Thank you very much for your support on the IT security series. Last time, we have discussed how to perform the checking of the patch update status for multiple computer devices. And today, I would like to introduce you a more practical and basic stuff, which is the account password configuration.
大家好,很感謝大家對於資訊保安系列的支持。上一次我們談過了如何檢查操作系統上補丁的更新狀況。今天,我打算跟大家分享一個更實用,也更基本的題目,就是密碼的設定。
Don’t look down on this topic! According to Microsoft Password Guidance Report in year 2016, there are over 10 million username/password pair attacks every day. So, it becomes critical to control user’s behavior by a proper password setting.
不要小看了這個題目,根據微軟在2016年推出的一份密碼指引報告,在世界上每天大概有超過一千萬次數的密碼攻擊。所以,密碼的設定在資訊保安方面是一個重大的議題。
For those who have an account on those online exchanges must experienced that those exchanges always ask you to provide a more complex and long enough password. Yes, as we store most of our money on it, it is so reasonable to have a complex password, in order to protect our account.
對於有在各種交易所開帳戶的朋友,你們都一定經歷過它們要求你設定一個夠長而且夠復雜的密碼吧。而我們大概都很容易接受,因為畢竟我們的資產都在上面,肯定要一個好的密碼來保護它吧!
However, I bet most of the people will just ignore the password configuration for their personal computer. Let me ask you some question: When is last time you change your personal computer password? Have you ever used “password” as your password? I think maybe you have really forgotten about it.
但是,我相信很多的朋友都忽略了他們個人電腦的密碼問題。容我問你兩個問題,你上一次轉換密碼是什麼時候的事?你有沒有用過 “password?”去做你的密碼? 我想或許你真的記不起了。
In addition, most of us will share our desktop with our family. And I bet for privacy reason, you may suggest everyone will have their own account in the computer. Or even in small company, maybe you will have a computer station for different staff with different account Yes, you may aware of a complex password was need, but, you can’t ensure your mum or your colleague will have the same mind as you. Maybe she will just simply use “123456” as her account password, which is something you could not really control. How can you ensure that they have selected a proper password?
再者,我相信大部份的人都會跟家人共用電腦,為了私隠的問題,可能你們都會建立個人的帳戶。又比如說小型公司,往往都會使用不同的帳戶來讓員工共用一台電腦。對的,可能你對密碼的概念十分好,知道要用各種復雜的組成。但你如何確保你的媽媽或你的同事都有這個想法呢?可能她們正在用 “123456”來當密碼呢!你可以如何保護你的電腦系統呢?
So, now, we should think about the preventive control! You should consider to restrict the password requirement for all user accounts. We can implement a password policy to control the user’s password configuration and password change period.
所以,我們應該考慮預防控制的手段。我們可以先限制用戶們密碼設定的要求。我們可以在視窗中的密碼則中控制用戶密碼設定的要求。
Let me give you a clear step on how to check it and how to configure it. I will use my Windows 7 OS as the sample for the below screen capture.
就讓我一步步的向大家介紹到底該如何檢查的現在的密碼設定,跟如何去更改它。我會用我的Windows 7版本作為例子。
First, go to Control Panel, then choose administrative tool:
首先去控制台,然後去管理工具:
Then select local security policy:
再去本機安全性原則
Finally you can see your current password policy setting:
然後就就能看到你現在的密碼原則的設定
For most of the policy, I thought I don’t need to explain, but I would like to explain some more on the below 5 items:
對於大部份的原則,我相信不太需要我解釋,但我想要解釋一下下面這些。
Enforce Password History: sets how frequently old passwords can be reused
強行執行密碼歷程記錄(Enforce Password History): 決定可以重複使用舊密碼之前必須與使用者帳戶相關聯的唯一新密碼數目
Store Password Using Reversible Encryption: provides support for applications that use protocols that require the user's password for authentication.
