It has become a cliché because — as is the case with most clichés — it’s true. You don’t bring a knife to a gunfight. Not if you want to have any hope of winning.

Even if that knife is cutting-edge technology, so to speak. Even if it is perfectly balanced and you’ve been practicing throwing it for months. Because a guy with a gun can still take you out from 100 yards away or more — vastly out of reach of your knife.

In the online world, a password, no matter how unique, long and complex, is the equivalent of the knife against the digital assault weapons that hackers bring to the fight.

Which is why World Password Day (celebrated earlier this month), however well intended, needs to be retired. Passwords need to go the way of the rotary phone and the manual typewriter. They can be celebrated as historical icons, but they are long past obsolete.

This is not a revolutionary proposal. Smart, powerful tech gurus like former Microsoft chairman Bill Gates have been saying as much for coming on two decades. Gates forecast the demise of passwords at the 2004 RSA Conference, because “they just don’t meet the challenge for anything you really want to secure.”

That was multiple generations ago in information technology (IT). The skills, tools and aggressiveness of cyber attackers have increased by orders of magnitude since then. Which makes passwords — ineffective then — even less effective now. They offer less protection than a locked door with an arrow pointing to where the key is stuck under the doormat.

Even making them “strong” doesn’t help much. Brett McDowell, former executive director of the FIDO Alliance, has labeled the term “strong passwords” an oxymoron, no matter if the little bar changing from red to yellow to green makes you feel better when you are creating one.

If you need any confirmation of that, the annual Verizon Data Breach Investigations Report (DBIR) consistently finds that the large majority of all data breaches involve stolen passwords.

Yes, there are better options

Perhaps if there was nothing better to replace them, one could make the argument that passwords are better than nothing. But there are better things, alternative means of authentication that are more secure and just as convenient — in some cases more convenient. Simply pressing a finger or speaking into a device is quicker than tapping a password on the tiny keyboard of your smartphone.

The FIDO Alliance’s goal, since its founding in 2012, has been to replace passwords with “an open, scalable, interoperable set of mechanisms” — a standard — for secure authentication.

That falls under the umbrella of “multifactor authentication,” which has been mainstream for most of the past decade and usually requires “something you know” (username and password) plus “something you have” (smartphone or token) and/or “something you are” (a biometric like fingerprint, voice, face, iris).

But the FIDO mechanisms are designed to eliminate the “something you know” part for two reasons. First, as is constantly being demonstrated, people can be tricked into giving away something they know. Second, the username/password combination is a “shared secret” because it resides not only on the user’s device but also on a central server somewhere that, as we all know, can get hacked.

While nothing is 100% secure, compromising biometric and token authentication is much more difficult and in most cases can’t be done remotely — an attacker would have to get physical access to a device, since those “mechanisms” reside only on the device.

Yet passwords remain. They are still the primary means of authentication for just about everything people do online.

Which raises the obvious question: Why? It didn’t take long for LPs to disappear when CDs showed up, and CDs have all but vanished now that there are more convenient, and cheaper ways to “consume” music.

Why not discard a method of authentication that makes you extra-vulnerable to all the nightmares of getting hacked — identity and financial theft for starters? Especially when there are better alternatives.

Indeed, Boris Cipot, senior security engineer at Synopsys, said he thinks even the word should be forbidden because it “misleads users into thinking that a passWORD can help them to be safe. A password, depending on the complexity, can be hacked in seconds.”

Even worse, while a lengthy, complex password with a combination of letters, numbers and symbols is a bit more difficult to crack, “you many times get to a webpage where symbols are not even allowed,” he said.

Not to mention that, in spite of constant exhortations to make passwords long and complex and never use the same one for multiple accounts, most people do the opposite. Among the most common passwords is (drum roll) “password.”

Force of a bad habit

A major reason why passwords persist, said Andrew Shikiar, FIDO’s executive director, is simply habit. “People get used to a way of doing things,” he said.

But he said major change is actually within sight — FIDO will be rolling out an educational campaign at the end of this month for both individual users and service providers that is meant to “drive adoption” of passwordless authentication. It will show them how to do it or provide it, starting with an “I-mark” (I, as in identity) that will appear much like the symbols for other standards like Bluetooth or WiFi.

“It will take some time,” he said, “but we’ve seen that people can adapt to things like PINs and TouchID.”

Besides habit, Shikiar said, other reasons that passwords have had what his predecessor, McDowell, frequently called “a long tail” are that it has taken time to build out the infrastructure for a new authentication standard and to get the major players on board.

Now, both are in place, he said, noting that the specifications of FIDO2, which launched in 2018, are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

And the biggest names in tech — Google, Apple, Intel, Microsoft, PayPal, Facebook, Amazon, VMware, Samsung, Bank of America, Wells Fargo and dozens more, along with all the major web browsers and an increasing number of telecoms — are supporting the FIDO standard.

The key, he said, is to get away from the “shared secret” model, so that nothing confidential “lives” on a server. “Even TouchID is backed by a password,” he noted.

How does it work? With the use of cryptographic login credentials from a device that pair with a “public key” on a server. “That key is meant to be public,” Shikiar said, “so it has no value to a hacker.” To unlock a phone, log in to a website or do any other authentication, “the user activates the private key with a fingerprint or some other token.”

Not only does this eliminate the password, it also offers protection against phishing attacks.

“There is communication exchanged, but what’s really important is the key pair — it’s a unique URL string,” he said. “If I get a phishing email telling me to ‘click here to reset something’ and I do, I’d be prompted to activate my private key. And when I do that, it won’t match,” meaning the user won’t end up on a malicious website.

Finally, there is a privacy benefit. Because the cryptographic keys are unique for each internet site, they can’t be used to track users across sites.

So is this really going to put thousands of cyber criminals on the unemployment line, given that phishing attacks have an astounding 40% success rate and, again according to Verizon, figure in nearly a third of all data breaches and 78% of cyber espionage attacks?

That sounds like another cliché: Too good to be true.

And indeed, good doesn’t mean perfect. Malwarebytes Labs noted in a blog post that any user who loses or is tricked into giving away a private key (which could be something physical like a card reader or USB key) “is in for a multitude of problems: each service she signed in with using this combo could be compromised.”

But Shikiar cites a Google case study that he said proves FIDO2 is “unphishable.”

And while he acknowledged a “potential backdoor” that could allow the takeover of an account that uses FIDO through “a falsified account recovery process of a ‘lost’ account,” he said FIDO “has started new work around identity verification and binding that will close that backdoor.”

Relatively speaking, however, those are low risks. For average users who simply want to take advantage of the promises of modern technology — online purchases, entertainment and communication — without having their identity stolen or their bank account looted, the coming authentication landscape promises to be vastly better than having their username and password for sale along with millions of others on the Dark Web.

As Cipot puts it, “It is possible to crack your fingerprint and open your phone, but you would still use it, as the chance of this happening is small.”

As in, lower risk and more convenience, since it should take even less time to unlock your phone or log in to a site than it does now.

Which we can only hope will allow us all to say, “R.I.P., World Password Day” sooner than later.

Translated from: https://medium.com/swlh/lets-hope-the-most-recent-world-password-day-is-the-last-one-we-need-4ad3cb8e4127