vue空格填充空格填充_什么是凭证填充？（以及如何保护自己）

vue空格填充空格填充

Ink Drop/Shutterstock.com墨滴/Shutterstock.com

A total of 500 million Zoom accounts are for sale on the dark web thanks to “credential stuffing.” It’s a common way for criminals to break into accounts online. Here’s what that term actually means and how you can protect yourself.

由于“凭证填充”，总共有5亿个Zoom帐户在暗网上出售。这是犯罪分子在线入侵帐户的一种常见方法。这是该术语的实际含义，以及如何保护自己。

它从泄露的密码数据库开始 (It Starts With Leaked Password Databases)

Attacks against online services are common. Criminals often exploit security flaws in systems to acquire databases of usernames and passwords. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.

攻击在线服务很常见。犯罪分子经常利用系统中的安全漏洞来获取用户名和密码的数据库。被盗登录凭证的数据库通常在黑暗的网络上在线出售，犯罪分子用比特币支付访问数据库的特权。

Let’s say you had an account on the Avast forum, which was breached back in 2014. That account was breached, and criminals may have your username and password on the Avast forum. Avast contacted you and had you change your forum password, so what’s the problem?

假设您在Avast论坛上拥有一个帐户，该帐户在2014年就被盗用了。该帐户已被破坏，犯罪分子可能会在Avast论坛上使用您的用户名和密码。 Avast与您联系，您是否更改过论坛密码，那么怎么了？

Unfortunately, the problem is that many people reuse the same passwords on different websites. Let’s say your Avast forum login details were “you@example.com” and “AmazingPassword.” If you logged into other websites with the same username (your email address) and password, any criminal who acquires your leaked passwords can gain access to those other accounts.

不幸的是，问题在于许多人在不同的网站上重复使用相同的密码。假设您的Avast论坛登录详细信息为“ you@example.com”和“ AmazingPassword”。如果您使用相同的用户名(您的电子邮件地址)和密码登录其他网站，则任何获取您泄露的密码的犯罪分子都可以访问这些其他帐户。

凭证填充 (Credential Stuffing in Action)

“Credential stuffing” involves using these databases of leaked login details and trying to log in with them on other online services.

“凭据填充”涉及使用这些泄漏了登录详细信息的数据库，并尝试使用它们登录其他在线服务。

Criminals take large databases of leaked username and password combinations—often millions of login credentials—and try to sign in with them on other websites. Some people reuse the same password on multiple websites, so some will match. This can generally be automated with software, quickly trying many login combinations.

犯罪分子会窃取用户名和密码组合泄露的大型数据库(通常有数百万个登录凭据)，并尝试在其他网站上使用它们登录。有些人在多个网站上重复使用相同的密码，因此有些人会匹配。通常可以使用软件自动执行此操作，然后快速尝试许多登录组合。

For something so dangerous that sounds so technical, that’s all it is—trying already leaked credentials on other services and seeing what works. In other words, “hackers” stuff all those login credentials into the login form and see what happens. Some of them are sure to work.

对于听起来如此技术如此危险的事情，仅此而已–尝试在其他服务上泄漏已泄漏的凭据并查看有效的方法。换句话说，“黑客”将所有这些登录凭据填充到登录表单中，然后看看会发生什么。他们中的一些肯定会工作。

This is one of the most common ways that attackers “hack” online accounts these days. In 2018 alone, the content delivery network Akamai logged nearly 30 billion credential-stuffing attacks.

这是当今攻击者“入侵”在线帐户的最常见方法之一。仅在2018年，内容交付网络Akamai就记录了近300亿份凭证填充攻击。

如何保护自己 (How to Protect Yourself)

Ruslan Grumble/Shutterstock.comRuslan Grumble / Shutterstock.com

Protecting yourself from credential stuffing is pretty simple and involves following the same password security practices security experts have been recommending for years. There’s no magic solution—just good password hygiene. Here’s the advice:

保护自己不受凭证填充的困扰非常简单，并且要遵循安全专家多年来建议的相同密码安全性做法。没有神奇的解决方案，只有良好的密码卫生。这是建议：

Avoid Reusing Passwords: Use a unique password for each account you use online. That way, even if your password leaks, it can’t be used to sign in to other websites. Attackers can try to stuff your credentials into other login forms, but they won’t work.

