Too many passwords to remember? Use a password manager
Have you ever used ABCDE or 12345 as a website password? If you have, you are not alone. Far too many people use simple, common passwords for their online accounts, and they often use the same password on different sites.
Doing so amounts to leaving your accounts wide open to hackers, who can crack your passwords with ease. A password manager is one way to solve the problem: it can create and store passwords for every site you use, and all of them can be strong, complex passwords.
Are password managers safe? Can hackers crack the passwords stored in a password manager? The key is not only protecting your passwords but also protecting your password manager. You will find a whole host of password managers on the market; some are free, but most require a monthly or annual subscription.
Some of the popular products include LastPass, 1Password, Dashlane, RoboForm, Keeper Security, KeePass and Sticky Password. Most of them work in a similar way. You use the software to generate a secure password for a given website. The password and username are stored on your computer, in the program's vault or database, and possibly in the cloud as well.
When you need to open a website, your username and password are entered automatically to log you in. Most password managers offer versions for Windows, macOS, iOS and Android, so you can use them on all kinds of devices and in all kinds of browsers.
What if someone gains access to your computer or mobile device? Can they open the password manager and see all your passwords? Of course, the first thing to do is always to protect your computer or other devices with strong security measures, such as a password, PIN, fingerprint or facial recognition.
To protect your password manager, you also need to set a strong master password. The master password locks the door into the password manager, so that only someone who knows (or guesses) it can get at your other passwords.
Making your passwords more secure
You can follow these simple steps to set up a complex password.
The master password needs to be more secure than an ordinary password. That means it may be quite long, at least 12 characters. It may need to contain upper- and lower-case letters, digits and special symbols all at once.
Alternatively, it can be a passphrase, a series of random words, which is more secure than a single complex password. In addition, set the password manager so that it does not allow a forgotten master password to be recovered or reset.
Of course, never forget your master password.
On mobile devices, the password manager can protect the master password. Most password managers now support the built-in security measures of your phone or tablet, whether that is a PIN, fingerprint recognition or facial recognition. If so, you should make good use of that setting.
But is the master password, even a complex one, vulnerable to hacker attacks? In February this year, a study by Independent Security Evaluators (ISE) found that some password managers, even when locked, store the master password in plain text in the computer's memory.
This means that someone with the relevant skills, tools and administrative privileges who logs in to your computer, locally or remotely, may be able to obtain your master password.
Adrian Bednarek, lead researcher of the study, said that LastPass, once aware of it, has resolved the problem, as has RoboForm. Other password managers either do not have this problem or are working on a fix, and some have no overall solution yet. Bednarek said ISE plans a follow-up study in the fall to see how password manager vendors have addressed this flaw.
Whichever password manager you use, the first step is to set a strong password or use good security software to prevent unauthorized access to your computer.
For a higher level of protection, more and more password managers now offer two-factor authentication. Once it is enabled, whenever you want to access the password manager on a new or different device, your phone receives a verification code. Even if someone somehow obtains your master password, they cannot view your account or data without the code. If your password manager offers this, be sure to turn it on in the settings.
Fighting off hackers
OK, you have now taken as many measures as possible to protect your password manager. What about the passwords you store in the cloud? Some password managers keep your password information locally, while others store it online.
Whatever the results of the ISE study, storing data locally in the user's browser seems safer, because your passwords never leave your computer or mobile device. But this means you cannot easily share or sync passwords between devices. If you need to use multiple computers and mobile devices, storing data in the cloud has the advantage of syncing your passwords across devices.
What if someone hacks into your password manager's database?
First, the advice to protect your other passwords with a complex master password applies both to your devices and to your cloud account. Make sure your master password is as secure as possible.
Second, your password data is protected and encrypted in the cloud and while syncing between devices. Of course, any database carries a risk of being breached. LastPass has already been attacked because of some security flaws and weaknesses. Another password manager, OneLogin, has also suffered a data breach. However, none of the breaches suffered by password manager vendors so far has led to the exposure of secured passwords.
Yes, using a password manager has pros and cons. Remember that there is no such thing as 100% security, only higher or lower levels of protection. Besides, the risk of using weak passwords, or even the very same weak password, on all your accounts far outweighs any risk a password manager may bring.
Until every website supports a better means of authentication, we have to use passwords. For now, using a good password manager and protecting it as tightly as possible is your best choice. (Fortune China) Translator: Agatha
Have you ever used ABCDE or 12345 as a website password? If so, you’re not alone. Too many people use weak or common passwords for their online accounts and often the same password for multiple sites.
That approach leaves your passwords wide open to hackers who can quickly figure them out. Password managers are one solution as they can create, store, and apply strong and complex passwords for all the websites you use.
Are password managers safe? Can a hacker gain access to the passwords stored in your password manager? The trick lies in not just protecting your passwords but in protecting your password manager. You’ll find a potpourri of password managers on the market; some are free, but most have a monthly or annual subscription.
Some popular products include LastPass, 1Password, Dashlane, RoboForm, Keeper Security, KeePass, and Sticky Password. Most of these work similarly. You use the software to generate a secure password for specific websites. That password and your username are stored in the program’s vault or database on your computer and potentially in the cloud.
When you need to open a site, your username and password are automatically applied to sign you in. Most password managers offer versions for Windows, macOS, iOS, and Android so that you can use them across all your devices and all your browsers.
What if someone gains access to your computer or mobile device? Can they open the password manager to see all your passwords? Of course, your first step should always be to protect your computer or device itself with strong security – password, PIN, fingerprint, and facial recognition.
To protect your password manager, you’ll also want to create a strong master password. The master password locks the door to the password manager so that only someone who knows it (or guesses it) can obtain your passwords.
Making your passwords more secure
Here’s where you need to follow those simple guidelines about creating a complex password.
Your master password needs to be much more secure than your average password. That might mean a lengthy password, at least 12 characters. That may mean a password with lower case and upper case letters, numbers, and special symbols.
Alternatively, it could mean a passphrase, a series of random words that can be even more secure than a single complex password. You also want to make sure the password manager does not allow the recovery or reset of a forgotten master password.
Of course, don’t ever forget your master password.
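To put numbers on the guidelines above (12+ characters drawn from all four character classes, or a passphrase of random words), here is an added example that is not part of the original article. It estimates the entropy of a randomly generated password versus a passphrase, checks a candidate against the article's four rules, and generates a passphrase with the `secrets` module. The 7,776-word list size is the published Diceware list size; the short `SAMPLE_WORDS` list is a constructed stand-in, so passphrases drawn from it are far weaker than the Diceware estimate (the comment in the code says so).

```python
import math
import secrets

# Constructed stand-in word list. A real generator loads a large published list
# (e.g. the 7,776-word Diceware list); with only 25 words each word adds ~4.6 bits,
# not ~12.9, so this list is for demonstration only.
SAMPLE_WORDS = [
    "anchor", "basalt", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lagoon", "marble", "nectar", "orbit", "pebble",
    "quartz", "ridge", "saffron", "tundra", "umber", "velvet", "willow", "yarrow",
    "zephyr",
]
DICEWARE_LIST_SIZE = 7776   # size of the standard Diceware word list
PRINTABLE_ASCII = 94        # upper + lower + digits + printable symbols


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(num_words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def meets_master_password_guidelines(pw: str) -> bool:
    """Applies the article's rules: >=12 chars with upper, lower, digit and symbol."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return len(pw) >= 12 and has_upper and has_lower and has_digit and has_symbol


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Picks words with the CSPRNG-backed secrets.choice (never random.choice)."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    complex_bits = password_entropy_bits(12)
    print(f"12 random printable chars : {complex_bits:.1f} bits")
    print(f"6 Diceware words          : {passphrase_entropy_bits(6):.1f} bits")
    print(f"words to match 12 chars   : {words_needed(complex_bits)}")
    print("rule check 'password12345':", meets_master_password_guidelines("password12345"))
    print("sample passphrase (weak list):", generate_passphrase(6))
```

The figures show why the article calls a passphrase "even more secure": six Diceware words come within about a bit of a fully random 12-character password, and seven words exceed it, while being far easier to remember. The rule check is only a floor; a 12-character string that satisfies all four classes but is a dictionary word with predictable substitutions is still guessable.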
On your mobile device, the password manager secures the master password. Most password managers now support whatever built-in security you use to protect your phone or tablet – PIN, fingerprint recognition, and facial recognition. If so, you should avail yourself of that option.
Okay, but is a master password, even a complex one, vulnerable to hacking? In February, a study by researchers at Independent Security Evaluators (ISE) discovered that several password managers were storing the master password in computer memory in plain text even after the password manager was locked.
What this means is that if someone with the necessary skills, tools, and administrative privileges gained access to your computer, either physically or remotely, that person could potentially obtain the master password.
In response, LastPass has since resolved the issue as has RoboForm, according to Adrian Bednarek, lead researcher of the study. Other password managers don’t suffer from this issue, are working on a fix, or don’t have a solution to the overall problem. Bednarek said that ISE is planning a follow-up study in the fall to see how password managers have addressed this shortcoming.
Whichever password manager you use, always guard against this type of unauthorized access to your computer in the first place with a strong password and good security software.
For additional protection, more password managers now offer two-factor authentication. With the authentication enabled, you receive a code via your phone any time you try to access your password manager on a new or different device. Even if someone somehow obtained your master password, that person would not be able to view your account or data without the code. If your password manager offers this option, be sure to turn it on.
Fighting off hackers
Okay, you’ve protected your password manager as much as possible on your end. What about your password data in the cloud? Some password managers store your password information locally, while others store your data online.
Despite the findings of the ISE study, storing the data locally in a user’s browser seems a safer bet, as your passwords never venture beyond your computer or mobile device. However, this means you can’t easily share or sync your passwords across different devices. If you use multiple computers and mobile devices, storing your data in the cloud is a plus, as it syncs your passwords across the board.
What if someone hacks into the database of your password manager?
First, the advice about protecting your passwords with a complex master password applies both for your own devices and for your cloud-based account. Make sure that the master password is as secure as possible.
Second, your password data is secured and encrypted in the cloud and when synced across your devices. Sure, there’s always a chance the database could be compromised. Some security flaws and vulnerabilities have hit LastPass. Another password manager called OneLogin has also been affected by breaches. However, no password manager provider has yet had a data breach that led to secure passwords exposed.
Yes, there are pros and cons to using a password manager. Keep in mind there is no such thing as 100% security, only higher and lesser degrees of protection. Also, the risks involved in using weak passwords and the same weak passwords on all your accounts far outweigh any potential risks of password managers.
Until every website supports a better means of authentication, we’re stuck with passwords. For now, using a good password manager and securing it as tightly as possible is your best bet.