Security advice related to password protection:
For important accounts, do not enable "save password and log in automatically". Article [5] points out that this practice is insecure, but the reason it speculates is inaccurate. The real reason is that a stored password can easily be extracted from the software's user interface and from insufficiently protected local storage, for example with the software tools offered at site [6].
In browsers, and in Outlook Express, Office Outlook, Gtalk, MSN, Skype and the like, do not use automatic login. If you want the browser to remember passwords, Firefox lets you set a master password that encrypts the saved site login passwords.
If Thunderbird is set to log in automatically, you must set a master password so that the stored passwords are encrypted.
Where security matters especially, click Start / Run, type osk.exe to start the On-Screen Keyboard, enter the password by clicking the on-screen keyboard with the mouse, and keep moving the keyboard window around while typing so that the mouse actions become more complex. You can also enter part of the password with the mouse and part with the physical keyboard. Then only a trojan that monitors both window messages and on-screen mouse actions can capture your password.
Note that the osk.exe on-screen keyboard cannot stop a trojan that eavesdrops on window messages from stealing the password, because the entered characters are still delivered to the program receiving the password as Windows event messages. It only makes stealing the password somewhat harder.
However, the embedded on-screen keyboard plugin used by KeePass in item 2 can protect against eavesdropping on keyboard input, because the entered characters do not pass through Windows event messages at all; they are passed internally within the program.
Two Microsoft researchers [1] proposed a simple trick to stop a trojan from stealing a password. When typing the password into a web page or software login screen, after each password character click the mouse in some other, non-password input location, type some random characters, then return to the password box and type the next character, repeating until the whole password is entered. This way, even on an insecure Internet café computer that monitors keyboard and mouse actions, a keystroke-logging trojan has great difficulty capturing the password.
The principle is that the methods trojans use to capture passwords generally cannot tell how the characters you type are distributed among the input fields inside a program. Of course, there are attack techniques aimed specifically at this trick, but they are too complex for current keystroke-capturing trojans to support: they would have to capture the screen at every keystroke and correlate it with the captured mouse actions to reconstruct the password, which is far too much work.
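An added simulation (not code from the original post or from the cited paper) of the point made above: a keystroke hook only sees the sequence of keys pressed, not which input field each key was delivered to, whereas the password field receives exactly the characters typed while it has focus. The field names, the junk string and the password are constructed for the demonstration. It also models the two on-screen keyboards discussed earlier: osk.exe injects ordinary key events, so a keystroke hook still sees them, while an in-application keyboard produces no key event at all.

```python
# Added example: how a keystroke hook and the password field each see the
# same input session. Field names, password and junk text are constructed.
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str   # "focus": mouse click moves focus to a field (value = field name)
                # "key":   a keyboard press, or a key injected by osk.exe (value = char)
                # "inapp": a character produced inside the app by its own
                #          on-screen keyboard; never becomes a key event
    value: str


def keystroke_hook_view(events: List[Event]) -> str:
    """What a logger that only records key presses sees: every key, no field info."""
    return "".join(e.value for e in events if e.kind == "key")


def application_view(events: List[Event], field: str = "password") -> str:
    """What the password field itself receives: characters (typed or produced
    in-app) delivered while that field holds keyboard focus."""
    focused = None
    received = []
    for e in events:
        if e.kind == "focus":
            focused = e.value
        elif focused == field:
            received.append(e.value)
    return "".join(received)


def plain_entry(password: str) -> List[Event]:
    """Ordinary typing: click the password box once, type the whole password."""
    return [Event("focus", "password")] + [Event("key", c) for c in password]


def osk_entry(password: str) -> List[Event]:
    """osk.exe style: clicked characters are injected as normal key events,
    so they look identical to plain typing to a keystroke hook."""
    return plain_entry(password)


def inapp_keyboard_entry(password: str) -> List[Event]:
    """KeePass-plugin style: characters are handed to the field internally."""
    return [Event("focus", "password")] + [Event("inapp", c) for c in password]


def interleaved_entry(password: str, junk: str = "xq9") -> List[Event]:
    """The Herley/Florencio trick: after each password character, click into a
    non-password field (here a constructed 'search_box'), type junk, click back."""
    events = []
    for c in password:
        events.append(Event("focus", "password"))
        events.append(Event("key", c))
        events.append(Event("focus", "search_box"))
        events.extend(Event("key", j) for j in junk)
    return events


def compare(events: List[Event]):
    """Return (what the hook recorded, what the password field received)."""
    return keystroke_hook_view(events), application_view(events)


if __name__ == "__main__":
    for name, fn in [("plain", plain_entry), ("osk.exe", osk_entry),
                     ("in-app keyboard", inapp_keyboard_entry),
                     ("interleaved", interleaved_entry)]:
        hook, app = compare(fn("s3cret"))
        print(f"{name:16s} hook saw {hook!r:28s} field got {app!r}")
```

The interleaved session is the interesting row: the hook records the password characters mixed with junk and has no way to separate them, while the application reconstructs the password correctly because it tracks focus. The in-app keyboard row shows the hook recording nothing at all, which is the property the KeePass plugin relies on.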
Note, however, that the method above only guards against software eavesdropping on keyboard input. If a program stores or transmits the password insecurely, the password can still be stolen by network eavesdropping or by decrypting the password file, even when this method is used.
If you can read English, have a look at references [1]-[4] on defending against trojans.
If you have many passwords that are hard to remember, you can keep them encrypted in the KeePass password manager. The master password used to encrypt the password store can be entered with the OSK on-screen keyboard, which is safer. KeePass also comes with its own on-screen keyboard plugin.
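An added example (not code from the original post, and not the file format of Firefox, Thunderbird or KeePass) of the difference between an auto-login store and one encrypted under a master password. The plain store keeps the secret in a reversible encoding, which is exactly what the password-reveal tools at site [6] exploit; the encrypted store derives a key from the master password with PBKDF2 and keeps only ciphertext plus an integrity tag on disk. The HMAC-SHA256 counter-mode keystream is a demonstration construct chosen to keep the example to the Python standard library; real password managers use AES-based formats.

```python
# Added example: toy password store, plain (auto-login style) versus encrypted
# under a master password. Format and cipher construction are demonstration
# choices, not any real product's format. Sample entries are constructed.
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000   # slows down guessing of the master password


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _derive_keys(master: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def store_plain(entries: dict) -> str:
    """Auto-login style: secrets written in a reversible encoding (base64 here).
    Anyone who can read the file, or any tool that knows the encoding, gets them back."""
    return json.dumps({k: _b64(v.encode()) for k, v in entries.items()})


def reveal_plain(blob: str) -> dict:
    """What a password-reveal tool does to the plain store: undo the encoding."""
    return {k: base64.b64decode(v).decode() for k, v in json.loads(blob).items()}


def store_encrypted(entries: dict, master: str) -> str:
    """Master-password style: encrypt-then-MAC under keys derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return json.dumps({"salt": _b64(salt), "nonce": _b64(nonce),
                       "ct": _b64(ct), "tag": _b64(tag)})


def open_encrypted(blob: str, master: str) -> dict:
    """Fails closed on a wrong master password or a modified file."""
    d = json.loads(blob)
    salt, nonce, ct, tag = (base64.b64decode(d[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered store")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode())


def leaks_secret(blob: str, secret: str) -> bool:
    """Does the on-disk blob contain the secret verbatim or in its base64 encoding?"""
    return secret in blob or _b64(secret.encode()) in blob


if __name__ == "__main__":
    entries = {"mail": "hunter2"}          # constructed sample
    plain = store_plain(entries)
    enc = store_encrypted(entries, "correct horse")
    print("plain store leaks secret:    ", leaks_secret(plain, "hunter2"))
    print("encrypted store leaks secret:", leaks_secret(enc, "hunter2"))
    print("opened with master password: ", open_encrypted(enc, "correct horse"))
```

Note that the master password still has to be typed, which is why the text above suggests entering it via the on-screen keyboard: the encrypted store removes the on-disk exposure, not the keystroke exposure.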
References:
[1] Cormac Herley and Dinei Florencio: How To Login From an Internet Café Without Worrying About Keyloggers; Microsoft Research, Redmond; http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
[2] Nikolay Grebennikov: Keyloggers: How they work and how to detect them; Mar 29 2007; http://www.viruslist.com/en/analysis?pubid=204791931
[3] http://en.wikipedia.org/wiki/Keystroke_logging
[4] Yury Mashevsky, Alexey Monastyrsky, Konstantin Sapronov: Rootkits and how to combat them; Virus Analyst, Kaspersky Lab; Aug 19 2005; http://www.viruslist.com/en/analysis?pubid=168740859
[5] Serious vulnerability in the local password storage of MSN and Gtalk; 2008-9-21 12:23:9; http://www.williamlong.info/archives/1506.html
[6] http://www.google.com/search?hl=en&safe=off&rlz=1C1CHMG_enNL301NL303&q=+site:www.nirsoft.net+password+stored+reveal&ei=FKKBSujFGofw-Qb23LSyCg&sa=X&oi=manybox&resnum=2&ct=all-results