Fixing Password Problems

As I’m writing this, most of us are stuck around the house due to Covid-19. If you’re quarantining on doctor’s orders, isolating on the governor’s orders, or just taking the weekend off from your essential work, this may be a good time to fix your passwords.

Are your passwords bad?

Statistically, yes. Studies come out all the time showing that a majority of people use terrible passwords, and they reuse them for every website. Until last year, I was re-using 3 passwords all over the internet.


Online security is like regular security: there are levels to it.

If you want to secure your house or work, you may do these:


  1. Lock your door knob lock when you leave
  2. Get a deadbolt
  3. Get a motion activated light
  4. Get a security system
  5. Get security cameras
  6. Hire an armed guard

There are obviously reasonable parts of this that everybody should do, and there are more advanced measures that few people need. It doesn’t make sense to secure your house the same way they secure 1600 Pennsylvania Avenue.

The same is true with passwords.

Here are some reasonable steps you can use to secure your online accounts:


  1. Use a different password for your email, bank, and social networks
  2. Use a different password for every website
  3. Lengthen and randomize your passwords
  4. Use a phone number for 2 Factor Authentication
  5. Use an Authenticator App for 2 Factor Authentication
  6. Use a physical security key for 2 Factor Authentication

How passwords should be stored online

I tried to keep this section simple, but it can get a little complicated.


The summary is: good websites don’t store your password itself, but instead store some text that only your password could have created and that can’t be reversed.

Imagine that your password is: “potato1”

Good online sites will not store “potato1” in their database. They will store what is called a “hash” or, even better, a “salted hash.” These are not just breakfast terms anymore.


Like breakfast, they take your password, cut it up and fry it in a pan in such a way that you wouldn’t be able to determine what your original password was. This may look something like:

f1535ce1805987f0d854e54688476a02d14f33b47db57f26d17237b390960a47

No matter how hard you try, you won’t be able to turn this random output back into “potato1”.


However, next time you try to log in, they can hash your “potato1” and turn it into the same thing every time. If it matches, you’re in!


You can try this out yourself using this useful site.


But what if multiple users use “potato1” as their password? In the database, their passwords would match, and if you guessed one, you would get access to another.


To prevent this and some other attacks, websites “salt” hashes. Think of this like adding a different set of other ingredients to each user’s hash to make it different.


“potato1bacon” -> “0e46bdf666355a16cdc550c17c1f79fa9a6b2ca072dfa783a8ad9cb66b8ad2a4”

“potato1eggs” -> “28185e62879ece5e63fbac5b4d1185759e6470202d590682aa2abf2d191cb018”

Good websites only store your hash and the salt they added, and there’s no way to match users or get your original password.

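As an added example (not code from the original article), here is the storage scheme described above written out in Python: the unsalted hash that makes identical passwords collide, the article’s salt-appended SHA-256 illustration (“potato1” + “bacon”), and, going a step beyond the article, the form a site should actually use: a random per-user salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time login check. The sample password and salts are the article’s own; the record layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values for illustration, not any real site's database rows.
PASSWORD = "potato1"
SALTS = ("bacon", "eggs")
PBKDF2_ITERATIONS = 200_000  # assumed value; real deployments tune this to their hardware


def unsalted_hash(password: str) -> str:
    """What a naive site stores: SHA-256 of the bare password.

    Two users with the same password get the same digest, so matching rows
    in a leaked database reveal that they share a password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The article's illustration: hash the password with a per-user salt appended
    (e.g. "potato1" + "bacon"), so identical passwords produce different digests."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Hardened form of the same idea (beyond the article's plain-hash picture):
    a random 16-byte salt per user and a slow key-derivation function,
    so that each guess costs the attacker real CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Only the salt, the iteration count and the digest are stored, never the password.
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("unsalted, user A:", unsalted_hash(PASSWORD))
    print("unsalted, user B:", unsalted_hash(PASSWORD))  # identical: the reuse is visible
    for salt in SALTS:
        print(f"salted with {salt!r}:", salted_hash(PASSWORD, salt))  # distinct per user
    record = make_record(PASSWORD)
    print("stored record:", record)
    print("correct password accepted:", verify(record, PASSWORD))
    print("wrong password rejected:", not verify(record, "potato2"))
```

Run it twice and notice that `make_record` produces a different salt and digest each time for the same password, while `verify` still accepts it: that is exactly the property the article describes, no way to match users and no way to get the original password back from what is stored.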

So if passwords are stored securely, why bother?

Websites should store passwords securely, but some don’t, and it’s almost impossible to tell which ones are doing it correctly.

Also, even if a website stores your password securely, you also have to send your actual password to them so they can log you in. What if they did that incorrectly? What if you’re in an insecure environment on public wifi? What if somebody managed to install something on your computer to track your keyboard inputs? What if somebody just guesses 10,000 passwords on your account?


All of these risks are reasonably small, but they can and do happen. Like with somebody breaking into your home, you’re trying to secure it enough that somebody will move on. At some point, if you have a big enough target on your back, somebody may still find a way to get in, but you don’t have to make it easy.

Also, consider that the target may not be directly on your back, but on your workplace. If somebody is able to infect a workplace’s network with key loggers, they may get access to hundreds of accounts. Stealing one Amazon account is a lot of work for potentially very little reward, but stealing hundreds of accounts is much more likely to be profitable.


Two Factor Authentication (2FA)

“Two factor” authentication is when a website uses two distinct factors to identify that you are who you say you are. The three common factors to choose from are:


  1. Something you know: typically a password
  2. Something you have (or have access to): SMS verification, phone verification, email verification, Authenticator Apps, physical security keys
  3. Something you are: biometrics like a fingerprint or FaceID

These three things are independent and hard to get access to. If an attacker is able to guess your password, it’s unlikely they’ll also have your fingerprint or have access to your cell phone.


Given how complicated biometrics can be, most websites use “Something you know” and “Something you have.”


SMS Verification (not great)

There have been lots of reports recently of people being hacked who had set up 2FA using SMS verification. This is done by an attacker who convinces your cell phone provider that they are you. All it takes is tricking a call center employee into activating your phone number on the attacker’s spare SIM card; from then on the attacker receives your codes, can get into your account, and maybe even reset everything with it.

SMS verification is better than nothing, but given how frequently this attack is reported, I highly recommend staying away from it.

Authenticator Apps (preferred)

Authenticator apps are a mechanism you set up in advance with a website; after setup, the app generates a new code every 30 seconds. These are easy to use and very secure. There are very few attack vectors for these other than getting physical access to the device that was set up.

Physical Security Keys (probably overkill)

Physical security keys are little USB keys that contain a tiny computer which stores and processes data in a secure way. They are extremely secure, but sometimes cumbersome to set up or to use frequently. To log in, a user plugs in the USB key and touches a button on the device. The device reads data from the requesting website, does some calculations, then sends data back to the requesting website, which validates the response. It’s overkill for most people.

Fixing the problems

The best way to fix your online security is to combine 2FA and strong password usage to manage your risk.


Strategy 1: Security Tiers for 2FA

We use a variety of sites, and they would have different levels of impact if somebody got into them.

For example:


  1. The “I don’t care” tier: may contain things like Netflix, Hulu or other passwords you actively share with friends and family
  2. The “I care” tier: Facebook, Twitter, Instagram. If somebody gets into these, you’re going to be upset, but you should be able to recover from it
  3. The “I’m never going to financially recover from this” tier: bank, email, Amazon. If somebody gets your email, they can generally get access to any other website. If somebody gets into your bank, they can steal your money

By dividing up your sites into tiers, you can add security to the ones that need it and have the highest risk. For example, for your most secure sites, it is a good idea to set up 2FA using an Authenticator App. It is probably a good idea to do this for your “I care” tier while you’re at it.


Strategy 2: Different Passwords for each site

There are multiple ways to use different passwords for every site, but there’s one clear thing that’s not an option: making up and remembering a totally unique password for each site.


A simple option is to take a few base passwords and modify them based on the websites you’re accessing.


Let’s say one of your base passwords is “Password1”. To modify it, you could decide to use the second letter and the length of the website’s name and add that into your password. For Amazon, you could add “m6” to form “Passm6word1”, and for Facebook you could use “a8” to form “Passa8word1”. You could even do more complicated things, as long as you memorize how it works. With this approach, you’re basically salting your own passwords.

The better approach here is to use a password manager. A password manager is a website which stores all of your other passwords in a secure way. You can create completely random, long passwords and store them. With this, you just need to be extremely careful with your password manager password. If somebody can get into that, then they can get everything.


Some well known password managers:


  1. 1Password (I use this one!): $3 a month
  2. LastPass: free option, $3 a month for a slightly better plan
  3. DashLane: $5 a month plan includes VPN
  4. NordPass: free option, $2.50 a month for a slightly better plan

When evaluating Password managers, you should consider the following:


  1. Do they support all of the devices you use?
  2. Do they have a good track record of security? (Look up the company!)
  3. Does it support 2FA to secure the password manager?
  4. Price?
  5. Other services?

Applying the strategies

Once you have selected a password strategy and decided on your 2FA tiers, you can begin the process.


If you’re using a password manager, I suggest you expect to sit down for at least an hour or two to get the process started. Your goal should be to secure all of your high risk websites, maybe all of your social media, and a couple of low risk sites within the first sitting so you are comfortable with your new tools.


Print your Recovery Kit

Most password managers have some sort of “Recovery Kit” or “Emergency Kit”. Your first step should be to print that and secure the paper. For a good password manager, if you lose your recovery kit and forget your password, you will be out of luck getting your passwords back.


Do not proceed until you have exported this kit in some way, ideally by printing it.

Set up Password Manager 2FA

Your password manager likely has 2FA using some mechanism. Given how high risk a password manager can be, I suggest using an Authenticator app for this. If you have a physical security key, this is a great place to add it, but be mindful that it may be hard to use it on a phone to log in there.


Start simple

Try to just change one of your low risk websites. This will give you an understanding of how the process and the tools work. If you do it wrong, you can always “reset password” and get it back through your email.


Do this once or multiple times until you’re comfortable. Try to access this website on your phone and tablet to make sure you understand it.


Bulk Import

Before I started using 1Password, I was using Google Password manager to auto-populate all my passwords in Google Chrome. Scarily enough, it offers an easy bulk export option where you can export all of your passwords to a file.


If you have the same, this is a good time to bulk import all of the passwords into your password manager. Here is a guide from 1Password. Try logging into websites, and when you’re comfortable that you have all of the passwords in your manager, this is a great time to delete them from the not-very-secure Google Password Manager and disable that functionality. Here is a guide from 1Password.

High Risk Sites

Now that you are totally within your password manager’s ecosystem, it is a good time to reset passwords for your high risk websites and add 2FA.


Since every site is different, you will have to log in and look around for yourself. The options should be under “Settings” or “Security” or something like that.


Change the passwords and add 2FA. Many Password Managers offer a built-in authenticator app. Storing these two bits of information within the Password Manager gives you convenience when using it and ensures that an attacker would need access to your password manager to get into this site. It’s great and I highly suggest it.


Also, this is a good time to do a “Force log out” on all of your high risk accounts. This will ensure that any places you previously logged in can’t get into your account.


Don’t try to do it all at once

If you have a lot of passwords, it can be daunting to try to do it all in one sitting. Don’t push yourself. Once you have all of your high risk sites secured, take a break. Come back to it in a few weeks. You’re taking the right steps, so you don’t need to push yourself.


Video Streaming sites

Many of us share access to video streaming sites. Also, video streaming sites are often logged into on smart TVs.


Most of the time you should use the random passwords, but this is an exception. These accounts are frequently logged into using TV remotes or game consoles and shared around, so it’s best to use a human-readable, memorable password. It is still a good idea to have a separate password for each streaming service.

Did you get hacked and not know it?

Confession time: When I went through this process, I found 2 separate accounts that had been compromised for months and I had no idea: Hulu and Twitch. For me, I was locked out of resetting my own password on these two sites for various reasons. Shoutout to whoever got into my Hulu and made their own profile as to not mess with anybody’s recommendations!


You may find this has happened to you. You may have to reach out to customer support. Explain to them how you are changing to use a password manager and you may have to tell them which email you were using on the account. They should hopefully be able to reset it to that specific email.


Translated from: https://medium.com/@mcwttrs/fixing-your-passwords-5097d55c874b
