如何使用密码管理器提升安全性

The vast majority of people are in the habit of reusing the same handful of fixed passwords over and over again across dozens of different websites. Yet the moment any one of those sites suffers a data breach, attackers immediately take that set of leaked credentials and go try them everywhere else, one site at a time — a technique known in the industry as credential stuffing. The very existence of a password manager is exactly what can fundamentally and completely eliminate this thorny risk.

为什么重复使用的密码很危险

普通人要应对 100 多个账号,却只能记住寥寥几个密码——于是他们重复使用密码,或依赖“password1”“password2”这类脆弱的变体。一旦任何一个网站被攻破(每年发生数千次),机器人就会在几小时内把那对邮箱与密码的组合在银行、邮箱和社交媒体上逐一重放。这就是撞库攻击,而为每个账号设置一个唯一的密码是唯一真正的防御。(关于究竟是什么让密码变强、以及零知识存储如何运作,详见密码安全的 Learn 文章。)

四步配置密码管理器

  • 1Step one: choose and install a suitable password manager. PrivaPass runs entirely within your local browser, requires no account registration at any point, and works right out of the box. Of course, other excellent options to choose from also include Bitwarden (which is open-source and offers a free tier), 1Password, or simply your browser's own built-in password manager — each with its own merits.
  • 2Step two: import or create password entries. You can start simply by saving each password as you log in to a site from now on. Most password managers also thoughtfully provide a convenient feature to bulk-import the passwords already saved in your browser. It is recommended that you generate brand-new random strong passwords first, one by one, for your most important and critical core accounts.
  • 3审查并更换你那些脆弱和重复使用的密码,从那些能重置其他一切的账号开始——首先是你的主邮箱,然后是银行和理财。在 haveibeenpwned.com 上检查你的邮箱地址,并更换任何出现在已知泄露中的密码。
  • 4在所有关键账号上启用双重身份验证(2FA)——尤其是邮箱、银行,以及任何能用来重置其他密码的账号。即使你的主密码不知怎么被泄露了,2FA 也能阻止未经授权的访问;相比短信,更建议使用身份验证器应用或通行密钥(passkey)。

密码安全专业技巧

Use a passphrase for your master password — that is, a sequence made up of 4 to 5 mutually random, entirely unrelated words. It is far more secure and reliable than a password that merely looks complex but is actually short, and it is also far easier for you yourself to remember. Please keep firmly in mind: never store your master password in any digital, electronic form anywhere at all. The safest approach is to write it down neatly on a piece of paper and then keep it safely in some secure, offline, physical place. Get into the good habit of regularly checking sites such as Have I Been Pwned (the address is haveibeenpwned.com) to see whether your email address has unfortunately turned up on the list of any known data breach events. The moment a service you are using announces publicly that it has suffered a data breach, proactively change the relevant password as soon as you can — never passively wait around until the very moment they force you to reset it before you take action.

完全在浏览器中安全地管理你的密码

Try PrivaPass
为何重要 — 隐私风险密码安全:构建您的数字防线