idp 改善_改善密码

idp 改善

Improving password quality across your team or business is a challenging job. It’s also one of the most effective things you can do to become more secure. In this post, we’ll explain what we think are the most important steps to help you get this work underway.

提高团队或企业的密码质量是一项艰巨的任务。 这也是提高安全性的最有效措施之一。 在本文中，我们将解释我们认为最重要的步骤可以帮助您进行这项工作。

该做什么，不该做什么 (What to do, and what not to do)

The ultimate goal of improving passwords is to ensure that every person who logs into an account is the person intended to use it. Helping users make better decisions when setting passwords is a massive step towards achieving this goal.

改善密码的最终目的是确保每个登录帐户的人都是打算使用该密码的人。 设置密码时，帮助用户做出更好的决定是实现此目标的重要一步。

Often, and unfortunately, this work begins with draconian password requirements and policies being passed down from people in authority. But telling people with weak passwords that they have made bad decisions is not a good tactic. The people these policies are designed to influence are the ones most likely to be put off by them. It is far better to give them the right guidance and tools so that they can make good decisions.

通常，不幸的是，这项工作始于严厉的密码要求和从权威人士那里传下来的政策。 但是，告诉密码薄弱的人他们做出了错误的决定并不是一个好策略。 这些政策旨在影响的人是最有可能被他们推迟的人。 最好给他们正确的指导和工具，以便他们做出正确的决定。

No one likes being bossed around, and most people do want to do the right thing, so equipping them to help them to do that is an important piece of the puzzle.

没有人喜欢被老板欺负，大多数人确实想做正确的事，因此装备他们帮助他们做到这一点是一个重要的难题。

轻轻地，轻轻地抓住猴子 (Softly, softly, catch the monkey)

There are some concrete, technical controls that you can implement to help improve password quality, and we’ll talk about those in a moment. It’s also important to consider how to motivate people to behave in more secure ways. Or, in other words, to develop a more positive security culture.

您可以实施一些具体的技术控制来帮助提高密码质量，我们稍后将讨论这些内容。 考虑如何激励人们以更安全的方式行事也很重要。 或者换句话说，发展更积极的安全文化。

轻松做正确的事 (Make it easy to do the right thing)

Using strong, unique, unpredictable passwords for every account is a pain. Respond to this by making it easy to do the right thing: perhaps by rolling out password managers, or implementing passwordless approaches.

为每个帐户使用强大，唯一且不可预测的密码是很痛苦的。 为了解决这个问题，可以轻松地做正确的事：也许是推出密码管理器，或者实施无密码方法。

帮助人们了解 (Help people understand)

Communicate with your teams about security little and often, and tell them stories about breaches that have been caused by bad passwords. Make sure they are regularly exposed to information about security, so that it’s always a current issue for them. If someone understands the impact of bad passwords they are more likely to choose good ones.

经常与您的团队就安全性进行沟通，并告诉他们有关密码错误造成的破坏的故事。 确保他们定期获得有关安全性的信息，因此对于他们来说，这始终是当前的问题。 如果有人了解错误密码的影响，那么他们更有可能选择正确的密码。

不要以自己的方式 (Don’t get in your own way)

If you have tools or policies that force people to do the wrong thing (such as complexity requirements or regular password changes) change them proactively, so that you’re not contradicting yourself. Mixed messages and the sniff of hypocrisy will snuff out even the most well-intentioned effort to make change.

如果您拥有迫使人们做错事的工具或政策(例如，复杂性要求或定期更改密码)，请主动进行更改，以免与您自相矛盾。 混杂的信息和虚伪的嗅觉甚至会掩盖做出改变的最有意图的努力。

Next, we’ll talk more about some technical changes you can make.

接下来，我们将详细讨论您可以进行的一些技术更改。

对于员工账户 (For staff accounts)

Here are some steps you can take to improve password use by your staff. We’ve put the ones we think are most important first, based on our experience. Your priorities may vary, of course; however, the more of these you can complete, the better your account security will be:

您可以采取一些步骤来提高员工的密码使用率。 根据我们的经验，我们将最重要的问题放在首位。 当然，您的优先级可能会有所不同； 但是，您可以完成的操作越多，帐户安全性就越好：

1. Set a minimum password length of 12 characters
   设置密码的最小长度为12个字符
2. Ban any password containing the word “password” or the name of your company
   禁止任何包含单词“ password”或您的公司名称的密码
3. Begin enabling two-factor authentication (2FA) for all staff accounts, starting with those with the highest level of access to sensitive data and powerful functionality
   从对敏感数据和功能强大的访问权限最高的人员开始，为所有人员帐户启用两因素身份验证(2FA)
4. Set an account lockout policy, locking staff out after a set number of failed login attempts (between 5 and 10)
   设置帐户锁定策略，在尝试登录失败一定次数(5到10次)后将人员锁定
5. Acquire and deploy a password management application for all employees
   为所有员工获取并部署密码管理应用程序
6. Run a password cracking tool against your hashed passwords to identify existing weak passwords
   针对您的哈希密码运行密码破解工具，以识别现有的弱密码

对于用户帐户 (For user accounts)

If you have a service that members of the public can create accounts for, you also need to think about their passwords. This is potentially harder to control, so the steps are different. Again, these are in our recommended order of priority, and you might want to roll out some of these for staff accounts too!

