Computer password security advice: do not save passwords for automatic login

Date: 15 December 2009, 8:52 PM
Subject: Computer password security advice: do not save passwords for automatic login
To: wlaq-gg@googlegroups.com, wlaq@googlegroups.com

Security advice related to protecting passwords:

For important accounts, do not enable "save password / log in automatically". Article [5] points out that this practice is insecure, but the reason it speculates about is not the real one. The real problem is that a stored password is easy to extract, both through the program's own user interface and from local storage that is not adequately protected, for example with the software tools found through the search in [6].

Do not use automatic login in browsers, Outlook Express, Office Outlook, Gtalk, MSN, Skype and the like. If you want the browser to remember passwords, Firefox lets you set a master password that encrypts the saved website login passwords.
If Thunderbird is set to log in automatically, you must set a master password so that the saved passwords are stored encrypted rather than in a form anyone who can read the profile can recover.
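The difference between "remembered" and "protected by a master password" is easiest to see in code. The following is an added illustration, not code from the original post and not the storage format of Firefox, Thunderbird or any real product: a hypothetical program first "remembers" a login with a reversible transformation whose key is baked into the program itself, then stores the same login under a key derived from a user-supplied master password. The cipher used in the second case is a demonstration construction from the Python standard library (PBKDF2-HMAC-SHA256 for the key, an HMAC-SHA256 counter keystream XORed over the data, and an HMAC tag); production software should use a vetted authenticated cipher instead.

```python
"""Remembered password vs. master-password-protected password (added example).

Two ways a hypothetical program might keep a login on disk, and what someone
who can read the profile file recovers in each case.  Standard library only;
the 'with master' construction is for illustration, not for production use.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- 1. "Remember password" with no master password -------------------------
# The program must be able to log in without asking the user for anything, so
# whatever it writes must be reversible using data that is also on disk.  Here
# that is a constant key baked into the (hypothetical) program binary.
_APP_KEY = b"\x5a\xa5\x3c\xc3"


def obfuscate(password: str) -> str:
    """What the program writes to its profile: XOR with a fixed key, base64."""
    data = password.encode()
    x = bytes(b ^ _APP_KEY[i % len(_APP_KEY)] for i, b in enumerate(data))
    return base64.b64encode(x).decode()


def deobfuscate(blob: str) -> str:
    """What a password-recovery tool does: apply the same fixed key again."""
    x = base64.b64decode(blob)
    return bytes(b ^ _APP_KEY[i % len(_APP_KEY)] for i, b in enumerate(x)).decode()


# --- 2. Encrypted under a key derived from a master password -----------------
def _derive_key(master: str, salt: bytes) -> bytes:
    # Slow, salted derivation so that an offline guess at the master
    # password costs the attacker one PBKDF2 run per candidate.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher (demonstration only).
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_with_master(master: str, password: str) -> bytes:
    """Layout: salt(16) | nonce(12) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = _derive_key(master, salt)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def decrypt_with_master(master: str, blob: bytes) -> Optional[str]:
    """Returns the password, or None if the master password is wrong or the
    stored record was tampered with (tag check fails)."""
    salt, nonce, tag, ct = blob[:16], blob[16:28], blob[28:60], blob[60:]
    key = _derive_key(master, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def demo() -> dict:
    """Attacker's view of both storage styles for one constructed secret."""
    secret = "correct horse battery"  # constructed sample, not a real credential
    stored_plain = obfuscate(secret)
    stored_enc = encrypt_with_master("my master passphrase", secret)
    return {
        # Anyone holding the file plus the program's constant recovers it.
        "recovered_without_master": deobfuscate(stored_plain),
        # Without the master password the record is useless.
        "recovered_with_wrong_master": decrypt_with_master("guess", stored_enc),
        "recovered_with_right_master": decrypt_with_master("my master passphrase", stored_enc),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the first half is that "obfuscation" with a key the program carries around is not protection: tools such as those in [6] simply reimplement the program's own reverse step. In the second half the decryption key exists only while the user is typing the master password, so a copied profile yields nothing without it, which is exactly why a remembered password should be paired with a master password.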

Where security matters particularly, you can click Start / Run, enter osk.exe to start the On-Screen Keyboard, and enter the password by clicking its keys with the mouse, moving the keyboard window around as you go so that the mouse movements are harder to follow. You can also enter part of the password with the mouse and part with the physical keyboard. The password then never passes through the physical keyboard; the next paragraph explains what that does and does not protect against.

Note that osk.exe does not stop a trojan that eavesdrops on window messages, because the input still has to reach the program receiving the password through Windows event messages. In fact the On-Screen Keyboard injects each click into the normal Windows input queue as a synthetic keystroke, so an ordinary software keylogger that hooks keyboard events records it just as it would a physical key press. What osk.exe does defeat is a hardware key-capture device on the keyboard cable, and the moving window and the mix of mouse and keyboard entry make reconstruction somewhat more work for an attacker who also records mouse and screen activity.

By contrast, the approach taken by the on-screen keyboard plugin built into KeePass (mentioned below) does protect against eavesdropping on keyboard input: the characters are not sent as Windows keyboard events at all, but are passed along inside the program itself, so a keyboard hook never sees them.

Two Microsoft researchers [1] proposed a simple trick to keep a password from being captured by a keylogger. When entering the password in a web page or program login form, after typing each character of the password click the mouse somewhere outside the password field, type a few random characters there, then click back into the password field and type the next character, repeating until the whole password has been entered. Even on an untrusted internet café computer whose keyboard and mouse activity is being monitored, a keystroke-logging trojan then has great difficulty picking the password out of what it recorded.

The principle is that the methods a trojan uses to capture passwords generally cannot tell how the characters you typed were distributed among the input fields inside a program. There are of course attacks aimed specifically at this trick, but at the time of writing they are too complex for the keystroke-capturing trojans in circulation: the trojan would have to take a screen capture on every keystroke and correlate it with the recorded mouse actions in order to reassemble the password, which is far more work.
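To make the mechanism concrete, here is an added simulation (not code from the paper [1] or from the original post) of the interleaving trick against two kinds of logger. The event model, field names and the "junk" characters are all constructed for the illustration: a click moves keyboard focus to a named field, and every keystroke is delivered to whichever field currently has focus. A naive keylogger that only hooks keystrokes sees one undifferentiated stream; the counter-attack sketched in the text is a logger that additionally knows which control had focus when each key arrived.

```python
"""Interleaved-junk password entry vs. two logger models (added example).

Constructed event model:
  ("click", field)  -- a mouse click that moves keyboard focus to `field`
  ("key", char)     -- one keystroke, delivered to the field that has focus
"""
from typing import Dict, List, Tuple

Event = Tuple[str, str]


def type_with_junk(password: str, junk: str = "x7q") -> List[Event]:
    """Event stream a user produces when following the trick: one real
    character into the password field, then a click into another field
    (here a 'search' box) and a few junk characters, then back again."""
    events: List[Event] = [("click", "password")]
    for i, ch in enumerate(password):
        events.append(("key", ch))
        if i < len(password) - 1:
            events.append(("click", "search"))
            events.extend(("key", j) for j in junk)
            events.append(("click", "password"))
    return events


def what_the_form_receives(events: List[Event]) -> Dict[str, str]:
    """The application's view: each keystroke lands in the focused field,
    so the password field receives exactly the password."""
    fields: Dict[str, str] = {}
    focus = None
    for kind, val in events:
        if kind == "click":
            focus = val
        elif focus is not None:
            fields[focus] = fields.get(focus, "") + val
    return fields


def naive_keylogger(events: List[Event]) -> str:
    """Keyboard-hook-only logger: records every keystroke but has no idea
    which field each one went to, so the password is buried in junk."""
    return "".join(v for k, v in events if k == "key")


def focus_tracking_keylogger(events: List[Event], target: str = "password") -> str:
    """The more expensive attacker from the text: one that also records
    focus changes (via window messages or a screen capture per keystroke)
    can re-attribute keystrokes to fields and defeat the trick."""
    return what_the_form_receives(events).get(target, "")


if __name__ == "__main__":
    ev = type_with_junk("s3cret")
    print("form sees      :", what_the_form_receives(ev))
    print("naive logger   :", naive_keylogger(ev))
    print("focus-tracking :", focus_tracking_keylogger(ev))
```

Running it with the constructed password "s3cret" shows the form receiving the password intact while the naive logger records "sx7q3x7qcx7qrx7qex7qt", which contains the password only as scattered characters. Calling `type_with_junk` with an empty `junk` string shows why the junk characters matter: the naive logger then recovers the password unchanged, because clicking away and back without typing anything leaves the keystroke stream identical to plain entry.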

Note, however, that the method above only defends against software eavesdropping on keyboard input. If a program stores or transmits the password insecurely, the password can still be stolen by sniffing the network or by decrypting the password file, no matter how it was typed.

If you read English, have a look at references [1] to [4] on defending against trojans.

If you have more passwords than you can remember, you can keep them encrypted in the KeePass password manager. The master password that encrypts the KeePass database can be entered with the OSK on-screen keyboard for extra safety; KeePass also has its own on-screen keyboard plugin.

References:

[1] Cormac Herley and Dinei Florencio: How To Login From an Internet Café Without Worrying About Keyloggers; Microsoft Research, Redmond; http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
[2] Nikolay Grebennikov: Keyloggers: How they work and how to detect them; 29 March 2007; http://www.viruslist.com/en/analysis?pubid=204791931
[3] Keystroke logging; Wikipedia; http://en.wikipedia.org/wiki/Keystroke_logging
[4] Yury Mashevsky, Alexey Monastyrsky, Konstantin Sapronov: Rootkits and how to combat them; Virus Analysts, Kaspersky Lab; 19 August 2005; http://www.viruslist.com/en/analysis?pubid=168740859
[5] Serious flaws in the local password storage of MSN and Gtalk (in Chinese); 21 September 2008; http://www.williamlong.info/archives/1506.html
[6] Google search for password-recovery tools on nirsoft.net: http://www.google.com/search?hl=en&safe=off&rlz=1C1CHMG_enNL301NL303&q=+site:www.nirsoft.net+password+stored+reveal&ei=FKKBSujFGofw-Qb23LSyCg&sa=X&oi=manybox&resnum=2&ct=all-results

Results returned by the search in [6] (NirSoft password-recovery utilities):

Asterisk Logger: reveals/recovers passwords hidden behind asterisks (***) in the standard password text boxes of many applications, such as CuteFTP, VNC and IncrediMail. www.nirsoft.net/utils/astlog.html
PasswordFox: shows the user names and passwords stored by the Mozilla Firefox web browser, by default those of the current profile. www.nirsoft.net/utils/passwordfox.html
WirelessKeyView: recovers the WEP/WPA keys stored by Windows. www.nirsoft.net/utils/wireless_key.html
Network Password Recovery: recovers Windows XP/Vista network passwords stored in the Credentials file (listed on www.nirsoft.net/).
AsterWin IE v1.03: reveals the passwords behind asterisks in Internet Explorer web pages. www.nirsoft.net/utils/asterie.html
Netscapass v2.03: reveals the stored mail (POP3) password for Netscape Communicator 4.x, Netscape 6.x and Netscape 7. www.nirsoft.net/utils/netscapass.html
IE PassView: Internet Explorer password viewer. www.nirsoft.net/utils/internet_explorer_password.html
Protected Storage PassView v1.63: recovers passwords by reading the Protected Storage, including strings Internet Explorer stores there beyond the AutoComplete passwords. www.nirsoft.net/utils/pspv.html
AsterWin v1.20: reveals asterisk passwords in applications, but not in Internet Explorer web pages, which store them differently. www.nirsoft.net/utils/asterwin.html
Dialupass: recovers dial-up/RAS/VPN passwords on Windows XP/Vista/9x, but only when you are logged on as the user who saved them. www.nirsoft.net/utils/dialupass2.html
Win9x PassView v1.1: reveals four types of passwords stored by Windows 95/98. www.nirsoft.net/utils/win9xpv.html
Mail PassView: password recovery for Outlook, Outlook Express, Netscape/Thunderbird accounts, and Gmail passwords stored by Google Desktop. www.nirsoft.net/utils/mailpv.html
Revealing the passwords behind asterisks in Internet Explorer: Visual Basic source code that finds each password box in a page and reveals its contents. www.nirsoft.net/vb/reveal_ie_asterisk_passwords.html
Index pages: www.nirsoft.net/ , www.nirsoft.net/utils/index.html , www.nirsoft.net/password_recovery_tools.html , www.nirsoft.net/vb/
