From Wikipedia, the free encyclopedia
This article has multiple issues. Please help
or discuss these issues on the . ()
This article is written like a
that states the Wikipedia editor's particular feelings about a topic, rather than the opinions of experts. Please
by rewriting it in an . (April 2014)
This article needs additional citations for . Please help
by . Unsourced material may be challenged and removed. (June 2013) ()
A password manager is a
that helps a user store and organize . Password managers usually store passwords , requiring the user to create a master password; a single, ideally very
password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's
(often called online password managers). However offline password managers also offers data storage in users's own cloud accounts rather than provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as
This section does not
any . Please help improve this section by . Unsourced material may be challenged and . (January 2015) ()
The advantage of password-based access controls is that they are easily incorporated in most software using APIs available in many software products, they require no extensive computer/server modifications, and that users are already familiar with the use of passwords. While passwords can be fairly secure, the weakness is how users choose and manage them, by using:
simple passwords - short in length, that use words found in dictionaries, or don't mix in different character types (numbers, punctuation, upper/lower case), or are otherwise easily guessable
passwords others can find - on sticky notes on monitors, in a notepad by the computer, in a document on the computer, whiteboard reminders, smart device storage in clear text, etc.
the same password - using the same password for multiple sites, never changing account passwords, etc.
shared passwords - users telling others passwords, sending unencrypted emails with password information, contractors using same password for all their accounts, etc.
administrative account logins where limited logins would suffice, or
administrators who allow users with the same role to use the same password.
It is typical to make at least one of these mistakes. This makes it very easy for , ,
and cyber thieves to break into individual accounts, corporations of all sizes, government agencies, institutions, etc. It is protecting against these vulnerabilities that makes password managers so important.
Password managers come in six often-combined flavors:
Web-based - Online password manager where passwords are viewed and copied to/from a provider's website.
Cloud-based - Online password manager where credentials are stored on a service provider's servers on the Internet, but handled by password management software running on the client's machine.
Offline - An independent software which keeps the passwords locally on the device being used.
Desktop - desktop/laptop software for storing passwords on a computer hard drive. It could be offline or cloud based.
Portable - portable software storing passwords and program on a mobile device, such as a , , or as a
on a USB memory stick.
Token - credentials are protected using a , thus typically offering
by combining
something the user has such as a mobile application that generates rolling a Token similar to virtual smart card,
something the user knows (PIN or password), and/or
something the user is like
such as a fingerprint, hand, retina, or face scanner.
Stateless - Passwords are generated on the fly from a master passphrase and a tag using a .
Password managers can also be used as a defense against
and . Unlike human beings, a password manager program can also incorporate an automated login script that first compares the current site's URL to the stored site's URL. If the two don't match then the password manager does not automatically fill in the login fields. This is intended as a safeguard against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication prior.
Password managers can protect against
malware. When using a multi-factor authentication password manager that automatically fills in logon fields, the user does not have to type any user names or passwords for the keylogger to pick up. While a keylogger may pick up the PIN to authenticate into the smart card token, for example, without the smart card itself (something the user has) the PIN does the attacker no good. However, password managers cannot protect against
attacks, where malware on the user's device performs operations (e.g. on a banking website) while the user is logged in while hiding the malicious activity from the user.
Desktop password managers and browser based password man however, they often do not provide any protection for stored passwords.[] If the passwords are stored in an unencrypted fashion, it is still generally possible to obtain the passwords given local access to the machine.
Some password managers use a user-selected master password or
to form the
used to encrypt the protected passwords. The security of this approach depends on the strength of the chosen password (which might be guessed or brute-forced), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable.
As with any system which involves the user entering a password, the master password may also be attacked and discovered using
or . Some password managers attempt to use
to reduce this risk - though this again is vulnerable to key loggers which take screenshots as data is entered. This risk can be mitigated with the use of a
Some password managers include a . Generated passwords may be guessable if the password manager uses a weak
instead of a cryptographically secure one.[]
A strong password manager will include a limited number of false authentication entries allowed before the password manager is locked down and requires IT services to re-activate. This is the best way to protect against the brute-force attack.
Password managers that do not prevent swapping their memory to hard drive make it possible to extract unencrypted passwords from the computer’s hard drive.[] Turning off swap can prevent this risk.
