Cyber-security guide: a good password strategy


wanghx

Sep 18, 2010, 11:41:52 AM
to Salon Friends, lihlii-g, po...@lihlii.posterous.com, jr...@googlegroups.com, wl...@googlegroups.com, wla...@googlegroups.com
A good password strategy is to pick a long sentence you can easily remember, such as a line of poetry, and take the first letter of each character's pinyin as the password.
It is easy for you to remember and hard for others to guess.

Use this long password as the master password prefix.

For each different account, choose an additional short, easy-to-remember password suffix that relates to the site.
Each account's password is then made of the same master password prefix and a different short password suffix [1].
That way, even if one account's password is stolen [4], the thief cannot easily work out the passwords of your other accounts.
Yet you can easily remember every account's password.

For example,
pick a long password prefix: 天然一个仙人洞无限风光在险峰 → trygxrdwxfgzxf
This string looks meaningless, but it means something to you. ;)

Then choose
gmail account password suffix: gm01
hotmail account password suffix: h0m

So that
gmail password: trygxrdwxfgzxfgm01
hotmail password: trygxrdwxfgzxfh0m

This way, if one password is stolen, it is hard to tell which part is the prefix and which part is the suffix, so it is hard to guess the other accounts' passwords.
Even if two accounts' passwords are stolen and the common prefix is learned, guessing the suffix of a third account still takes some time.
Passwords like this are quite strong [2], yet the memory burden is not great.

To avoid forgetting passwords, learn to use KeePass [7] to store your web passwords, so you do not fall back on the same password everywhere because you cannot remember them, with the risk that one stolen password lets a thief take over all your accounts.
Take special care not to save account passwords, out of laziness, on public computers at the office, in internet cafés, in hotels and so on. Even when saving passwords on a private computer, you must choose software that supports master-password encryption [3], and it is best not to save account passwords at all, because saved passwords are not necessarily stored encrypted and can easily be recovered with software tools [5][6].

References:

[1] Security Simplified: The Base+Suffix Method for Memorable Strong Passwords; Thursday, February 19, 2009; http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html
[2] Cracking Passwords in the Cloud: Insights on Password Policies; Thursday, October 29, 2009; http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
[3] Master Password Encryption in FireFox and Thunderbird; Friday, February 27, 2009; http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html
[4] SniffPass v1.12 - Password Monitoring Software; http://www.nirsoft.net/utils/password_sniffer.html
[5] Mail PassView - Recover POP3/IMAP/SMTP email passwords; http://www.nirsoft.net/utils/password_sniffer.html
[6] Dialupass - Recover VPN/RAS/Dialup passwords; http://www.nirsoft.net/utils/dialupass2.html
[7] Five Best Password Managers; http://lifehacker.com/5042616/five-best-password-managers

[8] Gmail security check steps
http://3.ly/fTFs = https://docs.google.com/View?id=d9bwjsf_14fb6wj6hb
http://3.ly/FQFR = https://www.google.com/buzz/104802289453542970648/FV7eH2WUfwX/
http://is.gd/bYh7q = https://www.google.com/buzz/104802289453542970648/FV7eH2WUfwX/

[9] E-mail security tips http://3.ly/rM9S = https://www.google.com/buzz/104802289453542970648/3p9eht8utUB/

[10] virushuo: Security guide for anonymous netizens https://www.google.com/buzz/changsimeng/YCJVddVvqK2/
Security guide for anonymous netizens (1) https://www.google.com/buzz/100347718699709543053/hu1cGmnAnGx/
Security guide for anonymous netizens (2) https://www.google.com/buzz/100347718699709543053/1kGBjJ1Jw5c/

[11] wxzbb: Everyday tech: check your Google account security! https://www.google.com/buzz/104802289453542970648/fkFF6amKXDk/
[12] Do you really think China Telecom and China Unicom don't steal your passwords? https://www.google.com/buzz/changsimeng/4NG96qtRbH5/
[13] Guarding against e-mail phishing scams that steal passwords https://www.google.com/buzz/changsimeng/8V51WoevTpo/
[14] Internet security recommendations https://www.google.com/buzz/104802289453542970648/Fk7AsXcV2Ji/

[15] 编程随想 (program-think): How to prevent hacker intrusions
https://www.google.com/buzz/changsimeng/Wk4kHpyx6Yz/
http://blog.csdn.net/program_think/archive/2010/06/09/5657262.aspx
https://www.google.com/buzz/changsimeng/HsT1eTZ7iyg/
http://program-think.blogspot.com/2010/06/howto-prevent-hacker-attack-1.html
http://blog.csdn.net/program_think/archive/2010/06/09/5657269.aspx
http://program-think.blogspot.com/2010/06/howto-prevent-hacker-attack-2.html
http://blog.csdn.net/program_think/archive/2010/06/15/5673033.aspx
http://program-think.blogspot.com/2010/06/howto-prevent-hacker-attack-3.html
http://blog.csdn.net/program_think/archive/2010/06/20/5682094.aspx
https://www.google.com/buzz/program.think/KP2FrN4c4RH/
https://www.google.com/buzz/program.think/66R8cijnwGM/
http://program-think.blogspot.com/2010/08/howto-prevent-hacker-attack-4.html
http://blog.csdn.net/program_think/archive/2010/08/02/5783947.aspx

[16] 编程随想 (program-think): The harm of the CNNIC certificate and the various ways to remove it
https://www.google.com/buzz/changsimeng/b5dVmPZSe6p/
http://program-think.blogspot.com/2010/02/remove-cnnic-cert.html
http://blog.csdn.net/program_think/archive/2010/02/16/5309699.aspx
http://program-think.blogspot.com/2010/02/about-cnnic.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!623.entry
http://program-think.blogspot.com/2010/02/introduce-digital-certificate-and-ca.html
http://blog.csdn.net/program_think/archive/2010/02/08/5300184.aspx

[17] 编程随想 (program-think): How to hide your tracks and avoid cross-province arrest
https://www.google.com/buzz/changsimeng/Az9MioJQvsQ/
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-0.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!674.entry
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-1.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!675.entry
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-2.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!678.entry
http://program-think.blogspot.com/2010/05/howto-cover-your-tracks-3.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!689.entry

[18] 编程随想 (program-think): Information security: social engineering; https://www.google.com/buzz/104802289453542970648/N88CucN5YsT/
http://program-think.blogspot.com/2009/05/social-engineering-0-overview.html
http://blog.csdn.net/program_think/archive/2009/05/05/4152922.aspx
http://program-think.blogspot.com/2009/05/social-engineering-1-gather-information.html
http://blog.csdn.net/program_think/archive/2009/05/06/4156187.aspx
http://program-think.blogspot.com/2009/05/social-engineering-2-pretend.html
http://blog.csdn.net/program_think/archive/2009/05/09/4164242.aspx
http://program-think.blogspot.com/2009/05/social-engineering-3-influence.html
http://blog.csdn.net/program_think/archive/2009/05/19/4202545.aspx
http://program-think.blogspot.com/2009/06/social-engineering-4-example.html
http://blog.csdn.net/program_think/archive/2009/06/07/4250266.aspx
http://program-think.blogspot.com/2009/07/social-engineering-5-defend.html
http://blog.csdn.net/program_think/archive/2009/07/08/4329731.aspx
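As an added worked example (not code from the post above or from any of the linked articles), the script below builds the post's two sample passwords from its prefix and suffixes, then shows the attacker's side of the post's own caveat: once two derived passwords leak, a longest-common-prefix computation recovers the shared master prefix at once, and only the short site suffix stands between the thief and a third account. The suffix alphabet size (36: lowercase letters and digits) and the guessing rates are assumptions chosen for illustration, not figures from the post.

```python
"""Prefix+suffix password scheme from the post, plus what a thief learns
once two of the derived passwords have leaked.

Added example, not code from the post. Alphabet size and guessing rates in
the cost estimate are assumptions for illustration only.
"""

# The post's own sample prefix: pinyin initials of
# 天然一个仙人洞无限风光在险峰 (tian ran yi ge xian ren dong wu xian feng guang zai xian feng)
MASTER_PREFIX = "trygxrdwxfgzxf"

# The post's own sample suffixes (short and related to the site).
SITE_SUFFIXES = {
    "gmail": "gm01",
    "hotmail": "h0m",
}


def build_password(prefix: str, suffix: str) -> str:
    """Derive one account password: shared prefix followed by the site suffix."""
    return prefix + suffix


def derive_all(prefix: str, suffixes: dict) -> dict:
    """Derive the password for every site listed in `suffixes`."""
    return {site: build_password(prefix, sfx) for site, sfx in suffixes.items()}


def common_prefix(a: str, b: str) -> str:
    """Longest common prefix of two strings.

    This is exactly what a thief learns after stealing two derived passwords:
    the shared master prefix falls out with no guessing at all.
    """
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def suffix_guesses(max_len: int, alphabet_size: int = 36) -> int:
    """Number of candidate suffixes of length 1..max_len.

    alphabet_size=36 assumes lowercase letters plus digits, which matches the
    sample suffixes gm01 and h0m (an assumption, not a fact from the post).
    """
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    pws = derive_all(MASTER_PREFIX, SITE_SUFFIXES)
    for site, pw in pws.items():
        print(f"{site:8s} {pw}")

    # Attacker view after two leaks: the prefix is recovered immediately ...
    learned = common_prefix(pws["gmail"], pws["hotmail"])
    print("recovered prefix:", learned)

    # ... so a third account is protected only by its short suffix.
    # Assumed rates: ~10 guesses/s against a rate-limited login form,
    # ~1e9 guesses/s offline against a leaked fast, unsalted hash.
    n = suffix_guesses(4)
    print(f"suffixes up to 4 chars over 36 symbols: {n}")
    print(f"  online  @10/s : {seconds_to_exhaust(n, 10) / 86400:.1f} days")
    print(f"  offline @1e9/s: {seconds_to_exhaust(n, 1e9):.4f} s")
```

With a single leak the thief indeed cannot tell where the prefix ends, as the post says; the numbers above quantify the post's "still takes some time" for the two-leak case, which is why the suffix matters far more once any second password is exposed.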
