
Too many passwords to remember? Use a password manager

Lance Whitney, April 27, 2019

A password manager can create and store strong, complex passwords for every website you use.


(Fortune China; Chinese translation by Agatha)

Have you ever used ABCDE or 12345 as a website password? If so, you’re not alone. Too many people use weak or common passwords for their online accounts and often the same password for multiple sites.

That approach leaves your passwords wide open to hackers who can quickly figure them out. Password managers are one solution as they can create, store, and apply strong and complex passwords for all the websites you use.

Are password managers safe? Can a hacker gain access to the passwords stored in your password manager? The trick lies in not just protecting your passwords but in protecting your password manager. You’ll find a potpourri of password managers on the market; some are free, but most have a monthly or annual subscription.

Some popular products include LastPass, 1Password, Dashlane, RoboForm, Keeper Security, KeePass, and Sticky Password. Most of these work similarly. You use the software to generate a secure password for specific websites. That password and your username are stored in the program’s vault or database on your computer and potentially in the cloud.

When you need to open a site, your username and password are automatically applied to sign you in. Most password managers offer versions for Windows, macOS, iOS, and Android so that you can use them across all your devices and all your browsers.

What if someone gains access to your computer or mobile device? Can they open the password manager to see all your passwords? Of course, your first step should always be to protect your computer or device itself with strong security – password, PIN, fingerprint, and facial recognition.

To protect your password manager, you’ll also want to create a strong master password. The master password locks the door to the password manager so that only someone who knows it (or guesses it) can obtain your passwords.

Making your passwords more secure

Here’s where you need to follow those simple guidelines about creating a complex password.

Your master password needs to be much more secure than your average password. That might mean a lengthy password, at least 12 characters. That may mean a password with lower case and upper case letters, numbers, and special symbols.

Alternatively, it could mean a passphrase, a series of random words that can be even more secure than a single complex password. You also want to make sure the password manager does not allow the recovery or reset of a forgotten master password.
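To make the comparison above concrete, here is an added example (not from the article) that puts numbers on it: it estimates the entropy of a 12-character password drawn from the 94 printable US-keyboard symbols and works out how many words from a 7776-word list (the usual diceware size, an assumption here) a passphrase needs to match it. The word list in the code is a tiny constructed stand-in; the arithmetic uses the list size as a parameter, so the figures reflect a full-size list.

```python
import math
import secrets

# Constructed sample; a real diceware-style list has 7776 words.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "falcon",
                "garnet", "harbor", "iris", "juniper", "kelp", "lantern"]

PRINTABLE_SYMBOLS = 94      # upper + lower + digits + punctuation (assumed alphabet)
DICEWARE_LIST_SIZE = 7776   # 6^5 words (assumed list size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from list_size."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=SAMPLE_WORDS) -> str:
    # secrets.choice draws from the OS CSPRNG; the entropy estimate only holds
    # when every word is picked uniformly at random, never by hand.
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare(length: int = 12, alphabet: int = PRINTABLE_SYMBOLS,
            list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Compare a random length-character password with an equivalent passphrase."""
    pw_bits = password_entropy_bits(length, alphabet)
    n_words = words_needed(pw_bits, list_size)
    return {
        "password_bits": round(pw_bits, 1),
        "words_to_match": n_words,
        "passphrase_bits": round(passphrase_entropy_bits(n_words, list_size), 1),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_passphrase(7))
```

Seven random words from a full diceware list exceed the strength of a 12-character random password, and six come close, which is why a long phrase of random words is the easier-to-remember option with no loss of strength.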

Of course, don’t ever forget your master password.

On your mobile device, the password manager secures the master password. Most password managers now support whatever built-in security you use to protect your phone or tablet – PIN, fingerprint recognition, and facial recognition. If so, you should avail yourself of that option.

Okay, but is a master password, even a complex one, vulnerable to hacking? In February, a study by researchers at Independent Security Evaluators (ISE) discovered that several password managers were storing the master password in computer memory in plain text even after the password manager was locked.

What this means is that if someone with the necessary skills, tools, and administrative privileges gained access to your computer, either physically or remotely, that person could potentially obtain the master password.

In response, LastPass has since resolved the issue as has RoboForm, according to Adrian Bednarek, lead researcher of the study. Other password managers don’t suffer from this issue, are working on a fix, or don’t have a solution to the overall problem. Bednarek said that ISE is planning a follow-up study in the fall to see how password managers have addressed this shortcoming.

Whichever password manager you use, always guard against this type of unauthorized access to your computer in the first place with a strong password and good security software.

For additional protection, more password managers now offer two-factor authentication. With the authentication enabled, you receive a code via your phone any time you try to access your password manager on a new or different device. Even if someone somehow obtained your master password, that person would not be able to view your account or data without the code. If your password manager offers this option, be sure to turn it on.

Fighting off hackers

Okay, you’ve protected your password manager as much as possible on your end. What about your password data in the cloud? Some password managers store your password information locally, while others store your data online.

Despite the findings of the ISE study, storing the data locally in a user’s browser seems a safer bet, as your passwords never venture beyond your computer or mobile device. However, this means you can’t easily share or sync your passwords across different devices. If you use multiple computers and mobile devices, storing your data in the cloud is a plus, as it syncs your passwords across the board.

What if someone hacks into the database of your password manager?

First, the advice about protecting your passwords with a complex master password applies both for your own devices and for your cloud-based account. Make sure that the master password is as secure as possible.

Second, your password data is secured and encrypted in the cloud and when synced across your devices. Sure, there’s always a chance the database could be compromised. Some security flaws and vulnerabilities have hit LastPass. Another password manager called OneLogin has also been affected by breaches. However, no password manager provider has yet had a data breach that led to secured passwords being exposed.

Yes, there are pros and cons to using a password manager. Keep in mind there is no such thing as 100% security, only higher and lower degrees of protection. Also, the risks involved in using weak passwords, and the same weak passwords on all your accounts, far outweigh any potential risks of password managers.

Until every website supports a better means of authentication, we’re stuck with passwords. For now, using a good password manager and securing it as tightly as possible is your best bet.