Web-based password managers, which run inside the browser of the user, are particularly fraught with pitfalls. A detailed study using several password managers uncovered the following possible flaws inside web-based password managers:
Authorization flaws: Another possible problem is mistaking
with . The researcher found that several web-based password managers had, at one point in time, such flaws. These issues were in particular present in password managers which allowed users to share credentials with other users.
Bookmarklet flaws: Web-based password managers commonly rely on
for signing in users. However, if improperly implemented, a malicious website can abuse this to steal a user's password. The main cause of such vulnerabilities is that the
environment of a malicious website cannot be trusted.
User Interface flaws: Some password managers will ask the user to log in through an . This is unfortunately insecure. It trains the user to fill in her password while the URL displayed by the browser is not the one of the password manager. A phisher can abuse this by creating a fake iframe and capturing the user's credentials. Instead of using an iframe, a more secure approach is to open a new tab where users can login to the password manager.
Web flaws: Classic web vulnerabilities can also be present in web-based password managers. In particular,
vulnerabilities may be exploited by hackers to obtain a user's password.
This section does not
any . Please help improve this section by . Unsourced material may be challenged and . (January 2015) ()
An online password manager is a website that securely stores login details. They are a web-based version of more conventional desktop-based password manager.
The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a
and a network connection, without having to install software), and a reduced risk of losing passwords through theft from or damage to a single PC - also the same risk is present for the server that is used to store the users passwords on. In both cases this risk can be prevented by ensuring secure
are taken.[]
The major disadvantages of online password managers are the requirements that the user trusts the hosting site and a keylogger is not on the computer they are using. With servers and the cloud being a focus of cyber attacks, how one authenticates into the online service and that the passwords stored there are encrypted with a user defined key are just as important. Again, users tend to circumvent security for convenience. Another important factor is whether one or two way encryption is used.[]
There are mixed solutions. Some online password management systems distribute their . It can be checked and installed separately.[]
The use of a web-based password manager is an alternative to
techniques, such as
or Microsoft's
(previously Microsoft Wallet, Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID) scheme, or may serve as a stop-gap measure pending adoption of a better method.[]
This section does not
any . Please help improve this section by . Unsourced material may be challenged and . (January 2015) ()
Security tokens like smart cards or secure USB flash devices are seen by security experts as the best way to authenticate users, since many require multi-factor authentication. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (smart card reader) and drivers to properly read and decode the data. Some of the other advantages include: tokens can also be either contact or , stand-alone client based or tied into active directory. These tokens can be combined with RF ID badges for building access and use other security protocols like
(PKI) instead of passwords to establish the trust. These tokens can be thought of as the key to secure the virtual front door.
The disadvantages include the different costs of ownership. Some implementations require back end server modifications, extensive training, server-to-token synchronization, outside certificate authorities and expensive tokens. Others may be less expensive to implement and have a lower cost of ownership, but may not support , ,
and . It is not that one token solution is better than another, but rather which is right for the environment, risk and budget.
Various high profile websites have attempted to block password managers, often backing down when publicly challenged. Reasons cited have included protecting against , protecting against , blocking
of simply denying compatibility. The
client security software from
features explicit options to block password managers.
Such blocking has been criticized by
professionals as making users less secure and that justifications are bogus. The typical blocking implementation involves setting autocomplete='off' on the relevant password . Consequently, this option is now ignored from
34, and in
from about 7.0.2.
A 2014 paper from researcher at the
found that whilst browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against
and exposed additional passwords where
had been used between multiple devices.
Rubenking, Neil J. (11 March 2011). . . Retrieved on 10 August 2014.
Parker, Jason (11 April 2014). . . Updated 7 August 2014. Retrieved 10 Aug 2014.
Entrust IdentityGuard Mobile Smart Credential
Li, Z He, W akhawe, D Song, Dawn.
(PDF). 2014 2014.
Adida, B Barth, A Jackson, Collin.
(PDF). 2009 2014.
Mic, Wright (16 July 2015).
Reeve, Tom (15 July 2015).
Cox, Joseph (26 July 2015).
Hunt, Troy (15 May 2014).
(PDF) 2015.
Sharwood, Simon (9 April 2014).