如果您拥有公众可以为其创建帐户的服务，则还需要考虑其密码。 这可能很难控制，因此步骤是不同的。 同样，这些是我们建议的优先顺序，您可能还想将其中一些用于员工帐户！

1. Set a minimum password length of 12 characters
   设置密码的最小长度为12个字符
2. Ban any password containing “password”, the name of your company (and any sub-brand), and your web domain name
   禁止任何包含“密码”，公司名称(和任何子品牌)以及您的网络域名的密码
3. Ban any password found in the 10,000 most common passwords
   禁止在10,000个最常见的密码中找到的任何密码
4. Set an account lockout policy, locking users out after a set number of failed attempts (between 5 and 10)
   设置帐户锁定策略，在尝试失败一定次数(5到10次)后将用户锁定

5. Integrate the HaveIBeenPwned API with your login/registration mechanisms to prevent users setting passwords found in public data breaches

   将HaveIBeenPwned API与您的登录/注册机制集成在一起 ，以防止用户设置在公共数据泄露中发现的密码

6. On the login page, rename the “Password” field, “Passphrase”, and provide a link to a help page that explains passphrases
   在登录页面上，将“密码”字段重命名为“密码短语”，并提供指向说明密码短语的帮助页面的链接
7. Examine your registration page, and ban passwords containing words or phrases that can be derived from it
   检查您的注册页面，并禁止包含可能衍生自该单词或词组的密码
8. Finally, add a feature that shows the user guidance on creating a good passphrase after they attempt to set a blocked password
   最后，添加一项功能，以显示用户在尝试设置被阻止的密码后创建良好密码短语的指南。

也不要… (And do not…)

Finally, please do not do any of the following when setting up your password policy:

最后，设置密码策略时请不要执行以下任何操作：

• Do not make your staff or your users reset their passwords on a regular basis. Studies have shown, and our simulations have demonstrated to us, that regular password rotation only encourages users to use predictable patterns for passwords
  不要让您的员工或用户定期重设密码。 研究表明，我们的模拟向我们证明，定期的密码轮换只会鼓励用户使用可预测的密码模式
• Other than setting a minimum length, do not set password complexity rules. A password cracking tool doesn’t care how many special characters, numbers, or capital letters are in your password; the only thing that hinders it is password length
  除了设置最小长度外，请勿设置密码复杂性规则。 密码破解工具并不关心密码中包含多少个特殊字符，数字或大写字母。 唯一阻碍它的是密码长度
• On that subject, do not set a maximum length for passwords. If a user can remember a 24-character passphrase, then there’s no good reason to prevent them using one
  在此主题上，请勿设置密码的最大长度。 如果用户可以记住24个字符的密码短语，则没有充分的理由阻止他们使用一个
• Do not ban any characters. Some users may want to use special characters, and they should be able to do so. Anything that makes it easier for users to create memorable passwords is a good thing
  不要禁止任何字符。 一些用户可能想使用特殊字符，他们应该能够使用。 让用户更容易创建难忘的密码的任何事情都是一件好事

All of these measures have been ubiquitous for many years, but they have all been shown — objectively, mathematically and repeatedly — to make passwords worse.

所有这些措施已经普及了很多年，但客观，数学和反复地证明，所有这些措施都会使密码变得更糟。

支持您的用户 (Support your users)

Weak passwords are not solved by blaming or punishing the people who created them. They happen when password creators are not given the support they need. To encourage the correct behaviour, you need to provide training in good behaviours, user-centred help content, and the right tools for the job.

弱密码不能通过责怪或惩罚创建密码的人来解决。 当密码创建者得不到他们所需的支持时，就会发生这种情况。 为了鼓励正确的行为，您需要提供良好行为的培训，以用户为中心的帮助内容以及适合该工作的工具。

We recognise that not all of the steps we recommend are easy to take. They can present significant technological, communication, and cultural challenges. We have extensive experience in helping clients of our adversary simulation service improve their passwords. If you’d like to get in touch, we’d be happy to have an obligation-free conversation with you about how we can help.

我们认识到，并非我们建议的所有步骤都很容易执行。 他们可能会提出重大的技术，沟通和文化挑战。 我们在帮助对手模拟服务的客户改善密码方面拥有丰富的经验。 如果您想取得联系 ，我们很乐意与您进行无义务的交谈，以了解我们如何提供帮助。

进一步阅读 (Further reading)

This is a follow-up piece to our post Why we know your password, and what you can do about it, in which we talk more about how bad passwords arise and what form they take.

这是我们帖子的后续部分， 为什么我们知道您的密码，以及您可以如何做 ，在本文中，我们将更多地讨论错误密码的产生方式和采用的形式。

The NCSC has some excellent guidance on passwords, including:

NCSC在密码方面有一些出色的指导，包括：

• The Password administration for system owners collection

  系统所有者收集的密码管理

• Password managers: how they help you secure passwords

  密码管理器：他们如何帮助您保护密码

翻译自: https://medium.com/tradecraft/improving-your-passwords-65270dd877b

idp 改善