Why Everything We Know About Passwords Is Wrong


If you’re anything like me, you hate passwords. My particular personal bugbear is the U.S. Copyright Office, which has complexity rules so arcane that I can’t have my password manager automatically generate a password for it, and requires password changes every three months. Which I then have to write down somewhere because there’s no chance of me memorizing it.


But that’s what it takes to be secure, right?


Wrong, and cybersecurity experts who have been saying this for years are finally being listened to. NIST (National Institute of Standards and Technology) has issued a bunch of new guidelines. And those guidelines turn everything we thought we knew on its head.


Photo by Austin Distel on Unsplash

What are the new NIST Guidelines?

They’re in this paper, but since I’m sure you don’t want to read it, I did so you don’t have to:


  1. Password length should be at least 8 characters if human generated, 6 if created by a machine, with a maximum length of at least 64 characters.

  2. Special characters, including spaces, should be allowed but not required. In other words, they’ve finally admitted that those arcane complexity rules are a net security negative because none of us can remember our passwords. No other complexity rules should be required.


  3. Password systems should prevent you from using passwords that were involved in known breaches, dictionary words, repetitive or sequential characters, the name of the service, your username, etc., and should tell you why you can’t use that password.

  4. Failed authentication attempt limits are a definite yes.

  5. Passwords should not be changed periodically. This is a big one. While the guideline is to keep companies (I see you, U.S. Copyright Office) from forcing periodic password changes, what this basically says is that you don’t need to change all of your passwords every few months. In fact, it’s bad because hackers target systems where passwords are changed frequently, and most people don’t change them by enough anyway.


  6. Passwords should be changed if there is any indication they have been compromised.

  7. The system should let you paste in a password. This makes using password managers easier.

  8. The system should allow you to opt in to seeing your password as it’s typed. (This is for accessibility).

  9. Multi-factor authentication is a good idea and should be used as much as possible.

  10. Secret questions are a bad idea and need to go away. (Maybe they worked when the amount of time to find out somebody’s mother’s maiden name wasn’t approx. five seconds).

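Guidelines 1 through 4 fit together as a single acceptance policy, so here is an added Python example of what that policy looks like in code. It is not NIST's text and not the article author's code. The breach check follows the range-prefix shape of the Pwned Passwords k-anonymity API (the client sends the first five hex characters of the SHA-1 and gets back `SUFFIX:COUNT` lines), but it runs against a small constructed table so nothing leaves the machine; the dictionary, the breached passwords and their counts, the 128-character maximum, and the lockout parameters are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MIN_LEN_HUMAN = 8     # guideline 1: user-chosen passwords
MIN_LEN_MACHINE = 6   # guideline 1: machine-generated passwords
MAX_LEN = 128         # guideline 1 asks for "at least 64"; 128 is an assumed policy value

# Constructed stand-in for a real dictionary / common-password list.
CONSTRUCTED_DICTIONARY = {"password", "welcome", "sunshine", "dragon", "letmein"}

# Constructed breach corpus with made-up counts. A real deployment would query
# the Pwned Passwords range API or a local copy of its corpus instead.
CONSTRUCTED_BREACHED = {"password": 12, "123456789": 9, "qwerty": 3}


def _sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Offline table in the API's response shape: 5-hex-char prefix -> "SUFFIX:COUNT" lines.
CONSTRUCTED_RANGE_TABLE: Dict[str, str] = {}
for _pw, _count in CONSTRUCTED_BREACHED.items():
    _h = _sha1_upper(_pw)
    CONSTRUCTED_RANGE_TABLE[_h[:5]] = CONSTRUCTED_RANGE_TABLE.get(_h[:5], "") + f"{_h[5:]}:{_count}\r\n"


def offline_range_lookup(prefix: str) -> str:
    """Plays the role of GET /range/{prefix}; swap in an HTTP call for production."""
    return CONSTRUCTED_RANGE_TABLE.get(prefix, "")


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the client;
    the suffix comparison happens locally. Returns 0 if the password is unknown."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def has_run(password: str, n: int = 4) -> bool:
    """n or more identical characters in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (n - 1), password) is not None


def has_sequence(password: str, n: int = 4) -> bool:
    """n or more code points stepping by exactly +1 or -1, e.g. 'abcd' or '4321'."""
    for i in range(len(password) - n + 1):
        window = [ord(c) for c in password[i:i + n]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, username: str, service: str,
                   machine_generated: bool = False,
                   range_lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Return every reason the password is rejected (guideline 3 says to tell the
    user why); an empty list means it is accepted. No composition rules are
    applied (guideline 2): spaces, Unicode and all-lowercase passphrases pass."""
    reasons: List[str] = []
    min_len = MIN_LEN_MACHINE if machine_generated else MIN_LEN_HUMAN
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(password) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = password.lower()
    if lowered in CONSTRUCTED_DICTIONARY:
        reasons.append("is a dictionary word")
    if username and username.lower() in lowered:
        reasons.append("contains your username")
    if service and service.lower() in lowered:
        reasons.append("contains the service name")
    if has_run(password):
        reasons.append("contains 4 or more repeated characters")
    if has_sequence(password):
        reasons.append("contains 4 or more sequential characters")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append(f"appeared in known data breaches ({seen} times)")
    return reasons


@dataclass
class FailedAttemptLimiter:
    """Guideline 4: after max_failures failed logins within lockout_seconds,
    further attempts on that account are refused until the window passes."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    _failures: Dict[str, List[float]] = field(default_factory=dict)

    def allowed(self, account: str, now: float) -> bool:
        recent = [t for t in self._failures.get(account, []) if now - t < self.lockout_seconds]
        self._failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._failures.setdefault(account, []).append(now)


if __name__ == "__main__":
    for candidate in ["password", "123456789", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, "alice", "example") or "accepted")
```

Note what is deliberately absent: there is no "must contain a digit or symbol" rule, no maximum below 64, and no expiry clock. The dictionary check matches the whole password, so a multi-word passphrase made of ordinary words is accepted, which is the point of guideline 2. The limiter takes `now` as a parameter rather than reading the clock so that the lockout window can be exercised deterministically.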

There’s also a bunch of new rules about encryption and the like.


Photo by Markus Spiske on Unsplash

What Should We Do?

Assuming you aren’t a sysadmin (in which case I’d hope you already know this stuff), there are a few things you might want to change as a result of this:


  1. Use pass phrases any time the system allows it. Pass phrases are much harder for a computer to guess than passwords, and much easier for you to remember.

  2. Don’t change your password every three to six months. Change it only if you have reason to believe it’s been compromised. Check haveibeenpwned.com periodically to see if any of your accounts were compromised.


  3. Don’t use the same password for multiple services. That’s how a bunch of people got their Disney+ accounts stolen. Don’t blame Disney for that one.

  4. Use a password manager. The ones built in to browsers are okay, but you should consider getting a separate password manager app.

  5. Use multi-factor authentication on any service that allows it unless it becomes too much of a pain. Sometimes, unfortunately, it just makes the account unusable under certain circumstances.


  6. If you’re still being forced to use security questions, lie. Most especially never use your mother’s maiden name (Whoever even thought that was a good idea).

  7. If you must write down a password or the lies you answered security questions with, hide it and avoid noting which account it’s for if possible. Don’t store it on your computer.

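To put numbers behind "much harder for a computer to guess" in item 1, here is an added Python example (not from the original post) that generates a passphrase with the standard library's CSPRNG and compares the guess space of a random five-word passphrase with that of a random eight-character password. The twelve-word list is constructed; the 7776 figure is the size of the EFF long wordlist, and 95 is the number of printable ASCII characters. Both bit counts are ceilings for uniformly random choices, and a human-chosen password built to satisfy the old complexity rules lands well below its ceiling, while a generated passphrase actually reaches it.

```python
import math
import secrets
from typing import Sequence

# Constructed sample list; a real generator loads a published list such as the
# EFF long wordlist, whose size (7776 words) LIST_SIZE_EFF_LONG records.
CONSTRUCTED_WORDS = ["apple", "river", "candle", "orbit", "meadow", "pixel",
                     "quartz", "saddle", "thunder", "velvet", "walnut", "yonder"]
LIST_SIZE_EFF_LONG = 7776
PRINTABLE_ASCII = 95   # size of the alphabet a random "complex" password draws from


def generate_passphrase(words: Sequence[str], n_words: int = 5, sep: str = " ") -> str:
    """Uniform CSPRNG choice per word (secrets, not random). The separator adds
    nothing to strength, so use a space wherever the system accepts one."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equally likely secrets of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """A guesser that walks the whole space finds the secret after about half
    of it on average."""
    return 2 ** (bits - 1)


def compare(n_words: int = 5, list_size: int = LIST_SIZE_EFF_LONG,
            pw_length: int = 8, alphabet: int = PRINTABLE_ASCII) -> dict:
    """Bits for a random passphrase versus a random character password, and
    how many times more guesses the passphrase costs."""
    phrase_bits = guess_space_bits(list_size, n_words)
    pw_bits = guess_space_bits(alphabet, pw_length)
    return {
        "passphrase_bits": phrase_bits,
        "password_bits": pw_bits,
        "passphrase_advantage": 2 ** (phrase_bits - pw_bits),
    }


if __name__ == "__main__":
    print(generate_passphrase(CONSTRUCTED_WORDS))
    for key, value in compare().items():
        print(f"{key}: {value:.1f}")
```

With the defaults the five-word passphrase comes out at about 64.6 bits against about 52.6 bits for the eight-character password, so the passphrase costs a brute-force guesser roughly four thousand times as many attempts and is the one you can actually remember. Adding a sixth word adds another 12.9 bits; adding a ninth character to the password adds only 6.6.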

So, basically? All of that “have at least one number and at least one special character and don’t have three of the same character” (I see you again, U.S. Copyright Office) is all theater and no security, and it’s finally becoming obvious to more people that we all need to go change our passwords to something we can actually remember.


Unfortunately, it’s very likely that most systems will still continue to require outdated and useless methods for a few years yet.


Translated from: https://medium.com/swlh/why-everything-we-know-about-passwords-is-wrong-76bc04849b56
