Computer password security advice: do not save passwords for automatic login

wanghx

Aug 11, 2009, 1:05:49 PM
to lihlii-g, 公民力量群发, gongmi...@googlegroups.com, China...@googlegroups.com
Security advice related to password protection:
  1. For important accounts, do not enable saved-password automatic login. Article [1] points out that this practice is insecure, but the reason it speculates is inaccurate. The real reason is that stored passwords can easily be captured from the software's interface and from insufficiently secure local storage, for example with the software tools provided by website [2].
  2. In browsers, Outlook Express, Office Outlook, gtalk, msn, skype and so on, do not log in automatically. If you want the browser to remember passwords, Firefox can set a master password to encrypt the saved website login passwords.
  3. If Thunderbird is set to log in automatically, you must set a master password so that passwords are stored encrypted.
  4. Where security is especially needed, click Start / Run, type osk.exe to run the On-Screen Keyboard, enter the password by clicking the on-screen keyboard with the mouse, and keep moving the keyboard window while entering it so that the mouse actions are more complex. Part of the password's keys can be entered with the mouse and part with the keyboard. Then only a trojan that monitors both the keyboard and the mouse/screen actions can capture your password.
  5. If you have many passwords that are hard to remember, you can store them encrypted with the keepass password-manager software. The master password used to encrypt the password store can be entered via the OSK on-screen keyboard, which is safer. keepass also comes with an on-screen keyboard plugin.
[1] Serious vulnerability in the local passwords of MSN and Gtalk; 2008-9-21 12:23:9; http://www.williamlong.info/archives/1506.html
Asterisk Logger: Reveal/recover password behind asterisks (***)
If you want to reveal a password stored behind asterisks in a Pocket PC device, you may try the PocketAsterisk and RemotePocketAsterisk utilities. ...
www.nirsoft.net/utils/astlog.html

PasswordFox - Reveal the user names/passwords stored in Firefox
PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by Mozilla Firefox Web browser. ...
www.nirsoft.net/utils/passwordfox.html

WirelessKeyView: Recover lost WEP/WPA key/password stored by ...
Network Password Recovery - Recover Windows XP/Vista network passwords ... Be aware that this utility can only reveal the network keys stored by Windows ...
www.nirsoft.net/utils/wireless_key.html

AsterWin IE v1.03 - Reveal asterisk passwords in Internet Explorer
This utility reveals the passwords stored behind the asterisks in the web pages ... Explorer windows, and the password will be revealed after a few seconds. ...
www.nirsoft.net/utils/asterie.html

Netscapass v2.03
This utility can reveal the stored mail password (POP3 server password) for Netscape Communicator 4.x, Netscape 6.x and Netscape 7. It can also reveal the ...
www.nirsoft.net/utils/netscapass.html

IE PassView - Internet Explorer Password Viewer
Opera Password Recovery Master: Shareware tool that recover Opera Passwords. PasswordFox - Reveal the passwords stored in Firefox. ...
www.nirsoft.net/utils/internet_explorer_password.html

Protected Storage PassView v1.63: Recover Protected Storage passwords
The passwords are revealed by reading the information from the Protected ... strings stored in Internet Explorer, not only the AutoComplete password, ...
www.nirsoft.net/utils/pspv.html

AsterWin v1.20
Asterwin also cannot reveal the passwords in Internet Explorer Web pages, Because they are stored in different way than in other applications. if you want ...
www.nirsoft.net/utils/asterwin.html

NirSoft - freeware utilities: password recovery, system utilities ...
Network Password Recovery - Freeware utility that recovers the network passwords stored by Windows XP (Credentials file). Asterisk Logger - Reveal the ...
www.nirsoft.net/

3.01 PADGen 3.0.1.35 http://www.padgen.org Portable Application ...
This utility can reveal the passwords stored behind the asterisks in standard password text-boxes. Many applications, like CuteFTP, VNC, IncrediMail, ...
www.nirsoft.net/pad/astlog.xml

Dialupass: Recover lost dialup/RAS/VPN password in Windows XP/Vista/9x
Although the password is constantly stored in your computer, ... the Dialupass utility can reveal the Dial-Up passwords only if you are logged on with ...
www.nirsoft.net/utils/dialupass2.html

2.01 PADGen 2.0.1.22 http://www.padgen.org Portable Application ...
The passwords are revealed by reading the information from the Protected ... that reveals the passwords stored on your computer by Internet Explorer, ...
www.nirsoft.net/pad/pspv.xml

Win9x PassView v1.1
Description. The Win9x PassView utility reveals the passwords stored on your computer by Windows 95/98 operating system. It can reveal 4 types of passwords: ...
www.nirsoft.net/utils/win9xpv.html

Revealing the passwords behind asterisks in Internet Explorer
The following source code reveals the passwords stored behind the asterisks ... If IsPasswordBox(objElement) Then 'We found a password-box, so we reveal it ...
www.nirsoft.net/vb/reveal_ie_asterisk_passwords.html

Freeware Tools and System Utilities for Windows
This utility reveals the passwords stored on your computer by Internet Explorer, Outlook Express and POP3 accounts of MS-Outlook. The passwords are revealed ...
www.nirsoft.net/utils/index.html

Mail PassView: Password recovery for Outlook, Outlook Express ...
Added support for Gmail passwords stored by Google Desktop. 23/06/2006, 1.36. Fixed bug: Mail PassView didn't show Netscape/Thunderbird accounts when using ...
www.nirsoft.net/utils/mailpv.html

Password Recovery Tools for Windows
By default, PasswordFox displays the passwords stored in your current ... It can recover 2 of passwords: password stored for the current logged-on user ...
www.nirsoft.net/password_recovery_tools.html

Visual Basic Code Snippets and Utilities
This small utility reveals the passwords stored behind the asterisks in the web pages of Internet Explorer 5.0 and above. ...
www.nirsoft.net/vb/

--
Xu Zhiyong kidnapped by gangsters http://tr.im/vxqH
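Added illustration of items 1, 2, 3 and 5 above (example code, not from the original post and not the code of KeePass, Firefox, Thunderbird or any NirSoft tool listed): a password that a program "remembers" by writing it to a local file in the clear is readable by any process running as the same user, which is all the recovery tools above need, whereas a store encrypted under a master password hands such a process only ciphertext plus a tag that rejects wrong passwords. The sample credentials, the master password and the iteration count are constructed for the example. The HMAC-SHA256 counter-mode keystream with encrypt-then-MAC is a stand-in chosen so the script needs only the Python standard library; a real password manager uses a standard block cipher such as AES in its place.

```python
import hashlib
import hmac
import json
import secrets

# Added example of a toy master-password vault; not the code of any tool named above.
# Constructed sample credentials for the demonstration.
SAMPLE_ENTRIES = {
    "mail.example.com": {"user": "alice", "password": "s3cret-pw-2009"},
    "chat.example.org": {"user": "alice", "password": "another-pw"},
}

PBKDF2_ITERATIONS = 100_000   # assumption: work factor chosen for the example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def plaintext_store(entries):
    """What 'remember my password' without a master password amounts to:
    the credentials are written to disk as-is, so any process running as
    the same user can simply read them back."""
    return json.dumps(entries).encode("utf-8")


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a separate
    MAC key with PBKDF2-HMAC-SHA256 (standard library)."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """Counter-mode keystream using HMAC-SHA256 as the PRF.  This stands in
    for a real cipher (assumption made to stay inside the standard library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password, entries):
    """Encrypt-then-MAC the serialized entries.  Layout: salt | nonce | tag | ciphertext."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = plaintext_store(entries)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password, blob):
    """Verify the tag first, then decrypt.  A wrong master password (or a
    tampered file) is rejected before any plaintext is produced."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    ks = keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    return json.loads(plaintext.decode("utf-8"))


def leaks_secret(blob, secret):
    """The check a local 'password reveal' tool effectively performs:
    do the stored bytes contain the password in the clear?"""
    return secret.encode("utf-8") in blob


if __name__ == "__main__":
    pw = "s3cret-pw-2009"
    master = "correct horse battery staple"   # constructed master password
    print("cleartext store leaks password:", leaks_secret(plaintext_store(SAMPLE_ENTRIES), pw))
    blob = seal(master, SAMPLE_ENTRIES)
    print("encrypted vault leaks password:", leaks_secret(blob, pw))
    print("round trip with master password:", open_vault(master, blob) == SAMPLE_ENTRIES)
```

The point of `open_vault` checking the tag before decrypting is that a wrong master password produces an error rather than garbage, and a file edited on disk is detected; the salt stored in the blob means two users with the same master password still get different keys, and the iteration count is what makes guessing the master password slow.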

wanghx

Aug 17, 2009, 8:15:48 AM
to lihlii-g, 公民力量群发, gongmi...@googlegroups.com, China...@googlegroups.com
  1. Where security is especially needed, click Start / Run, type osk.exe to run the On-Screen Keyboard, enter the password by clicking the on-screen keyboard with the mouse, and keep moving the keyboard window while entering it so that the mouse actions are more complex. Part of the password's keys can be entered with the mouse and part with the keyboard. Then only a trojan that monitors both the keyboard and the mouse/screen actions can capture your password.
  2. If you have many passwords that are hard to remember, you can store them encrypted with the keepass password-manager software. The master password used to encrypt the password store can be entered via the OSK on-screen keyboard, which is safer. keepass also comes with an on-screen keyboard plugin.
Note that item 1 above is wrong. The osk.exe on-screen keyboard cannot stop a trojan that eavesdrops on keyboard input from stealing the password, because the entered information still has to be sent to the software receiving the password through Windows event messages. That was my mistake.

In item 2, however, the embedded on-screen keyboard plugin approach used by keepass can prevent eavesdropping on keyboard input, because the entered information does not go through Windows event messages but is passed internally within the software.

Two Microsoft researchers [1] proposed a simple trick for preventing a password from being stolen by a trojan. The method: when entering a password in a web page or a software login screen, after typing each character of the password, click the mouse somewhere other than the password field, type some random characters, then return to the password box and type the next character, repeating until the whole password has been entered. This way, even on an insecure internet cafe computer where keyboard and mouse actions are monitored, a trojan eavesdropping on keystrokes has great difficulty capturing the password.

The principle behind this method is that the techniques trojans use to capture passwords generally cannot tell how the characters you type are distributed inside a piece of software. Of course, there are cracking methods aimed specifically at this trick, but they are too complex for current keystroke-capturing trojans to support: the trojan would have to capture the screen on every keystroke and combine that with the captured mouse operations to complete the password capture. That is far too much work.

But please note that the above method only defends against software eavesdropping on keyboard input. If a piece of software stores and transmits passwords insecurely, then even with this method the password may still be stolen by network eavesdropping or by decrypting the password file.

If you can read English, you can read these references [1]-[4] on defending against trojans.

References:

[1] Cormac Herley and Dinei Florencio: How To Login From an Internet Café Without Worrying About Keyloggers; Microsoft Research, Redmond; http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
[2] Nikolay Grebennikov: Keyloggers: How they work and how to detect them; Mar 29 2007; http://www.viruslist.com/en/analysis?pubid=204791931
[3] http://en.wikipedia.org/wiki/Keystroke_logging
[4] Yury Mashevsky; Alexey Monastyrsky; Konstantin Sapronov: Rootkits and how to combat them; Virus Analyst, Kaspersky Lab; Aug 19 2005; http://www.viruslist.com/en/analysis?pubid=168740859

--
Xu Zhiyong kidnapped by gangsters http://tr.im/vxqH
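Added model of the interleaving trick described in the message above, written for this page and not taken from the cited paper or from the original post. It shows what a keyboard-only logger records when junk is typed into another field after every password character, confirms that the password is still present in that capture (only as a non-contiguous subsequence), and counts how many distinct candidate strings of the password's length the logger would have to consider without knowing which keystrokes went to which window. The sample password and decoy bursts are constructed inputs.

```python
import itertools

# Added example modelling the "type junk elsewhere between password characters"
# trick; constructed inputs, not data from the original post or the cited paper.
SAMPLE_PASSWORD = "pw1"
SAMPLE_DECOYS = ["xy", "xy", "xy"]   # junk typed into another field after each character


def keylogger_capture(password, decoys):
    """Character stream a keyboard-only logger records when the user types one
    password character, clicks into another field, types decoys[i], and clicks
    back.  The logger sees keys but not which window received them."""
    if len(decoys) != len(password):
        raise ValueError("one decoy burst per password character")
    return "".join(c + d for c, d in zip(password, decoys))


def is_subsequence(needle, haystack):
    """True if needle can be read from haystack by skipping characters.
    The password always satisfies this, which is why the trick only helps
    against loggers that lack focus/screen information."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


def distinct_subsequences(stream, k):
    """Number of distinct strings of length k that occur as subsequences of
    stream: the candidate set a logger without focus information must try.
    DP: extend every shorter subsequence by the current character, subtracting
    the extensions already counted at that character's previous occurrence."""
    dp = [1] + [0] * k          # dp[j] = distinct subsequences of length j so far
    before_prev = {}            # char -> dp snapshot taken before its previous occurrence
    for ch in stream:
        prev = dp[:]
        for j in range(1, k + 1):
            dp[j] += prev[j - 1]
            if ch in before_prev:
                dp[j] -= before_prev[ch][j - 1]
        before_prev[ch] = prev
    return dp[k]


def distinct_subsequences_bruteforce(stream, k):
    """Cross-check of the DP for small inputs."""
    return len({"".join(c) for c in itertools.combinations(stream, k)})


def candidate_count(password, decoys):
    """How many strings of the password's length hide in the capture."""
    return distinct_subsequences(keylogger_capture(password, decoys), len(password))


if __name__ == "__main__":
    capture = keylogger_capture(SAMPLE_PASSWORD, SAMPLE_DECOYS)
    print("logger sees:", capture)
    print("password still a subsequence:", is_subsequence(SAMPLE_PASSWORD, capture))
    print("candidates of length", len(SAMPLE_PASSWORD), ":", candidate_count(SAMPLE_PASSWORD, SAMPLE_DECOYS))
```

The count is the whole effect of the trick: with no decoys the capture is the password itself and the candidate count is 1; each extra burst of junk multiplies the candidates. The message's own caveats are visible in the model too. A logger that also records focus changes or screenshots collapses the candidate set back to one, and the count says nothing about a password that the receiving software then stores or transmits insecurely.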