一个好的密码策略是，选一个你容易记住的长句子，比如诗句，选每个字拼音首字母，作为密码。

你很容易记而别人很难猜到。

用这个长密码作为主密码前缀。

对每个不同帐号，再选一个短而容易记的，和网站相关的密码后缀。

每个帐号的密码由同样的主密码前缀和不同的短密码后缀构成[1]。

这样，即便一个帐号的密码失窃[4]，窃贼也无法容易地知道你其他帐号的密码。

而你却很容易记住每个帐号的密码。

比如，

选一个长密码前缀：天然一个仙人洞无限风光在险峰 trygxrdwxfgzxf

这串字符看起来无意义，但对你有意义。;)

然后，选择 

gmail 帐号密码后缀为 gm01

hotmail 帐号密码后缀为 h0m

这样，

gmail 密码为 trygxrdwxfgzxfgm01

hotmail 密码为 trygxrdwxfgzxfh0m

这样如果窃取了一个密码，是很难分清哪一部分是前缀，哪一部分是后缀的，也就很难猜测其他帐号密码。

即便窃取了两个帐号的密码，知道了共同的前缀，要猜测第三个帐号的后缀，毕竟还是需要一点时间的。

这样的密码强度[2]很高，但记忆负担却并不很大。

为了防止遗忘密码，学会用 keepass [7]保存网络密码，这样不会因为记不住而都用同样密码而带来密码失窃导致全部帐号被窃取的危险。

特别注意，不要为了偷懒而在办公，网吧，旅店等公用计算机上保存帐号密码。在私人电脑上保存密码，也必须选择支持主密码加密的软件[3]，最好不要保存帐 号密码。因为保存的密码不一定加密保存，很容易用软件工具[5][6]破解获取。

参考：

[1] Security Simplified: The Base+Suffix Method for Memorable Strong Passwords; Thursday, February 19th, 2009;  http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html
[2] Cracking Passwords in the Cloud: Insights on Password Policies; THURSDAY, OCTOBER 29, 2009; http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
[3] Master Password Encryption in FireFox and Thunderbird; Friday, February 27th, 2009; http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html
[4] SniffPass v1.12 - Password Monitoring Software; http://www.nirsoft.net/utils/password_sniffer.html
[5] Mail PassView - Recover POP3/IMAP/SMTP email passwords; http://www.nirsoft.net/utils/password_sniffer.html
[6] Dialupass - Recover VPN/RAS/Dialup passwords; http://www.nirsoft.net/utils/dialupass2.html
[7] Five Best Password Managers; http://lifehacker.com/5042616/five-best-password-managers

[16] 编程随想：CNNIC证书的危害及各种清除方法
https://www.google.com/buzz/changsimeng/b5dVmPZSe6p/
http://program-think.blogspot.com/2010/02/remove-cnnic-cert.html
http://blog.csdn.net/program_think/archive/2010/02/16/5309699.aspx
http://program-think.blogspot.com/2010/02/about-cnnic.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!623.entry
http://program-think.blogspot.com/2010/02/introduce-digital-certificate-and-ca.html
http://blog.csdn.net/program_think/archive/2010/02/08/5300184.aspx

[17] 编程随想：如何隐藏你的踪迹，避免跨省追捕
https://www.google.com/buzz/changsimeng/Az9MioJQvsQ/
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-0.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!674.entry
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-1.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!675.entry
http://program-think.blogspot.com/2010/04/howto-cover-your-tracks-2.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!678.entry
http://program-think.blogspot.com/2010/05/howto-cover-your-tracks-3.html
http://program-think.spaces.live.com/blog/cns!F5B0090663FEEADA!689.entry

[18] 编程随想：信息安全之社会工程学; https://www.google.com/buzz/104802289453542970648/N88CucN5YsT/
http://program-think.blogspot.com/2009/05/social-engineering-0-overview.html 
http://blog.csdn.net/program_think/archive/2009/05/05/4152922.aspx
http://program-think.blogspot.com/2009/05/social-engineering-1-gather-information.html
http://blog.csdn.net/program_think/archive/2009/05/06/4156187.aspx
http://program-think.blogspot.com/2009/05/social-engineering-2-pretend.html
http://blog.csdn.net/program_think/archive/2009/05/09/4164242.aspx
http://program-think.blogspot.com/2009/05/social-engineering-3-influence.html
http://blog.csdn.net/program_think/archive/2009/05/19/4202545.aspx
http://program-think.blogspot.com/2009/06/social-engineering-4-example.html
http://blog.csdn.net/program_think/archive/2009/06/07/4250266.aspx
http://program-think.blogspot.com/2009/07/social-engineering-5-defend.html
http://blog.csdn.net/program_think/archive/2009/07/08/4329731.aspx

Permalink | Leave a comment  »