使用可還原的加密來存放密碼( Store Password Using Reversible Encryption): 使用要求使用者的密碼來進行驗證的通訊協定的應用程式提供支援。 儲存加密的密碼可回復的方式表示,就可以解密加密的密碼。
Account lockout duration: determines the number of minutes that a locked Account lockout duration-out account remains locked out before automatically becoming unlocked
帳戶鎖定期間(Account lockout duration): 決定鎖定的帳戶之前維持鎖定出自動解除的分鐘數
Account lockout threshold: determines the number of failed sign-in attempts that will cause a user account to be locked.
帳戶鎖定閾值(Account lockout threshold): 決定登入嘗試失敗會造成鎖定的使用者帳戶的數目
Reset account lockout counter after: determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0
重設帳戶鎖定計數器的時間(Reset account lockout counter after): 決定從使用者無法登入,才能登入失敗的嘗試計數器會重設為 0 時必須經過的分鐘數。
So, what kind of configuration should you adopted for the password policy? There is actually no a model answer, it mainly depends on what is the risk level of your computer system. However, we can still find some best practice online.
所以,到底我們該採用那種密碼的原則來設定我們的密碼呢? 這其實沒有一定的答案,主要是看你的電腦系統的風險而定。但幸好,我們永遠能在網上找到一些最佳實踐的建議。
According to latest recommendation from Microsoft, the best practice was as follow:
跟據微軟最新的密碼原則建議,最佳實踐的方案如下:
| Policy | Security Setting |
|---|---|
| Enforce password history | 24 |
| Maximum password age | 30 - 90 days (depends on your risk level of the system) |
| Minimum password age | 2 days |
| Minimum password length | 8 |
| Minimum password age | 2 days |
| Password must meet complexity requirements | Enabled |
| Store password using reversible encryption | Disabled |
| Account lockout duration | 30 minutes |
| Account lockout threshold | above 4 and below 10 |
| Reset account lockout counter after | Depends on Resource |
因為上面比較難理解的都有中文的解釋了,所以這裏就不贅敘了。
Do you think it is simple enough? Yes, definitely. And maybe because of it, this had been ignored by most of the people and which became a serious security risk all over the world. So, start from today, do it at home and your office. Properly configure your password policy, and prevent you mum or staff using “123456” as their account password!
你是不是覺得這太簡單了? 對,這真的很簡單。但或許就是因為太簡單了,所以它往往會被用戶怱略。所以,從今天開始,在家中跟辦公室都好好的設定密碼吧,不要再讓媽媽用 “123456”去作密碼了。
Thanks for reading, I hope you enjoy it!
And please follow me and see my other post if you like it: @victorier
感謝你的閱讀,希望你會喜歡!
如果你覺得不錯的話請你追蹤我,也可以看我其他的文章: @victorier
Sometimes there are too many password to remember.
I use keepass to keep most password which is a free software.
http://keepass.info/
Thanks for your suggestion, will definitely have a look on it!
Upboat is a friendly half-human, half-robot which hopes to help promote the better posts of Steemit by trying to ensure they get the recognition they deserve.
UPBOAT and is likely to summon our robot friends to share some robot love with you to show affection.@UPBOAT looks for numerous signals before deciding on who to
I'VE BEEN AT SEA FOR 4 DAYS AND HAVE GIVEN 245 UPBOATS! PLEASE HELP @UPBOAT STAY AFLOAT ON THE STEEMIAN SEAS BY DELEGATING SPARE SP OR PATCH WATER LEAKS BY UPBOATING.
This post has received a 3.13 % upvote from @drotto thanks to: @upboat.
yes! password is increasing important as more payment transact in the web.
But I have to admit that I am a bit lazy to have different pw on different account.
lol, you have to do so, if not, there would be a single point of failure for all your account XD!
Help me with your upvote I need your help is of great importance! Https://steemit.com/news/@gr3g0r/mi-salario-de-la-semana-venezuela-and-my-salary-of-the-week-venezuela#comments Follow me! @gr3g0r
我會用pass phrase做password.易記不易破!
是的,記密碼還是需要工具!
对于大多数人太复杂了容易忘
还是指纹识别合适
或者1password之类的
主要是想要提醒用戶們注重電腦的密碼設定!
其实还不如提醒大家用小本子记下来哈哈
首先還是要避免人們用123456來做密碼啦XD
very usefull tutorials
Thanks for it!