complex that remembering a password feels almost like solving a Sudoku puzzle.

An additional factor that increases the difficulty is that these requirements also differ per application. Some require a special character (such as !+*@), some require a minimum or limit the maximum number of characters you can use, and some require a capital letter while others do not.

Not only that, we are required to remember more and more passwords. A survey taken in 2018 showed that over 42% of people have more than 25 accounts, while the number of passwords people have to remember averages 191.

With that said, it’s only natural that people are looking into ways to get rid of those troublesome things. Heck, there is even an official Petition Against Passwords movement. So it seems everyone is looking for alternatives. So what are these alternatives exactly?

“Remembering a password feels almost like solving a Sudoku puzzle”

Other knowledge factors

A password is a form of knowledge, something you know. So to replace passwords, one could look to other types of knowledge factors. The most common ones are knowledge-based authentication, personal identification numbers (PIN) and passphrases.

Knowledge-based authentication refers to the (secret) security questions you have to fill in upon registering, such as ‘what is the name of your favourite pet’ or ‘what is your mother’s maiden name’. If filled in correctly, these might be easy to remember; however, it is also very easy for cybercriminals to guess the answers or obtain them through social engineering. With the amount of data available on social media, it is easier than you might think.

Personal Identification Numbers (PINs) are numeric passwords, often four or five digits long. They are mostly applicable when you don’t have much time or room to enter a long or complex password, e.g. at POS terminals or ATMs. As a stand-alone knowledge factor, a PIN does not have many benefits over a regular password due to its size, complexity, and resistance to social engineering.

Passphrases are another form of knowledge that can be deployed as a replacement for passwords. While most passwords are short, passphrases tend to be long since they consist of a sequence of words. The strength of a knowledge factor lies mostly in its length. Longer is stronger. If these passphrases are unique enough (so not based upon quotes in books or other media) and not reused across applications and websites, they might be preferred over passwords. Too bad most applications are not suitable for passphrases since they require complex characters.

Possession

Apart from knowledge-related factors, there is also a category of things that one possesses, sometimes described as ‘something you have’. These can, for example, be a smartcard, a token or a certain physical or digital key.

The advantage of something you have over something you know (e.g. a password) is that it cannot be guessed or socially engineered, and it does not need to be remembered by the user.

Disadvantages include loss of the possession factor, whether it is lost or stolen. A possession factor could also be broken (mistakenly or otherwise) or corrupted. Potentially a copy could be taken and used without the consent of the user. Potentially the biggest disadvantage is that the possession factor, whether digital or physical, needs to be in close proximity to the user in order to be used. When you don’t have access to it, you cannot use it.

Inherence

Knowledge and possession factors have their advantages and disadvantages. The same goes for the inherence factor. An inherence factor is something you are, so by default it is something you cannot forget or physically lose. It is also not easily copied since it is unique to an individual. Think of your fingerprint, iris or heart rate. With accelerometers and gyroscopic sensors, even your gait, the way you hold your phone or your sleep patterns could be used! Many new and upcoming tech companies are developing solutions in this domain.

A major problem with inherence is that once it is compromised it is very hard to replace. Where a new password can be created in the blink of an eye and a card can be recreated, an inherence factor cannot be replaced. Another problem is that a fall-back is required when an inherence factor is broken or corrupted, for example if someone loses a hand or a finger, or, maybe simpler, when it’s freezing. If there is none, the user might be locked out of his system.

While the difference between inherence and other factors might be obvious, there are also more subtle differences between static inherence (e.g. fingerprint or face verification) and dynamic inherence (e.g. gait or typing behaviour).

While static inherence rarely changes over time, dynamic inherence can change over time. Another difference is that the outcome of a logon with a static inherence factor is binary, either a success or a fail (it’s your fingerprint or it is not), whereas for dynamic inherence it is based on a range. The reason for this is that you cannot always walk or type in exactly the same way, so dynamic factors work with confidence levels. While static inherence is currently more popular, dynamic (behavioural) inherence is rising in popularity.
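
As an added illustration of the range-based outcome described above (not code from the original article), here is a minimal keystroke-timing verifier that scores an attempt against an enrolled profile and asks for a fall-back factor when confidence is middling. The timing data, thresholds and function names are constructed for this example.

```python
import statistics

# Constructed enrollment data: intervals (ms) between successive keystrokes
# while one user types the same short phrase four times.
ENROLLED = [
    [110, 95, 130, 120, 105],
    [115, 90, 125, 118, 110],
    [108, 99, 135, 122, 100],
    [112, 93, 128, 119, 107],
]
SD_FLOOR_MS = 3.0            # assumed floor so a tiny sample does not over-tighten the profile
ACCEPT, STEP_UP = 0.8, 0.4   # assumed confidence thresholds

def build_profile(samples):
    """Per-interval (mean, floored standard deviation) over the enrolled samples."""
    return [(statistics.mean(col), max(statistics.stdev(col), SD_FLOOR_MS))
            for col in zip(*samples)]

def confidence(profile, attempt):
    """Score in 0..1: 1.0 at the enrolled means, 0.0 at a mean z-score of 6 or more."""
    if len(attempt) != len(profile):
        return 0.0
    mean_z = statistics.mean(abs(x - mu) / sd
                             for x, (mu, sd) in zip(attempt, profile))
    return max(0.0, 1.0 - mean_z / 6.0)

def decide(profile, attempt):
    """Three outcomes instead of the binary match/no-match of a static factor."""
    score = confidence(profile, attempt)
    if score >= ACCEPT:
        return "accept"
    if score >= STEP_UP:
        return "step_up"     # ask for a fall-back factor, e.g. a password
    return "reject"

PROFILE = build_profile(ENROLLED)

if __name__ == "__main__":
    for label, attempt in [("usual typing", [111, 96, 128, 121, 104]),
                           ("same user, cold hands", [120, 104, 140, 128, 116]),
                           ("different typist", [180, 60, 200, 90, 150])]:
        print(label, round(confidence(PROFILE, attempt), 2), decide(PROFILE, attempt))
```

The middle case shows why a fall-back matters: the legitimate user typing more slowly lands between the two thresholds and is neither silently accepted nor locked out.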

“Knowledge and possession factors have their advantages and disadvantages. The same goes for the inherence factor.”

As you can see, pure one-for-one replacements for passwords that are actually better are hard to come by. Potential benefits always come with their own disadvantages and weaknesses. The leading assumption these days is that using just a single factor does not give you a high enough level of security. Combining factors, called 2FA or MFA (two-factor or multi-factor authentication), is becoming the new normal.

Will this make passwords obsolete? Probably not. If you look at the possible combinations you can make with the three factors, two of the three would require a knowledge factor, while the remaining one includes inherence and would require the possibility of falling back to a password.

Another advantage to consider is that the use of passwords is cheap. For the end-user, there are no costs associated with their use. For organisations it is surely a lot less expensive than using possession and inherence factors.

Ok, but does this imply that we can’t get rid of passwords? Not entirely. Getting access to an account requires a combination of a device, a person (or machine) and an authentication method. While the focus of the factors lies on the authentication method, it is entirely possible to use other personal or device attributes such as location, network, browsing history, device characteristics and more.

The question to consider is, do we want this? When do personal attributes become too personal? And are firms even allowed to use this data? With the ever-demanding privacy regulation, there is a line we can’t cross.

“When do personal attributes become too personal?”

The demise of passwords has been anticipated and foretold, but their use is only ever increasing, estimated at 300 billion in 2020. Sorry to be the bringer of bad news, but I guess you just have to deal with those awful things.

Be safe!

Translated from: https://medium.com/swlh/passwords-will-soon-be-dead-a1256cf22b4a