: Hidden categories:Log+in+using+OpenID是什么意思_百度知道
Log+in+using+OpenID是什么意思
提问者采纳
T 不按规定使用明火；不按规定填写航海日志；2，消费者需要使用相关资料登录, customers log in using their ssn or not complying with the provisions in filling in the logbook. 使用该插件时，和网上银行一样Log+in+using+OpenID开放ID登录使用例句, as they would do online:1.Not complying with the provisions in using open fire
来自团队：
其他类似问题
为您推荐：
openid的相关知识
其他3条回答
使用开发ID登录
Log in using open ID使用公开用户名登陆Log in在网络上联接主机（服务器）的操作; 例句Listing4 shows how to authorize the connection and log in to your new server.清单4展示了如何授权这个连接并登录您的新服务器。
　　Log+in+using+OpenID：　　开放ID登录使用。　　Log in：在网络上联接主机（服务器）的操作; 　　例句Listing4 shows how to authorize the connection and log in to your new server.清单4展示了如何授权这个连接并登录您的新服务器。
下载知道APP
随时随地咨询
出门在外也不愁社会化登录常见问题 - 解决方案 - 灯鹭
一、如何使用灯鹭社会化登录工具？
灯鹭提供两种不同的产品解决方案：自主建站和开源模板。
⊙ 自主建站的开发者，在编写代码前请阅读与以便您更好的进行开发。
灯鹭同时提供了开发者和供开发者进行参考。
开发者技术交流群：,此群只提供接口使用相关问题咨询。
⊙ 灯鹭为开源模版使用者制作了插件安装包供站长安装使用。
现在已经开发的插件有：
disucz交流群：9294209,此群只提供bug反馈，不接受产品安装咨询。
ECshop交流群：,此群只提供bug反馈，不接受产品安装咨询。
PHPWIND交流群：,此群只提供bug反馈，不接受产品安装咨询。
天天团购交流群：,此群只提供bug反馈，不接受产品安装咨询。
最土团购交流群：,此群只提供bug反馈，不接受产品安装咨询。
Dedecms交流群：,此群只提供bug反馈，不接受产品安装咨询。
二、如何进行开发测试和安装测试？
灯鹭所有的服务都是在服务器端进行交互的，所以必须在WEB环境下才能测试，本地环境还无法进行。
灯鹭为所有的开源系统插件提供了，在安装使用前站长可以进行查看。
三、开放平台可以获取到哪些用户数据？开放平台又提供了哪些功能？
不同的开放平台之间会有差异化。
个人主页地址
四、如何安装使用？
所有的操作流程都需要在上进行。请访问灯鹭控制台进行安装使用。
五、安装时都需要特别注意什么？
请出现问题时，先清空浏览器缓存后，再尝试一次
1.灯鹭引擎回调地址（token url）；访问denglu.php或者dl_receiver.php出现404错误。
灯鹭制作的插件安装包中，回调地址文件是denglu.php。并把此文件放置在网站的根目录下。我们必须可以正常访问到http://你网站地址/denglu.php，才可以正常使用。
特别需要注意的是在灯鹭控制台，创建站点时请填写正确的网站地址，以便我们可以正常访问到回调地址文件。如果使用二级域名或者二级目录请填写相应的地址，如或/shop等。
2.社会化媒体回调地址与域名IP绑定。
由于社会化媒体开放平台间的技术差异（oauth2.0、oauth1.0、openid），对于开放平台配置可能会略有不同。
请在开放平台注册配置时，严格安装灯鹭提供的填写。
特别需要说明的是，使用oauth技术的开放平台都需要填写回调地址，灯鹭提供的唯一回调地址为http://open.denglu.cc/receiver。举例：如谷歌等。
有些开放平台无法填写灯鹭的回调地址，需要进行转发至灯鹭的回调地址。灯鹭制作的插件安装包中dl_receiver.php为转发文件。此类开放平台填写成为转发文件地址即可。举例：如MSN、QQ、开心等。
有些开放平台提供了域名绑定和IP绑定功能。一般为选填项，如果有需求请在填写根域名时填写denglu.cc并用半角英文逗号与你的域名隔开。需要IP绑定的用户，请同时绑定灯鹭的IP地址61.232.10.91。举例：如人人、百度等。
回调地址错误代码对照表
回调地址错误列表
error:invalid_requesterror_description:Invalid redirect_uri.
回调地址非法，请使用已注册的回调地址(21006)！
授予第三方应用对您帐号的访问权限抱歉，您当前的请求未能执行，请重新申请或 联系@微博开放平台将下面的错误信息发送给TA。oauth_problem: token_expired
Response body is incorrect. Can't extract token and secret from this: 'Consumer is not registered:
Oops, there was a problemThe provided value for the input parameter 'redirect_uri' is not valid. The domain of the provided redirect URI must match the domain of the redirect URI registered for this app.
