Which websites hackers like to attack: Why hackers love user accounts, and how they hack them...

User accounts are still the number one target for criminals. This is why they are so desirable and how hackers hack user accounts every day.

When we think of cyber attacks we often think of scenes resembling those from Hollywood movies. Cybercriminals, slouched over a keyboard, furiously typing, and hunting for vulnerabilities in a piece of software exposed to the internet.

Security vendors leverage this perception in their marketing efforts. I still find it amazing how much fear selling takes place from companies like Tenable, Rapid7, and Qualys, to name a few. Granted, they’re selling software designed to detect known vulnerabilities in other pieces of software, but they exploit the common perception that the sky is falling and that hackers are seconds away from compromising your IT systems.

In reality, most of the cybercrime committed today is done through legitimate user accounts: real user accounts belonging to real people that have been taken over by hackers with criminal intent. Why is this the case?

Hacking People is Easy. Hacking Software is Hard

People are vulnerable by design. Human nature makes us susceptible to being hacked in any number of ways.

When we use software and computer systems we typically login using a unique username and password that identifies us, proves that we are who we say we are (authentication), and confirms that we’re permitted to do what we’re asking to do (authorization). When a hacker logs in with our user account they instantly get access to do all of the things we are allowed to do.

Software, on the other hand, can be very difficult to manipulate. Even once you’ve found a vulnerability and created an exploit to gain access to something you shouldn’t, you still need to figure out a way to make it do what you want. This is a very time consuming and expensive process. The question hackers ask themselves all the time is ‘why would I waste all of that effort hacking into a computer system when I could just log in as a legitimate user instead?’

This is why user accounts are such a big target. The right account in the wrong hands can move millions of dollars between banks in a few minutes. Trying to do the same thing with a software exploit could take months or even years and isn’t always possible.

Three Ways Hackers Steal Your User Accounts

1. Guessing Your Password

The first way for hackers to break into one or more of your user accounts is to simply guess your password.

The top 10 passwords for 2019, based on publicly known password breaches, are:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Based on these passwords, it is reasonable to assume that most of them were created on mobile devices. Over the last decade the top 10 passwords have shifted from common words to common number patterns as smartphones have become ubiquitous.

Do you use any of these passwords for any of your accounts? Do you have anything similar?

For anyone not using one of the most commonly used passwords, a little research into the individual makes it easy to guess the other password formats that people use. Combinations of the following make up the vast majority of the passwords in use today: names of partners, children, pets, football teams, cities, countries, dates of birth, seasons, years, and colours.

I’ve cracked a lot of passwords in my career and I’ve analyzed 1.4 billion clear-text passwords to improve my understanding of how people think about password creation. With a good enough wordlist, you don’t even need to find a Facebook page to guess most people’s passwords.
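A defensive check for the guessable shapes this section describes, written as an added example that is not part of the original article: it flags the 2019 top-10 list, passwords under 8 characters, digit-only strings, and the word-plus-suffix and trailing-year patterns built from names, teams, seasons and colours. The personal-token list is a constructed stand-in for real wordlists and profile data.

```python
import re

# Constructed sample data for this example: the 2019 top-10 list quoted
# above, plus a few tokens of the kinds the article names (partner, pet,
# team, city, season, colour). A real check would load full wordlists
# and the user's own profile details instead of this short set.
TOP10_2019 = {"123456", "123456789", "qwerty", "password", "1234567",
              "12345678", "12345", "iloveyou", "111111", "123123"}
PERSONAL_TOKENS = {"emma", "max", "liverpool", "london", "summer", "blue"}

# short trailing suffixes people bolt on: '1', '123', '2019', '!', '99!'
SUFFIX = r"[\d!@#$%^&*.?_-]{0,8}"
TRAILING_YEAR = re.compile(r"(19[5-9]|20[0-2])\d$")


def weak_password_reasons(pw: str, personal=PERSONAL_TOKENS) -> list:
    """Return the reasons a candidate password is guessable; [] if none."""
    reasons = []
    low = pw.lower()
    if low in TOP10_2019:
        reasons.append("in the 2019 top-10 list")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if low.isdigit() or len(set(low)) == 1:
        reasons.append("digit-only or a single repeated character")
    # word-plus-suffix shapes such as Liverpool1, Max99!, blue2019
    for tok in sorted(personal):
        if re.fullmatch(tok + SUFFIX, low):
            reasons.append(f"personal or common word '{tok}' plus a short suffix")
            break
    if TRAILING_YEAR.search(pw):
        reasons.append("ends in a year")
    return reasons


def is_acceptable(pw: str) -> bool:
    """True when none of the guessable shapes above apply."""
    return not weak_password_reasons(pw)


if __name__ == "__main__":
    for candidate in ("123456", "Liverpool2019", "Max99!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {weak_password_reasons(candidate) or 'ok'}")
```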

2. Finding Your Password In Someone Else’s Data Breach

As mentioned in the previous point, there’s a publicly available list of 1.4 billion usernames and passwords on the internet for anyone to download. That’s just one list out of many out there. Every day, additional websites are hacked and new username and password combinations are leaked to buyers on the black market.

Just as your web browser offers to remember and fill in your passwords for you, there’s a password-completing browser extension that criminals can use to make life easier for them when taking advantage of your stolen passwords.

3. Asking You For Your Password (And You Giving It To Them!)

Phishing is an attack where criminals send you an email or SMS text message pretending to be someone else: typically a company, organisation, friend, or some authority figure whose word would convince you to do as they say. The message will contain a link to a website asking you to log in, or it could include an attachment. The attachment will then take you to a website, again asking you to log in, or it will run something harmful on your device that could allow it to steal your personal data, including passwords.

Linking to a login form is the most common. It’s surprising how many people still fall for phishing emails today, but phishing emails are often well written and designed specifically to invoke an emotional response in the reader. Emotions overpower logic and reason. People do strange things in a panic.

What Can We Do To Fight Back?

Here are a few things we can do to defend against password theft.

Use Multi-Factor Authentication

Multi-Factor Authentication, or MFA for short, is the use of something in addition to your password to prove that you are who you say you are. For authentication to be multi-factor, you need to use a combination of two or more of the following:

  • Something you know (your password)
  • Something you have (your smartphone)
  • Something you are (your fingerprint)

Smartphone apps or SMS text messages are the most commonly used form of the second factor. While it is possible to bypass MFA protected logins that use SMS messages, it takes a lot more effort and involves contacting your mobile phone provider and convincing them that you’ve lost your phone. Without a second authentication factor, as soon as someone has your password, they’re in and your account has been hacked.

Use Strong Passwords

The stronger your password is, the harder it is to guess. Google recommends:

“Long passwords are stronger, so make your password at least 8 characters long. These tips can help you create longer passwords that are easier to remember. Try to use:

  • A lyric from a song or poem
  • A meaningful quote from a movie or speech
  • A passage from a book
  • A series of words that are meaningful to you
  • An abbreviation: Make a password from the first letter of each word in a sentence”

Use Different Passwords on Every Website

As shown in the 1.4 billion usernames and password list, as soon as one website is hacked, any other accounts on other websites you use with the same username and password are vulnerable to a takeover by a hacker.

We’ve all done it in the past, including me. We pick a handful of memorable passwords and use them across a range of sites. If you ever forget which one you’ve used you can always try them all until you get in. Eventually, it works. This is what hackers do too.

Use a different password on every website. That way, if your password ever gets leaked, it won’t be usable on any other website. As a bonus, if you know which site a password was used on, you’ll know which sites have been hacked when your passwords do become public.
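An added example (not from the original article) of how a site or password manager can check a password against a leaked list like the one described above without ever revealing the password: hash it, send only the first five hex characters of the SHA-1, and compare the suffixes locally (the k-anonymity range-query pattern). The breach corpus, its counts and the range service are constructed stand-ins for this example.

```python
import hashlib

# Constructed stand-in for a breach corpus. A real check would query a
# range endpoint such as the Pwned Passwords API, which answers with the
# same "HASH_SUFFIX:COUNT" lines; the counts here are made up.
CONSTRUCTED_BREACH_COUNTS = {"password": 3, "iloveyou": 2, "qwerty": 1}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(counts: dict) -> dict:
    """Index the corpus the way a range service does: 5-char prefix -> lines."""
    index = {}
    for pw, n in counts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return index


class RangeService:
    """Simulated server side: it only ever sees the 5-character prefix."""

    def __init__(self, index: dict):
        self.index = index
        self.queries = []           # everything the server learned, for inspection

    def lookup(self, prefix: str) -> list:
        if len(prefix) != 5:
            raise ValueError("range queries carry exactly 5 hex characters")
        self.queries.append(prefix)
        return self.index.get(prefix, [])


def breach_count(pw: str, service: RangeService) -> int:
    """Client side: send the prefix, match the suffix locally, return the count."""
    h = sha1_hex(pw)
    prefix, suffix = h[:5], h[5:]
    for line in service.lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    svc = RangeService(build_range_index(CONSTRUCTED_BREACH_COUNTS))
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} seen {breach_count(pw, svc)} times; server saw {svc.queries[-1]}")
```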

Use a Password Manager

Let’s be realistic… Having a separate password for every account is unmanageable for most of us. We can’t remember that many unique password combinations. Instead, use a password manager to store unique, strong passwords for all of your accounts.

Modern web browsers have password managers built-in. Companies like 1Password, LastPass, and Dashlane all offer free or paid-for alternatives. There are many options out there and you’re free to choose whichever you prefer. But please, use one and you’ll only need to remember one, very, very strong password to keep all your accounts safe.

Originally published at https://craighays.com on September 4, 2020.

Translated from: https://medium.com/swlh/why-hackers-love-user-accounts-and-how-they-hack-them-d6beae2cd154