Worried about website password leaks # PhotoGear - Photography Gear
a*8
1
On Windows use keepass; on Mac/Linux use keepassX. It can manage all your website passwords. By now basically all my website passwords are randomly generated by keepass. When I need one I copy/paste it; I don't memorize them. keepass's local database is AES-encrypted, and it can also use multi-factor, i.e. password + SD card.
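An added illustration (not keepass's own code, and not from any post in this thread) of the "password + SD card" idea in post 1: a simplified composite key in which the key file's hash is mixed into the password before a slow key-derivation step, so the database cannot be unlocked with the password alone. The hash choices, PBKDF2 and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumption: enough to make each attacker guess noticeably slow


def key_from_keyfile(keyfile_bytes: bytes) -> bytes:
    """Reduce an arbitrary key file (e.g. one kept on an SD card) to 32 bytes."""
    return hashlib.sha256(keyfile_bytes).digest()


def composite_key(password: str, keyfile_bytes: Optional[bytes]) -> bytes:
    """Hash the password, append the key-file key if present, hash again."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        material += key_from_keyfile(keyfile_bytes)
    return hashlib.sha256(material).digest()


def derive_db_key(password: str, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key so every guess costs ITERATIONS hash operations."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile_bytes),
                               salt, ITERATIONS, dklen=32)


def key_check(db_key: bytes, header: bytes) -> bytes:
    """Tag stored beside the database so a wrong key is rejected before decryption."""
    return hmac.new(db_key, header, hashlib.sha256).digest()


def unlock(password: str, keyfile_bytes: Optional[bytes], salt: bytes,
           header: bytes, stored_check: bytes) -> bool:
    """True only when password AND key file together reproduce the stored check."""
    candidate = key_check(derive_db_key(password, keyfile_bytes, salt), header)
    return hmac.compare_digest(candidate, stored_check)


def demo() -> dict:
    """Constructed scenario: one database, four unlock attempts."""
    salt = os.urandom(16)            # constructed; a real DB stores a random salt in its header
    header = b"constructed-db-header"
    keyfile = os.urandom(64)         # constructed key-file content (the "SD card" factor)
    password = "a long pass phrase that is easy to remember"
    check = key_check(derive_db_key(password, keyfile, salt), header)
    return {
        "password and key file": unlock(password, keyfile, salt, header, check),
        "password only": unlock(password, None, salt, header, check),
        "password and wrong key file": unlock(password, os.urandom(64), salt, header, check),
        "wrong password and key file": unlock("a long pass phrase", keyfile, salt, header, check),
    }
```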
x*c
2
What do you do when you're away from home?

【Quoting a****8's post】
: On Windows use keepass; on Mac/Linux use keepassX. It can manage all your website passwords. By now basically all my website passwords are randomly generated by keepass. When I need one I copy/paste it; I don't memorize them. keepass's local database is AES-encrypted, and it can also use multi-factor, i.e. password + SD card.

a*8
3
The database can be put on Dropbox. keepass has iPhone/Android clients, but they're not free.

【Quoting x****c's post】
: What do you do when you're away from home?
c*s
4
ft... I don't trust anything that's online.
a*8
5
What you put online is AES-encrypted.

【Quoting c******s's post】
: ft... I don't trust anything that's online.
r*l
6
So? If you use a password to decrypt it, the password can be brute-forced.
If you need password + key, then you need to carry the key file with you all the
time. It's still not convenient.

【Quoting a****8's post】
: What you put online is AES-encrypted.
a*8
7
Give me a break. When you have a good long password, it will take ages to
brute-force AES. If a hacker has to resort to brute force, that's as good as
saying the algorithm is unbreakable.

【Quoting r*****l's post】
: So? If you use a password to decrypt it, the password can be brute-forced.
: If you need password + key, then you need to carry the key file with you all the
: time. It's still not convenient.

r*l
8
If it's really long. However, most people are just comfortable with an 8-char
password or less. That's just too short. A brute-force attack does not try to
break the algorithm, but tries to guess the password. Two different concepts.
You mentioned "a good long password". Please give me some real numbers. How
long is long enough? And can those "good long" passwords be memorized?
If not, you still need to put it somewhere, like online or carry it every day. That's my point.

【Quoting a****8's post】
: Give me a break. When you have a good long password, it will take ages to
: brute-force AES. If a hacker has to resort to brute force, that's as good as
: saying the algorithm is unbreakable.

d*0
9
If your Dropbox password is lost, isn't everything gone?

【Quoting a****8's post】
: The database can be put on Dropbox. keepass has iPhone/Android clients, but they're not free.
a*8
10
Never used Dropbox? There's a local copy.

【Quoting d*****0's post】
: If your Dropbox password is lost, isn't everything gone?
d*0
11
I mean all your passwords would be leaked.

【Quoting a****8's post】
: Never used Dropbox? There's a local copy.
a*8
12
Here are a few:
It has appeared in public and so should be avoided by everyone.
Long long time ago there were a temple, a young monk and an old one.
three dot one four one five nine two six is NOT really a good pass phrase.

where, like online or carry it everyday. You either store them in clear
text (totally unsafe) or have to protect it with another password. Then how
do you save the password that protects your "good long password"?

【Quoting r*****l's post】
: If it's really long. However, most people are just comfortable with an 8-char
: password or less. That's just too short. A brute-force attack does not try to
: break the algorithm, but tries to guess the password. Two different concepts.
: You mentioned "a good long password". Please give me some real numbers. How
: long is long enough? And can those "good long" passwords be memorized?
: If not, you still need to put it somewhere, like online or carry it every day. That's my point.

a*8
13
If your Dropbox password leaks, your password database is still encrypted.

【Quoting d*****0's post】
: I mean all your passwords would be leaked.
a*8
14
Those passwords with digits, all sorts of messy symbols and both upper and lower case, but not long enough, are hard for people to remember and easy for machines to crack. Use a pass phrase that is easy for people to remember and hard for machines to crack.
r*l
15
You still don't understand the differences between theory and usability.
Imagine every time you access your bank account, you need to type 68
characters ...
Good luck typing :)

【Quoting a****8's post】
: Here are a few:
: It has appeared in public and so should be avoided by everyone.
: Long long time ago there were a temple, a young monk and an old one.
: three dot one four one five nine two six is NOT really a good pass phrase.

f*d
16
Who are you? Who am I? Who would waste so much time cracking our password?

【Quoting r*****l's post】
: You still don't understand the differences between theory and usability.
: Imagine every time you access your bank account, you need to type 68
: characters ...
: Good luck typing :)

a*8
17
You didn't understand what I was saying. Use one long passphrase to protect your key pass database; the bank password is generated by key pass. You don't have to memorize it yourself; just copy and paste it when you use it. Every website's password is different, so if one is compromised (you can't be sure how a website stores your password; if it's stored in plain text, no length will help), the others aren't affected.
Using a pass phrase isn't just theory; it's basically the consensus of the security community. Once you're used to typing a few dozen characters it goes quickly. It really isn't that scary, especially since many of them are common words and can be touch-typed.

【Quoting r*****l's post】
: You still don't understand the differences between theory and usability.
: Imagine every time you access your bank account, you need to type 68
: characters ...
: Good luck typing :)

B*G
18
It's still too much hassle. This time when changing passwords I thought changing ten or so would be about enough, but when I made a list I found that the frequently used sites I could think of numbered more than thirty. If every site had a different password and I had to look it up each time, I'd definitely go crazy.

【Quoting a****8's post】
: You didn't understand what I was saying. Use one long passphrase to protect your key pass database; the bank password is generated by key pass. You don't have to memorize it yourself; just copy and paste it when you use it. Every website's password is different, so if one is compromised (you can't be sure how a website stores your password; if it's stored in plain text, no length will help), the others aren't affected.
: Using a pass phrase isn't just theory; it's basically the consensus of the security community. Once you're used to typing a few dozen characters it goes quickly. It really isn't that scary, especially since many of them are common words and can be touch-typed.

r*l
19
I am talking about typing the passphrase. Every time you open your key pass
DB, you need to type it.
For rare use, like logging in to a secure prod box's root account, typing is
not a big issue. That does not happen frequently.
If you are talking about the password for your online account:
1, If it's too short, then it's easy to brute-force.
2, If it's long enough, then you are still at the mercy of the website's
implementation. If they store clear text and/or use an insecure hash like MD5,
then no matter how long the password is, it's not secure.

【Quoting a****8's post】
: You didn't understand what I was saying. Use one long passphrase to protect your key pass database; the bank password is generated by key pass. You don't have to memorize it yourself; just copy and paste it when you use it. Every website's password is different, so if one is compromised (you can't be sure how a website stores your password; if it's stored in plain text, no length will help), the others aren't affected.
: Using a pass phrase isn't just theory; it's basically the consensus of the security community. Once you're used to typing a few dozen characters it goes quickly. It really isn't that scary, especially since many of them are common words and can be touch-typed.
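Added worked numbers for the questions raised in posts 8 and 19 (not from any poster): the entropy of an 8-character random password versus a random-word passphrase, and how the expected cracking time depends on whether the site stored a fast hash like MD5 or a deliberately slow key-derivation function. The alphabet size, word-list size and guess rates are constructed assumptions.

```python
import math

# Constructed assumptions for the comparison (not figures from the thread).
PRINTABLE_ASCII = 95        # characters typable on a US keyboard
WORDLIST_SIZE = 7776        # size of a diceware-style random word list
SECONDS_PER_YEAR = 365 * 24 * 3600

# Offline guess rates against a stolen credential store, in guesses per second.
# Round illustrative numbers: a fast unsalted hash such as MD5 on GPUs versus a
# slow KDF (e.g. PBKDF2 with a large iteration count).
GUESS_RATES = {"fast hash (MD5)": 1e11, "slow KDF": 1e5}


def entropy_bits_chars(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def entropy_bits_words(wordlist_size: int, words: int) -> float:
    """Bits of entropy in a passphrase of `words` words drawn at random from a list.
    A natural-language sentence is far less random than this and scores lower."""
    return words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare() -> dict:
    """Years to crack each password model under each storage/guess-rate assumption."""
    models = {
        "8 random printable chars": entropy_bits_chars(PRINTABLE_ASCII, 8),
        "6 random words": entropy_bits_words(WORDLIST_SIZE, 6),
        "68 random printable chars": entropy_bits_chars(PRINTABLE_ASCII, 68),
    }
    return {name: {store: years_to_crack(bits, rate) for store, rate in GUESS_RATES.items()}
            for name, bits in models.items()}


if __name__ == "__main__":
    for name, rows in compare().items():
        for store, years in rows.items():
            print(f"{name:28s} {store:16s} {years:12.3g} years")
```

With these assumptions the 8-character password falls in under a day against a fast hash but takes about a thousand years against the slow KDF, while six random words hold up for tens of thousands of years even against the fast hash.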

r*l
20
You are such a small fish that hackers have no interest in your accounts.
I am too. That's why I use an 8-character password for my online accounts w/o
worrying about someone breaking into it.

【Quoting f*******d's post】
: Who are you? Who am I? Who would waste so much time cracking our password?
f*d
21
There is an essential difference between a pass phrase and a password. As long as the private key isn't stolen, it's almost impossible to crack, because all the passwords are generated in real time and expire very quickly.

【Quoting r*****l's post】
: You are such a small fish that hackers have no interest in your accounts.
: I am too. That's why I use an 8-character password for my online accounts w/o
: worrying about someone breaking into it.

a*8
22
Do you really think hackers put their main effort into finding millionaires' accounts?

【Quoting r*****l's post】
: You are such a small fish that hackers have no interest in your accounts.
: I am too. That's why I use an 8-character password for my online accounts w/o
: worrying about someone breaking into it.

r*l
23
There is a consequence related to an account being hacked. As long as the
situation can be kept under control, it's not a big deal.
At least I don't worry. I don't have top secrets to hide.
Don't you know that banks have a complete line of products to protect
consumers, like Adaptive Auth, Identity Verification, OOB, etc.? An online
account being hacked does not mean that you lose everything.

【Quoting a****8's post】
: Do you really think hackers put their main effort into finding millionaires' accounts?
r*l
24
Do you use a real-time generated and short-lived password for your bank
account? "expire very quickly", how soon?
"As long as the private key isn't stolen, it's almost impossible to crack": do you know there are
techniques like XSS, XSRF, code/SQL injection, etc.? A perfect example is
the recent password breach in China.

【Quoting f*******d's post】
: There is an essential difference between a pass phrase and a password. As long as the private key isn't stolen, it's almost impossible to crack, because all the passwords are generated in real time and expire very quickly.

a*8
25
A pass phrase is just a long password that is easy for people to remember and hard for machines to crack. There's no essential difference.
Pass phrases/passwords are generally used with symmetric encryption. There is only one key, the password/pass phrase, and that is the thing to be protected.
Public/private key schemes are asymmetric. The public key doesn't need protecting; the private key does. Those two keys are generally not a password/pass phrase.

【Quoting r*****l's post】
: Do you use a real-time generated and short-lived password for your bank
: account? "expire very quickly", how soon?
: "As long as the private key isn't stolen, it's almost impossible to crack": do you know there are
: techniques like XSS, XSRF, code/SQL injection, etc.? A perfect example is
: the recent password breach in China.

k*t
26
A password that has to be written down isn't a good PASSWORD, unless you're a sysadmin with a hundred-plus different PASSWORDs.
r*l
27
I know what a passphrase is. You suggested a long one; I did not say it cannot
protect your secret. I just said that it's inconvenient to use it for a
personal account if the passphrase is 68 characters long, because when you need to
log in to your online account, you need to open your keypass and you need to
type your password.
The question I asked "foolsgold" is different. Your reply is not relevant to
that.
Asymmetric algorithms are not related to the whole discussion either.

【Quoting a****8's post】
: A pass phrase is just a long password that is easy for people to remember and hard for machines to crack. There's no essential difference.
: Pass phrases/passwords are generally used with symmetric encryption. There is only one key, the password/pass phrase, and that is the thing to be protected.
: Public/private key schemes are asymmetric. The public key doesn't need protecting; the private key does. Those two keys are generally not a password/pass phrase.

v*s
28
Is it OK to store passwords in Google Docs/Spreadsheets?
Of course Gmail needs 2-step verification enabled.
Google Docs can also be accessed from a phone.

【Quoting a****8's post】
: On Windows use keepass; on Mac/Linux use keepassX. It can manage all your website passwords. By now basically all my website passwords are randomly generated by keepass. When I need one I copy/paste it; I don't memorize them. keepass's local database is AES-encrypted, and it can also use multi-factor, i.e. password + SD card.

c*n
29
Why would you assume Google is kinder than hackers? Heh.

【Quoting v*s's post】
: Is it OK to store passwords in Google Docs/Spreadsheets?
: Of course Gmail needs 2-step verification enabled.
: Google Docs can also be accessed from a phone.

a*8
30
No. Because the copy at Google is not encrypted by you.

【Quoting v*s's post】
: Is it OK to store passwords in Google Docs/Spreadsheets?
: Of course Gmail needs 2-step verification enabled.
: Google Docs can also be accessed from a phone.

©2024 redian.news