GitHub now introduces mandatory enhanced account verification for NPM

GitHub recently rolled out some changes to the NPM ecosystem in response to the security problems that have been surfacing. One of the most recent of these was that attackers managed to take control of the NPM package coa and published the releases 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3, which contained malicious changes.

In connection with this, and with the growing number of incidents in which the repositories of large projects are hijacked and malicious code is pushed through compromised developer accounts, GitHub has introduced enhanced account verification.

Separately, mandatory two-factor authentication will be introduced at the beginning of next year for the maintainers and administrators of the 500 most popular NPM packages.

From December 7, 2021 to January 4, 2022, all maintainers who have the right to publish NPM packages but do not use two-factor authentication will be migrated to enhanced account verification. Enhanced verification requires entering a one-time code sent by email whenever the user attempts to log in to the npmjs.com site or to perform an authenticated operation with the npm command-line tool.

Enhanced verification does not replace the previously existing two-factor authentication, which requires confirmation with time-based one-time passwords (TOTP); it only supplements it. Enhanced email verification does not apply when two-factor authentication is enabled. Starting February 1, 2022, the migration to mandatory two-factor authentication for the 100 most popular NPM packages, measured by number of dependents, will begin.

Today we are announcing enhanced login verification on the npm registry, and we will begin a phased rollout to maintainers starting December 7 and concluding January 4. npm registry maintainers who have publish access to packages and do not have two-factor authentication (2FA) enabled will receive an email with a one-time password (OTP) when authenticating through the npmjs.com website or the npm CLI.

This emailed OTP will need to be provided in addition to the user's password before being authenticated. This additional layer of verification helps prevent common account takeover attacks, such as credential stuffing, which exploit reused and compromised passwords. It is important to note that Enhanced Login Verification is designed to be an additional baseline security protection for all publishers. It is not a replacement for 2FA, NIST 800-63B. We encourage maintainers to opt in to 2FA. By doing so, you will not need to perform enhanced login verification.

Once the migration of the first hundred is complete, the change will be extended to the 500 most popular NPM packages, ranked by number of dependents.

In addition to the currently available two-factor authentication schemes based on time-based one-time password apps (Authy, Google Authenticator, FreeOTP, etc.), in April 2022 they plan to add support for hardware keys and biometric scanners wherever the WebAuthn protocol is supported, together with the ability to register and manage additional authentication factors.

Recall that, according to a study carried out in 2020, only 9.27% of package maintainers used two-factor authentication to protect access, and in 13.37% of cases developers registering new accounts tried to reuse compromised passwords taken from known password leaks.

During an analysis of the strength of the passwords in use, 12% of NPM accounts (13% of packages) were accessed because of predictable, trivial passwords such as "123456". Among the affected accounts were 4 user accounts belonging to the 20 most popular packages, 13 accounts whose packages were downloaded more than 50 million times a month, 40 with more than 10 million downloads a month and 282 with more than 1 million downloads a month. Taking into account how modules are loaded along the dependency chain, compromising such accounts could affect up to 52% of all NPM modules.

Finally, if you are interested in learning more about it, you can consult the details in the original article at the following link.