回调地址不合法错误码：112
错误信息：Invalid redirect uri错误码：#1105
3、社会化媒体(开放平台）APP KEY 填写错误？
不同社会化媒体APP KEY 填写错误时会提示不同错误代码，当出现如下图所示错误代码，请检查您的APP KEY是否填写正确。
出错信息：A consumer_key_refused
出错信息：Internal Server Error
error:invalid_request，error_description:Invalid client_id: ?(K?API Key
出错信息：consumer not found
出错信息：10001
出错信息：token_rejected
Response body is incorrect. Can't extract a token from this: 'Invalid consumer'
Response body is incorrect. Can't extract token and secret from this: 'OAuth Verification Failed: The consumer_key "默认使用测试App Key" token "" combination does not exist or is not enabled.'
Response body is incorrect. Can't extract token and secret from this: 'Consumer is not registered: 你所填写的Key'
调试错误，请回到请求来源地，重新发起请求。错误代码 ILLEGAL_PARTNER
Oops, there was a problemThe client does not exist. If you are the client application developer, configure a new application through the application management site at https://manage./.
{"error_code":"401","request":"\/oauth2\/authorize","error":"40111:Error: Oauth consumer_key\u4e0d\u"}
Response body is incorrect. Can't extract token and secret from this: 'oauth_problem=consumer_key_unknown'
您访问的应用不存在错误码：104
Response body is incorrect. Can't extract token and secret from this: 'oauth_problem=token_rejected'
错误信息：unknown client id错误码：#1000
4.社会化媒体申请与接口审核。
一些社会化媒体开放平台申请后，必须审核通过后才可以正常使用。请根据进行申请与配置，并提交审核。
使用人人网和腾讯QQ同步动态功能的用户需要单独申请feed接口才可以正常使用。人人feed.publishFeed接口，腾讯add_share接口申请指南。
5.配置完成后提示此应用未注册。
对于灯鹭制作的插件安装包，全部需要在网站的后台填入你在灯鹭控制台注册时获取到的appid与appkey，尚未填入这些字段的用户，会提示“此应用未注册”。
6.配置完成后提示此域名未绑定。
为了保证使用安全，使用灯鹭引擎的用户必须在灯鹭控制台进行域名绑定才可以在已绑定的域名下使用灯鹭服务。绑定域名时需要注意：我们视一级域名(如)和二级域名(如)为不同的域名，如果你的网站使用多个域名，请全部绑定。
7.PHP环境相关，提示“提示网络连接失败，php相关函数被禁用，fsockopen,curl_init等被禁用。”
使用灯鹭提供的插件安装包，网站的PHP环境必须支持fsockopen,curl_init函数。如果出现上述提示，请联系你的主机提供商开启相关函数。
8.登录供应商账号，不显示供应商logo 或者小图标，或如果出现乱码
对于安装好灯鹭插件，使用供应商账号登录，登录过程出现不显示供应商的logo 或者小图标，请用户到网站后台，更新灯鹭插件的“媒体信息”和网站缓存。
9.使用百度账号登录，跳转页面显示错误提示：错误信息：Invalid redirect uri 错误码：#1105
申请百度应用时，请正确填写回调地址。回调地址填写不正确，账号登录时，会弹出以上错误提示。
10.使用社会化媒体账号登录，跳转页面显示：不支持此供应商
使用社会化媒体账号登录，进入供应商的授权页面，点击一次授权按钮即可。多次点击按钮或者刷新页面会提示：不支持此供应商
11.导航栏处的小图标，刚开始显示，后来不再显示。
登录open控制台，站点配置的自定义图标，点击“还原”。
12.不能登录，提示curl_init函数错误
运营商调整他们的出口IP，导致DNS解析错误，长时间不能回应请求，从而导致出错。
13.网站后台 更新“媒体信息”仍然不显示供应商账号。
由于服务器时差造成的，修改服务器日期后，一切问题解决。
14.出现时间戳错误的信息
客户的服务器时间跟灯鹭服务器时间不一致，请调整服务器时间：调整Denglu.php 文件里的time()函数，如time()+734
15.其他问题
如果仔细检查后出现了非上述问题，请在或者BUG反馈QQ群进行反馈。
如果您对我们的产品有什么好的意见，或是觉得我们产品有什么不足。欢迎您给我们提出您的宝贵意见
开发遇到问题
如果您在安装与开发中遇到难以解决的问题，请访问开发者指南，阅读详细文档