
Author: delv
Published: 2014/1/6 10:12:55

The evolution of passwords: we are still insecure
(Reposted from IT资讯; tags: passwords, computer passwords)

Just a decade ago, users' password security, including for Hotmail accounts and AIM securities accounts, was not well protected. In recent weeks, almost every large company has suffered a security crisis involving personal data: The New York Times, Facebook, Gmail and others have all been attacked by hackers, even though these companies have taken various measures to protect large volumes of sensitive data, including credit cards, addresses and contact details. In the more than 50 years since the computer password was invented, security staff and developers have been trying to solve the password security problem once and for all and to check a trend that is getting somewhat out of hand.

The first generation of computer password systems was created in 1961 at the Massachusetts Institute of Technology for the Compatible Time-Sharing System (CTSS), and it became the basis of the computer password systems we all use today. CTSS aimed to give users independently controlled platforms on a computer sharing the same processor, so that each developer could individually manage the security of the whole system.

"The key problem was that although we set up multiple terminals used by multiple people, each person had their own private files," CTSS project leader Fernando Corbato said in an interview with Wired magazine. "Putting a separate password lock on each user seemed like a very simple solution."

These first-generation passwords were very simple and easy to keep, because complex network attacks and password-cracking programs did not yet exist, but even so the system was very easy to "fool". In 1962, CTSS researcher Dr. Allan Scherr printed out all the passwords stored in the computer, and thereby obtained far more machine time than the four hours a week he had previously been allotted.

"There was an offline file-print request, submitted on punched cards carrying an account number and a file name," Scherr wrote in a CTSS documentation record. "On a Friday night I submitted a request to print the password file; it was not printed until Saturday morning, and it was simply left out in the open. Anyone who wanted to could have gone on stealing the password information."

As operating systems became more complex and more widely used, password security received ever more attention. Robert Morris, father of the well-known hacker Robert Tappan Morris and a former scientist and cryptographer at the United States National Security Agency, developed a one-way encryption function for the UNIX operating system that was named "hashing". His son Robert Tappan Morris later became a famous hacker who created the first notorious worm to spread over a network. The "hashing" system the elder Morris wrote does not store the actual password in the computer system, so the information is not easily obtained by an attacker. The elder Morris's encryption strategy appears to have realised a development idea put forward at Cambridge University in the 1960s.

Modern UNIX-derived systems such as Linux used more secure hash algorithms from early on. Today, "salting" adds unique characters to the password before it passes through the hash function, which increases its ability to resist attacks.
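To make the three storage schemes the article contrasts concrete, here is an added example (not code from the article or from any system it mentions) that stores the same password in clear text, as a bare hash, and as a salted slow hash. The two user names, the password "sunshine", the record layout "algorithm$iterations$salt$hash" and the iteration count are all constructed for this example; Python's standard hashlib provides the PBKDF2 function used for the slow hash.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2: each guess costs this many HMAC-SHA256 rounds.
# Kept modest here so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """'Clear text' storage: a server breach hands every password straight to the attacker."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """Bare hash with no salt: two users with the same password get the same record,
    and one fast hash per guess makes dictionary attacks cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256).
    Record layout (an assumption of this example): algorithm$iterations$salt_hex$hash_hex."""
    if not salt:
        salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo() -> dict:
    """Two constructed users who happen to pick the same password."""
    alice_pw = bob_pw = "sunshine"
    unsalted = (store_unsalted_sha256(alice_pw), store_unsalted_sha256(bob_pw))
    salted = (store_salted_pbkdf2(alice_pw), store_salted_pbkdf2(bob_pw))
    return {
        "plaintext_readable": store_plaintext(alice_pw) == alice_pw,
        "unsalted_records_identical": unsalted[0] == unsalted[1],  # reveals that they match
        "salted_records_identical": salted[0] == salted[1],        # the salt hides it
        "salted_verify_ok": verify_salted_pbkdf2("sunshine", salted[0]),
        "salted_verify_wrong": verify_salted_pbkdf2("Sunshine", salted[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsalted records for the two users are byte-for-byte identical, which is exactly what lets a leaked table be attacked with one precomputed dictionary; the salted records differ even though the passwords are the same, and every guess against them costs a full PBKDF2 run.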

However, although hundreds of commonly used hashed passwords remain encrypted, they can still be guessed. In the past few years hackers have attacked servers including those of LinkedIn and Gawker, and cracked the encrypted passwords with increasing ease.

"As the Web developed and all of us came to use the Internet, passwords worked quite well," Wired magazine editor Mat Honan, himself a victim of hacking, wrote in 2012. "That was largely because there was not much data that needed protecting: on cloud servers there was hardly any personal information. With the rise of cloud technology, more and more hackers have turned their attention to big companies' servers."

Today even the website of our favourite TV show can hold our personal data, including credit card numbers and all sorts of password-protected information, and the negligence of big companies lets tragedy strike again and again.

First, even now not every website encrypts password data; some programs still store secrets "in clear text". This means their current systems have made no progress at all compared with decades ago. Once a hacker breaks into such a website's server, thousands of passwords and all the personal data that needed protecting are exposed in an instant.

Hackers usually guess passwords based on common human traits and habits. According to survey reports on several large-scale password leaks in 2013, 76% of network intrusions went through user accounts. Typically, once a hacker obtains the password for one of a person's accounts, that user's other accounts are also in great danger, because most people use the same password, or some very frequently used simple password, across different accounts (some common words inevitably get used as passwords). The method known as a "dictionary attack" tries high-frequency words from a dictionary repeatedly and cracks such simple passwords with no effort at all.

Therefore most websites require users to use more complex combinations, and require identity verification in addition to the password. For example, users are advised to compose passwords from upper- and lowercase letters, digits and special symbols, and to use different passwords for different websites.
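The registration-time check that the previous two paragraphs imply (reject dictionary words and their cheap variants, and enforce a mix of character classes) looks like this as an added example; it is not code from the article or from any site it names. The short COMMON_PASSWORDS set, the leetspeak table, the 12-character minimum and the three-class rule are assumptions constructed for the example; a real deployment would load a large list of leaked passwords instead.

```python
import re
import string

# Constructed stand-in for a "common passwords" list; a real deployment would load
# a list of millions of leaked passwords instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou", "sunshine", "welcome",
}

# Dictionary attacks also try cheap variants of each word (trailing digits or
# symbols, leetspeak), so the check normalises a candidate the same way.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def variants(candidate: str) -> set:
    """Forms of the candidate that a dictionary attack would reach in one step."""
    base = candidate.lower()
    stripped = TRAILING_JUNK.sub("", base)
    leet = base.translate(LEET_TABLE)
    return {base, stripped, stripped.translate(LEET_TABLE), leet, TRAILING_JUNK.sub("", leet)}


def check_password(candidate: str, min_length: int = 12) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if variants(candidate) & COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    return problems


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd123!", "Tr0ub4dor&3-Rainfall"]:
        print(pw, "->", check_password(pw) or "accepted")
```

Note that "P@ssw0rd123!" satisfies the length and character-class rules yet is still rejected, because stripping the trailing "123!" and undoing the substitutions gives "password": complexity rules alone do not stop a dictionary attack that tries the same variants.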

But the average Internet user now visits 25 websites a day that require a password login, and separately memorising a different password of at least 14 characters for each of them is a huge mental burden for ordinary users.

The reality is that ordinary users' passwords are not only insecure; some are practically useless, because most users set passwords carelessly and perfunctorily. Jeremy Grant, a senior adviser who has long worked on national online identity security strategy, told Mashable: "Although a complex password of 12 to 18 characters is highly secure, from a usability standpoint most people do not have the patience. Instead they have only one or two simple passwords and use them everywhere."

Even the most secure passwords are vulnerable to a range of systematic attacks, including brute force: when a hacker, or a computer running a malicious program, repeatedly works through every possible combination of letters, digits and symbols, there is still a chance of recovering the password. To get at private data and collect personal information, hackers may also impersonate a website the user visits and lure the user into entering sensitive information such as address, phone number and account password, which makes obtaining the user's account details even easier; this is what is known as a phishing site. Even the most complex password, once the user has typed it into one of these fake sites, is easily tricked out of the user.

Little wonder, then, that Bill Gates announced as early as 2004 that relying on passwords for security was dead.

Over the past decade, many researchers and start-ups have looked for ways to strengthen password security or to replace passwords altogether. The results include personal data managers such as LastPass and 1Password, which store personal data and encrypted passwords centrally and unlock them with an image-based or personal-gesture method.

Some companies have introduced a second-level security measure for employees, for example a security chip carried on the person as the primary safeguard. Similarly, Google has disclosed that it recently plans to put an encryption key on a small USB device that can serve as a boot-password tool for certain important equipment.

These more advanced approaches are promising but have not attracted much response. Biometric devices such as the Nymi wristband still have major flaws: because biological information is completely irreplaceable, once it is stolen or copied the user cannot reset his own retina or heartbeat. Fingerprint scanners face the same problem. "Although fingerprints are hard to forge, it is not impossible. So at the bank I only use the fingerprint feature when I'm alone," Vijay Pandurangan, a co-founder of the password manager Mitro, told Mashable.

Recently, employees at companies such as Google have started to enable two-factor authentication, adding an extra layer of password security. It requires verification through two independent means, usually a combination of a password and an SMS verification code. But resourceful hackers can still obtain the target's mobile number in advance, for example through gaming sites, which is not difficult for them.

Even so, two-factor authentication may still be the key to password security in the future. Passwords are deeply rooted in the culture of network security, and expecting an entire generation of users already accustomed to them to accept a completely new system is unreasonable. But multi-factor authentication, which layers an SMS verification code or a fingerprint on top of the traditional password, is a very feasible solution. In theory, the more a normal login requires, the smaller the chance that a hacker obtains everything needed to log in successfully.

"The best security solution is to layer multiple elements, so that breaking one layer does not affect the whole ecosystem," Grant said. "If we are only logging in to a Gmail account, an ordinary password may do, together with Google's authentication process. But to log in to health records or a bank's website, you may need a second layer of protection, such as phone or SMS verification or biometrics."

"So far, the smartphone has really given us an excellent platform for multiple authentication mechanisms that can get past some of the obstacles of the past."

But as multi-factor authentication becomes the most secure method, it also demands a degree of sacrifice, for example the user's privacy, and the kinds of information it needs go far beyond what we are willing to accept. "The security system has to read the user's location and usage habits; even speech habits and DNA are possible," Honan wrote in a Wired article.

Grant points out, however, that any technology too complex for consumers will be flatly rejected. Future security technology should not push complexity onto consumers or inconvenience users. Collecting information such as location, on the other hand, is a very promising route: if a device detects a user logging in from an unfamiliar country or place, it switches on an extra security mechanism. Some Facebook users have already encountered this: when the system sees a user logging in from an unfamiliar IP address, they face a second or even a third tier of security verification.
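The layered scheme described from the two-factor paragraphs through Grant's tiering and the unfamiliar-location step-up above can be written as one decision function. The following is an added example, not code from the article or from Google, Facebook or any other system it mentions: the UserProfile fields, the country codes, the six-digit code format, its five-minute lifetime and the "biometric" third tier are all assumptions constructed for the example, and the password check itself is assumed to have been done elsewhere against the stored hash and is passed in as a boolean.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserProfile:
    """Constructed per-user state for this example (not any real product's schema)."""
    known_countries: set = field(default_factory=set)  # countries seen on past successful logins
    high_value: bool = False     # e.g. bank or health-record account, per Grant's tiering
    pending_code: str = ""       # last SMS-style one-time code issued, until used or expired
    code_expires_at: float = 0.0


def required_factors(profile: UserProfile, login_country: str) -> list:
    """Decide which factors this login must present: a password always; a one-time
    code for high-value accounts or unfamiliar locations; a third tier (here a
    device biometric) when both conditions hold."""
    unfamiliar = login_country not in profile.known_countries
    factors = ["password"]
    if profile.high_value or unfamiliar:
        factors.append("sms_code")
    if profile.high_value and unfamiliar:
        factors.append("biometric")
    return factors


def issue_code(profile: UserProfile, now: float, ttl_seconds: int = 300) -> str:
    """Generate a six-digit one-time code that expires after ttl_seconds."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    profile.pending_code = code
    profile.code_expires_at = now + ttl_seconds
    return code  # a real system sends this to the user's phone, never to the browser


def verify_code(profile: UserProfile, submitted: str, now: float) -> bool:
    """Single-use, time-limited, constant-time comparison."""
    if not profile.pending_code or now > profile.code_expires_at:
        return False
    ok = hmac.compare_digest(profile.pending_code, submitted)
    profile.pending_code = ""  # consume the code whether or not it matched
    return ok


def login(profile: UserProfile, login_country: str, password_ok: bool,
          submitted_code: str = "", biometric_ok: bool = False,
          now: Optional[float] = None) -> dict:
    """Evaluate one login attempt. password_ok is the result of the password check
    (done elsewhere against the stored hash); the other factors are checked here."""
    now = time.time() if now is None else now
    needed = required_factors(profile, login_country)
    checks = {
        "password": lambda: password_ok,
        "sms_code": lambda: bool(submitted_code) and verify_code(profile, submitted_code, now),
        "biometric": lambda: biometric_ok,
    }
    missing = [factor for factor in needed if not checks[factor]()]
    if not missing:
        profile.known_countries.add(login_country)  # this location is familiar from now on
    return {"allowed": not missing, "required": needed, "missing": missing}


if __name__ == "__main__":
    user = UserProfile(known_countries={"CN"})
    t0 = time.time()
    print(login(user, "CN", password_ok=True, now=t0))           # password alone suffices
    print(login(user, "US", password_ok=True, now=t0))           # unfamiliar country: code missing
    code = issue_code(user, now=t0)
    print(login(user, "US", password_ok=True, submitted_code=code, now=t0 + 30))
```

The point the article makes in the abstract shows up in the last two calls: a correct password presented from an unfamiliar country is refused until the second factor arrives, so a password stolen by phishing or from a breached server is not enough on its own, while a login from a familiar place stays as convenient as before.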

If we continue to choose to keep our personal information online, we will have to accept sacrificing some convenience and privacy, at least for now. We have no choice but to face it. And in the meantime, don't forget to keep strengthening the complexity of the passwords we use every day.