避免重复使用密码：对您在线使用的每个帐户使用唯一的密码。这样，即使您的密码泄漏，也无法用于登录其他网站。攻击者可以尝试将您的凭据填充到其他登录表单中，但它们将无法工作。
Use a Password Manager: Remembering strong unique passwords is a nearly impossible task if you have accounts on quite a few websites, and almost everyone does. We recommend using a password manager like 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you. It can even generate those strong passwords from scratch.

使用密码管理器：如果您在很多网站上都有帐户，并且几乎每个人都拥有帐户，那么记住强而唯一的密码几乎是不可能的任务。我们建议您使用密码管理器，例如1Password (付费)或Bitwarden (免费和开源)为您记住密码。它甚至可以从头开始生成那些强密码。
Enable Two-Factor Authentication: With two-step authentication, you have to provide something else—like a code generated by an app or sent to you via SMS—each time you log in to a website. Even if an attacker has your username and password, they won’t be able to sign in to your account if they don’t have that code.

启用两层身份验证：每次登录网站时，您必须通过两步身份验证来提供其他功能，例如由应用程序生成或通过SMS发送给您的代码。即使攻击者拥有您的用户名和密码，如果他们没有该密码，他们也将无法登录您的帐户。
Get Leaked Password Notifications: With a service like Have I Been Pwned?, you can get a notification when your credentials appear in a leak.

获取泄漏的密码通知：使用诸如“我是否被伪造”之类的服务？，当您的凭据出现泄漏时，您会收到通知。

服务如何防止凭证填充 (How Services Can Protect Against Credential Stuffing)

While individuals need to take responsibility for securing their accounts, there are many ways for online services to protect against credential-stuffing attacks.

尽管个人需要承担保护其帐户的责任，但是在线服务有很多方法可以防止凭据填充攻击。

Scan Leaked Databases for User Passwords: Facebook and Netflix have scanned leaked databases for passwords, cross-referencing them against login credentials on their own services. If there’s a match, Facebook or Netflix can prompt their own user to change their password. This is a way of beating credential-stuffers to the punch.

扫描泄漏的数据库中的用户密码： Facebook和Netflix 已扫描泄漏的数据库中的密码，并将其与自己服务上的登录凭据进行交叉引用。如果匹配，Facebook或Netflix可以提示自己的用户更改密码。这是击败凭证填充程序的一种方式。
Offer Two-Factor Authentication: Users should be able to enable two-factor authentication to secure their online accounts. Particularly sensitive services can make this mandatory. They can also have a user click a login verification link in an email to confirm the login request.

提供两因素身份验证：用户应该能够启用两因素身份验证以保护其在线帐户。特别敏感的服务可以强制执行此操作。他们还可以让用户单击电子邮件中的登录验证链接以确认登录请求。
Require a CAPTCHA: If a login attempt looks strange, a service can require entering a CAPTCHA code displayed in an image or clicking through another form to verify a human—and not a bot—is attempting to sign in.

要求验证码：如果登录尝试看起来很奇怪，则服务可能需要输入图像中显示的验证码或单击另一种形式以验证是否有人(而非机器人)正在尝试登录。
Limit Repeated Login Attempts: Services should attempt to block bots from attempting a large number of sign-in attempts in a short period of time. Modern sophisticated bots may attempt to sign in from multiple IP addresses at once to disguise their credential-stuffing attempts.

限制重复登录尝试 ：服务应尝试在短时间内阻止漫游器尝试大量登录尝试。现代尖端的机器人可能会尝试一次从多个IP地址登录，以掩盖其凭据填充尝试。

Poor password practices—and, to be fair, poorly secured online systems that are often too easy to compromise—make credential stuffing a serious danger to online account security. It’s no wonder many companies in the tech industry want to build a more secure world without passwords.

不良的密码做法，以及公平的，安全性差的在线系统(通常太容易被盗用)，使得凭据填充严重威胁在线帐户的安全。难怪科技行业的许多公司都希望建立一个没有密码的更安全的世界。

翻译自: https://www.howtogeek.com/668434/what-is-credential-stuffing-and-how-to-protect-yourself/

vue空格填充空格填充