Time to Get Rid of Our Passwords

Us in 10 Years

We have many obsolete things in this world. Things we should get rid of and never use again. Things we should find alternatives for, and then adopt worldwide. Like toilet paper or plastic straws (switching to paper straws was a recent trend where I come from and a ban in other places).

Let’s talk about our passwords.

It makes no sense to have passwords anymore. The whole concept should not exist by now.

Think about it. Every single website you encounter requires you to register with a unique password, and it had better be a strong one: a combination of letters, numbers and random symbols.

Remember when you still had one password for everything you needed? Now you need to keep track of 50+ different passwords, all in one place.

Some time ago (a long time ago) you still kept one or two passwords for your favourite websites in your head, but now you sign out so rarely that you barely need to remember anything.

And if you accidentally sign yourself out, you just need to hit a few buttons and sign in right back from your mailbox.

Passwords are part of what makes our world complicated

Illustration by Katerina Limpitsouni

Your Computer Is a False Friend

I get it. We need personal keys to access personal things.

But in recent years, maybe the last 10 or so, it has come to the point where every single website you want to view requires some sort of personal identification and a sign-up. Why?

I am guilty of it myself with the projects I work on. In today’s world, it feels like the most basic thing is to make users sign up for your website. But the truth is, it’s not always a necessity to build a membership system.

All the Eggs in One Basket

So someone invented the password manager, which keeps track of all your passwords and even helps you generate new ones. All without even looking at what the password is, and in less than a second.

Also, giants such as Google and Facebook, which have your identifying information anyway, offer developer kits that let web developers add a social login step (Google Sign-In and Facebook Login, both built on OAuth 2.0), so users can sign in or sign up to a website without even thinking about what they are doing.

It just makes everything so easy and effortless. Not only is the access process easier, it also adds personalization and social functionality to the user experience. Although, if you ask, some will tell you they would rather avoid implementing it. Rakesh Soni points out security issues found in social logins:

Sometimes I find myself wanting to check out a website but then passing on it because I see I need to type in all my information to do anything.

Oftentimes it is also necessary to confirm your email address before it lets you in, whereas when a Facebook login form welcomes me I barely hesitate to hit the blue button.

However, your personal computer and phone are the keys to everything you own online. When someone opens your computer when you’re not around, they can access everything you’re logged into. The same goes for your phone.

This is also a problem with password managers. A manager is essentially a local database (or list, if you will) containing all your passwords, normally encrypted with a master password, and an unlocked vault on an unlocked machine is one basket with all the eggs in it.

Some password managers (if not all) require a master password to open the actual database; however, once the vault is unlocked, visiting any of the saved websites fills in the credentials automatically and access is granted. That is, of course, assuming you're not already signed in to that website in the first place.

My password manager, for example, does not require me to enter a master password to view my password vault; I would need to set that up actively. It takes me two clicks to access all of my passwords, and it doesn't ask me for anything.

Illustration by Katerina Limpitsouni

Hackers Will Make Your Favorite Website Squeal

How to Build a Login Access Page 101

Let’s go through the anatomy of a login page real quick.

For a simple password login to work, a website needs a database of user records that stores every user's password (or, as we will see, something derived from it). Whenever you type your password into the dotted input box, the phrase you entered is checked against that database.

Whatever you enter is checked against the database | screenshot by the author

If the phrase you entered matches the password in the database, access is granted.

However, you wouldn’t want that website to know your password, would you?

Please welcome to the stage: the MD5 algorithm.

What is the MD5 algorithm? MD5 is a hashing algorithm. Simply put, hashing takes a phrase and turns it into a fixed-size, irreversible "scrambled egg": you can always recompute the hash from the phrase, but you cannot get the phrase back from the hash.

So, MD5 takes an input (a password in our case) and returns a hashed output, which looks something like this:

ddd0531e2e73d1c82703746eaf3bd320

So whenever you sign up for a website, your password is hashed before it is saved in the database. Then, whenever you sign in, the phrase you entered is hashed and the result is compared with what the website has in the database.

That way the website you’re using doesn’t have your actual password.

The problem with MD5? It's not secure enough.

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to “brute force” the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can “reverse” these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

(source)

Anyone who can type a hash into Google can "decrypt" it with the help of databases listing already known hashes. Those sites are simply lookup tables of precomputed hashes for billions of common passwords, which is exactly why an unsalted fast hash is so weak: the same password always produces the same MD5, so one lookup cracks every account that used it. Try it yourself.

So we also have SHA-1, SHA-2, SHA-3, bcrypt, Argon2 and others, each with its pros and cons when it comes to password protection. The SHA family are general-purpose hashes built for speed, so on their own they share MD5's problem; bcrypt and Argon2 are purpose-built password hashes that add a random per-user salt and a tunable work factor, so every guess is slow and precomputed tables are useless. Some are more secure than others. Some are exiled from use. But no matter how good an algorithm is at keeping hackers away now, in the future it just won't be good enough.
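
As an added example (not code from the original article), here are the two storage schemes side by side in Python: the unsalted MD5 the article describes, cracked with a tiny constructed lookup table standing in for the public "reverse MD5" sites, and a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from the standard library is used as the slow hash because it needs no extra packages; bcrypt and Argon2 are the usual production choices and work the same way. The password list, the iteration count and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for the public "reverse MD5" lookup sites: a table of
# precomputed hashes for a handful of common passwords (assumption: tiny list).
LOOKUP_TABLE = {
    hashlib.md5(p.encode()).hexdigest(): p
    for p in ["password", "123456", "qwerty", "letmein", "dragon"]
}


def store_md5(password: str) -> str:
    """The weak scheme from the article: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored_hash: str) -> Optional[str]:
    """No brute force needed: if the password was ever seen, the hash is in the table."""
    return LOOKUP_TABLE.get(stored_hash)


# Work factor: each guess costs this many HMAC iterations. Raise it as hardware
# gets faster; six-figure counts are typical today. Kept modest here so the
# example runs quickly (assumption for the demo, not production advice).
ITERATIONS = 200_000


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Record format (assumed): pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest stops response timing from leaking how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_pbkdf2(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """The only attack left: guess candidates one by one. Every guess pays the full
    PBKDF2 cost against this record's unique salt, so the lookup table is useless."""
    for candidate in candidates:
        if verify_pbkdf2(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    weak = store_md5("qwerty")
    print("md5 record:", weak, "-> cracked by lookup:", crack_md5(weak))
    strong = store_pbkdf2("qwerty")
    print("pbkdf2 record:", strong)
    print("verify right password:", verify_pbkdf2("qwerty", strong))
    print("verify wrong password:", verify_pbkdf2("qwerty1", strong))
```

Note that the salt does not make a weak password strong: `crack_pbkdf2` still finds "qwerty" from a short candidate list, just at a cost of ITERATIONS hashes per guess per user instead of one table lookup for everyone.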

What a Time to Be a Hacker

Whenever a website you use gets hacked, your password can be leaked and distributed. Supposedly, some websites don’t hash your password at all.

Troy Hunt's project Have I Been Pwned alone has listed 9,760,722,439 leaked accounts from 454 websites, including 555,278,657 passwords, according to the project's website (as of June 2020).

You’ll be amazed at how many of your favorite websites were hacked over the years. Chances are you’ll find yourself in at least one list, if not more.

With services getting hacked every day, it's just a matter of time. Nintendo is the most recent one.

If you haven't found your leaked password yet, you need to understand: it's not if, it's when.

They Are Coming to Get You

It will happen sooner or later. And you won't enjoy it when it happens. Trust me.

Last year, by a simple Google search of my username, I found my password sitting alongside 1,600+ other user passwords in a leaked Udemy list on Scribd. It was visible in the document's Google meta description.

I emailed support and cited their terms of use regarding exposing private account information. It took them only 7 minutes to remove the document, which is a great response time.

However, it took Google a couple of weeks to remove the document’s metadata from its index.

Part of my request to remove the leaked document | screenshot by the author

A Hero to Save the Day

Unlike unsalted MD5, a properly salted password hash cannot be cracked so easily with the help of Google. Hashing algorithms are irreversible, MD5 included; what defeats the lookup sites is the salt, a random value stored alongside each hash, so two users with the same password get different hashes and no precomputed table can cover them all.

So they can't be decrypted, but they are still brute-forceable: an attacker who has stolen the database can keep guessing offline for as long as they like. The hashes built for the job (bcrypt, Argon2) make each guess deliberately expensive, so brute force is slower, but it is still a thing, and a weak password still falls.

Enter Two-Factor Authentication (2FA)

A couple of ways to protect against brute-forcing are out there. One, for example, is to limit the number of attempts someone can make before the account is locked. But that only slows online guessing against the live login form (it does nothing for a stolen database being cracked offline), and depending on the implementation it can fail in other ways: an attacker can deliberately lock legitimate users out, or spread a few guesses over many accounts to stay under the per-account limit.

Our hero is quite straightforward and demands only two things:

  1. Something you know

  2. Something you have

By simply adding one more step before you can reach the other side, the website gives you increased security that is no longer based only on your password. Our guy simply wants to make sure you know your password and have your phone, because those are the two things he trusts.

Google Authenticator, for example, gives you a 6-digit code on your phone that changes every 30 seconds. The app and the website hold the same shared secret (handed over as a QR code when you enrol), so the website does not watch your phone; it computes the code it expects from the secret and the current time and checks that what you typed matches. Websites can offer an authenticator instead of an SMS code sent to your phone, which also sidesteps SIM-swap and SMS-interception attacks.

This is about security.

An alternative is what's called a magic link, which is relatively new. You just type your email address, click a button and receive an email with an authorization link that logs you in immediately. No password, just email. The link is only as safe as its token: it must be unguessable, expire quickly and work only once, and your account then becomes exactly as secure as your mailbox.

This is about speed.

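
An added example (not the article's code and not any particular provider's implementation) of the issuing and redeeming halves of a magic link in Python, with the three properties a practitioner would insist on: a 256-bit token from the operating system's CSPRNG, a short lifetime and single use. Only a SHA-256 fingerprint of the token is stored, so a copy of the table does not yield working links. The in-memory store, the 15-minute time-to-live and the example.invalid origin are assumptions for the demonstration; sending the email is left to the caller.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 15 * 60  # seconds a link stays valid (assumption for the example)

# Constructed in-memory store; a real service would keep this in its database.
# Keyed by the fingerprint of the token, never by the token itself.
_pending: Dict[str, dict] = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring token for `email` and return the URL to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits, URL-safe text
    _pending[_fingerprint(token)] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return f"https://example.invalid/login?token={token}"  # hypothetical origin


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email address the link signs in, or None if the token is unknown,
    expired or already used. The token is burned on first successful use."""
    now = time.time() if now is None else now
    record = _pending.get(_fingerprint(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    return record["email"]


if __name__ == "__main__":
    url = issue_magic_link("alice@example.com")
    print("send this by email:", url)
    token = url.split("token=", 1)[1]
    print("first click signs in:", redeem_magic_link(token))
    print("second click is rejected:", redeem_magic_link(token))
```

Because the lookup goes through a fixed-length hash of the token, a mistyped or forged token costs the server one SHA-256 and one dictionary miss, and the comparison itself is not done on the secret value.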
But what happens when someone sits in front of your computer and has your phone?

You Deserve Much Better

I could list the many other alternatives we have for accessing a private account. But I’d rather present you with something else.

Imagine a world without passwords.

A world where you are the password.

This is what is great about the idea of face recognition, voice recognition and fingerprint-based logins. You are the key. These, too, have their issues, most of which are physical faults, and one that is not: a fingerprint or a face cannot be changed if a copy of it leaks, which is why in practice a biometric works best as a way to unlock a key stored on your own device rather than as a secret you hand to each website.

But they just might be an integral part of our future.

It is unacceptable. Why would we need so many passwords? Some may say diversification. Risk management. When one database is hacked, all the others are still safe.

But come on, couldn't there be an alternative based on physical verification in the future, one that throws the use of countless passwords out the window?

Why do we need to throw digital waste everywhere we go?

Do Not Trust Anyone You Know

It’s on you to be responsible with your passwords and devices you leave laying around everywhere. It’s on you to log out when you’re somewhere public. It’s on you to trust the people around you, even the one you consider the closest.

I think I need to remind you that:

The second they have a reason to, they will use whatever they can lay their hands on against you.

This is just how the world works. People use any opportunity and privilege they have.

You Are the Only Key You Need

I'd imagine most of us put the minimum amount of effort into protecting our keys. I'd even say we don't care enough. I say we deserve something much simpler in our lives.

If we want to have a solution that doesn’t involve physical recognition, we could still come up with a system that doesn’t require us to remember more than just a few passphrases.

Which system? I wish I knew.

Illustration by Katerina Limpitsouni

We Need to Make a Change

Multi-factor authentication is the answer for now. And I like the magic link approach, which is swift. But when it comes to security, depending only on a mailbox you are probably already signed in to is not the best of ideas.

We are approaching a new world every day, and if something is expendable, we should consider questioning it and replacing it with something better.

Finding a new solution and eliminating the use of more passwords than we can count with our fingers can be a part of our future.

Maybe you could be that person who leads the next big change?

Artwork by Freepik

Translated from: https://medium.com/digital-diplomacy/time-to-get-rid-of-our-passwords-ed4c1a27f3b8

http://www.taodudu.cc/news/show-4532098.html
