Password managers automatically generate secure, complex and unique passwords for each website you create an account on, and they remember the username and password as well. This is very convenient for the majority of us, who struggle to remember strong passwords.
Why, then, are they so little used, despite having been around for decades? A survey [1] found that only 12% of people use one at all, and only 3% use one as their most common method. 65% mostly remember their passwords in their head, which only works for weak passwords, exactly the kind a hacker cracks most easily with automated tools. Let's look at why we need password managers and why they fail to reach the most vulnerable people.
Why do we need password managers?
The easiest passwords to remember are short, use as few distinct characters as possible and consist of natural words from a language. Unfortunately, these are also the easiest to crack with automated brute-force or dictionary attacks: a short password drawn from a small character set gives a brute-force search only a small keyspace to cover, and a natural word is simply looked up in a wordlist.
A study [2] found that 83% of Americans use this kind of weak password and that 53% reuse them across accounts; most of those who reused were aware it is an insecure practice but did so anyway. Another study [3] put the figure at 79% once people who change only a small part of the password for each new account are counted.
People struggle not only to create and remember strong passwords but also to make each one completely unique per domain, so that a breach of one site does not expose their other accounts as well. Most simply don't bother.
Enforcing strong password requirements in the workplace has in many cases even worsened security, leading people to write passwords down where other employees can see them, an easy target for a malicious insider. Any decent password manager will generate a strong, unique password for each site and store it securely, ready to be retrieved when needed, removing the need to remember or write anything down. So why isn't everyone using one?
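As an added example (not code from the original article), the following Python shows both halves of the argument above: a generator that draws a per-site password uniformly from a CSPRNG, the way a password manager does, and a wordlist attack of the kind that recovers a natural-word password almost instantly from a leaked fast hash. The wordlist, the mangling rules, the dictionary size and the 1e10 guesses-per-second rate are constructed assumptions for illustration, not figures from the article.

```python
"""Added example, not code from the original article: how a password manager
draws a per-site password from a CSPRNG, and why the memorable kind falls to
a wordlist attack in seconds. Standard library only; the wordlist, mangling
rules, dictionary size and guess rate are constructed assumptions."""
import hashlib
import math
import secrets
import string
from typing import Iterable, Iterator, Optional

# A generated password must contain at least one character from each class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Uniformly random password of `length` characters covering every class.
    `secrets` is a CSPRNG; `random` would be predictable from its seed."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:  # rejection sampling keeps the distribution uniform
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(keyspace: int) -> float:
    """Bits an attacker must search when the password is uniform over `keyspace`."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate. 1e10/s is an assumed rate for a
    GPU rig attacking a fast, unsalted hash such as plain SHA-256."""
    return keyspace / guesses_per_second


# Three keyspaces the article contrasts. Dictionary and rule counts are assumptions.
DICTIONARY_WORDS = 100_000
MANGLING_RULES = 1_000


def keyspace_dictionary_word() -> int:
    """A natural word with a capital letter, digit or symbol tacked on."""
    return DICTIONARY_WORDS * MANGLING_RULES


def keyspace_short_random(length: int = 8) -> int:
    """Short and lowercase only: few distinct characters, small keyspace."""
    return len(string.ascii_lowercase) ** length


def keyspace_generated(length: int = 20) -> int:
    """What generate_password() produces."""
    return len(ALPHABET) ** length


def sha256_hex(password: str) -> str:
    """Stand-in for a leaked password hash. Real sites should use a slow,
    salted KDF; a fast hash is what makes the attack below cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """A few of the substitutions cracking tools apply to every wordlist entry."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2020"):
            yield base + suffix


def crack_with_wordlist(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash every mangled wordlist entry until one matches."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


# Constructed wordlist standing in for the millions of entries in a real one.
WORDLIST = ["letmein", "dragon", "sunshine", "password", "qwerty"]

if __name__ == "__main__":
    print("generated:", generate_password())
    for name, space in (("dictionary word", keyspace_dictionary_word()),
                        ("8 lowercase letters", keyspace_short_random()),
                        ("20 generated chars", keyspace_generated())):
        print(f"{name:22s} {entropy_bits(space):6.1f} bits  {seconds_to_exhaust(space):.3g} s")
    print("cracked:", crack_with_wordlist(sha256_hex("Password123"), WORDLIST))
    print("cracked:", crack_with_wordlist(sha256_hex(generate_password()), WORDLIST))
```

Running it prints roughly 26.6 bits for the mangled dictionary word (exhausted in a hundredth of a second at the assumed rate), 37.6 bits for eight lowercase letters (seconds), and about 131 bits for the generated password (far beyond any feasible search). The wordlist attack recovers "Password123" and finds nothing for the generated one, which is the whole reason the generator, not the user, should pick the password.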
Why are password managers unpopular?
Lack of user awareness and/or concern for security issues
Improving the adoption of security tools means integrating them as seamlessly as possible into the user experience. Users are focused on their primary goal, which for most people is not security. Security that interrupts that goal is met with annoyance, and with the minimum effort needed to make the interruption go away. That is why most passwords are partially or completely reused: it is more convenient than creating a new one and remembering or writing it down.
18% of people use the password storage built into their browser, more than use a dedicated password manager [1]. After you log in to a site for the first time, your browser will probably ask whether you want it to save the password. That is convenient, but the user has already created the (probably weak) password. The password storage features bundled with most browsers are not effective password managers because they don't handle password generation; they have even been shown to encourage insecure password reuse [4]. Giving users full responsibility for creating strong and unique passwords simply isn't realistic given the limits of human memory and concentration and the ever-growing number of accounts people own.
An ideal solution, then, is for a password manager to give the user an in-page prompt offering to generate a random password during registration. That makes password generation highly visible, convenient and potentially seamless, and it is already the strategy of many existing password managers. However, research has found that people who install their own password manager tend to have a high level of computer skill [5] and already care strongly about security [6].
Users of built-in tools such as browser password storage were more motivated by convenience and had less technical ability [6]. A lack of understanding of, or concern about, security risks keeps less technical users from seeking out and installing a proper password manager.
There is a much easier solution than trying to change how internet users think so that they prioritise security. Organisations should install these tools by default on work computers, and browser developers should implement automatic password generation as an opt-out feature integrated with the password storage they already ship. Convenient security should be the norm, not an optional add-on.
Lack of trust and usability
For technical and non-technical users alike, it is very important that they trust the password manager before using it. It doesn't take an expert to be wary of handing your usernames and passwords to a third party, let alone those for all of your accounts; doing so runs contrary to the usual advice about staying safe online.
User mistrust tends to fall into two categories:
- What happens if I lose access to the password manager?
- What happens if the password manager company steals my accounts?
Password managers have been criticised for creating a "single point of failure". You typically have to unlock them with a master password, either typed as text or via some other mechanism such as a code on your phone. If a hacker gets hold of your master password, they can read every password saved in the manager, so the master password has to be strong. But you can't save the master password in the password manager itself, so it's back to pen and paper, or, worse, to choosing a simple master password because it is easy to remember. See the problem?
Some managers get around this with alternative methods such as 2FA on your phone: you open an app and get a code that is only valid for a short time. This is better, but now you have to worry about losing your phone, or about someone else opening the app on it. Or perhaps the company has a server outage, since some password managers really do store the passwords in the cloud. If this worries you, you can print out or write down the passwords and keep the paper somewhere safe that only you can get at. Then losing access is an inconvenience rather than a disaster.
What if the company itself is malicious and wants to steal your accounts? That is actually very rare, as long as you stick to well-known password managers rather than obscure ones with few users found in the depths of the app store. It is still a factor, though: some users reported [6] that they would happily use a tool from a popular brand like Google but not one from a newer, less famous company.
The far more likely scenario is that the password manager itself has vulnerabilities that hackers can target to reach your accounts. Security vulnerabilities were recently found [7] in the popular programs 1Password, Dashlane, KeePass and LastPass. The worry that "putting all your eggs in one basket" is too risky is therefore legitimate. Some people cope with it by using the password manager only for less sensitive accounts, such as social media but not banking. But the most sensitive accounts are the ones that most need protecting, so password manager companies need to improve their image to win these people over.
Summary
Password managers are an effective defence against hackers cracking passwords. At their best they make registration and login more convenient than usual by automatically creating and remembering strong, unique passwords. But the commonly pre-installed tools lack important features such as password generation, which makes them convenient but not secure. Password manager usage can be improved by pre-installing managers on organisation computers, since most users will not seek out alternatives on their own. If every popular browser had this by default, it would become the norm.
In addition, many users mistrust password managers because they perceive them as malicious, easily hacked or unreliable at storing their data. The ongoing efforts of several large password manager companies to reach a wide audience and improve their public image may convince more and more people to switch.
Translated from: https://medium.com/@websec/why-dont-people-use-password-managers-15b895780b4f