GitHub now introduces mandatory extended account verification on NPM

GitHub recently rolled out several changes to the NPM ecosystem in response to security problems that have come up. One of the most recent is that attackers managed to take control of the coa NPM package and released updates 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3, which included malicious changes.
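A lockfile check for the coa releases named above, as an added example that is not from the original article or from GitHub. The version list is the one this page gives; the sample lockfiles and the `build-tool` package name are constructed.

```javascript
// coa releases this page lists as carrying malicious changes.
const FLAGGED = new Map([["coa", new Set(["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"])]]);

// lockfileVersion 1: nested tree { dependencies: { name: { version, dependencies } } }.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    if (FLAGGED.get(name)?.has(info.version)) {
      hits.push({ name, version: info.version, via: path.join(" > ") });
    }
    walkV1(info.dependencies, path, hits); // transitive copies count too
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/coa" (scoped names keep their "@scope/").
function walkPackages(packages, hits) {
  for (const [path, info] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (FLAGGED.get(name)?.has(info.version)) {
      hits.push({ name, version: info.version, via: path });
    }
  }
}

// Takes the text of a package-lock.json and returns every flagged install.
function findFlagged(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  // v2 files carry both layouts; prefer "packages" so nothing is counted twice.
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkV1(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample (lockfileVersion 3): one clean copy, one flagged nested copy.
const SAMPLE_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/coa": { version: "2.0.2" },
  "node_modules/build-tool/node_modules/coa": { version: "2.0.4" },
} });
// Constructed sample (lockfileVersion 1): flagged copy pulled in transitively.
const SAMPLE_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  "build-tool": { version: "1.0.0", dependencies: { coa: { version: "3.1.3" } } },
} });
console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

The lockfile matters more than `package.json` here, because a semver range in the manifest does not show which release was actually resolved and installed.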

In response to this, and to the growing number of incidents in which repositories of large projects are hijacked and malicious code is pushed through compromised developer accounts, GitHub is introducing extended account verification.

Separately, mandatory two-factor authentication will be introduced early next year for the maintainers and administrators of the 500 most popular NPM packages.

From December 7, 2021 to January 4, 2022, all maintainers who have the right to release NPM packages but do not use two-factor authentication will be moved to extended account verification. Extended verification requires entering a unique code sent by email when trying to log in to the npmjs.com site or to perform an authenticated operation in the npm utility.

Extended verification does not replace, but only complements, the optional two-factor authentication that was already available, which requires confirmation with time-based one-time passwords (TOTP). Extended email verification is not applied when two-factor authentication is enabled. Starting on February 1, 2022, the process of moving to mandatory two-factor authentication will begin for the 100 most popular NPM packages with the most dependents.

Today we are introducing enhanced login verification on the npm registry, and we will begin a staggered rollout to maintainers starting on December 7 and finishing on January 4. Npm registry maintainers who have access to publish packages and do not have two-factor authentication (2FA) enabled will receive an email with a one-time password (OTP) when authenticating through the npmjs.com website or the Npm CLI.

This emailed OTP will need to be provided in addition to the user's password before authenticating. This additional layer of authentication helps prevent common account takeover attacks, such as credential stuffing, which use a user's compromised and reused password. It is worth noting that Enhanced Login Verification is intended to be an additional baseline protection for all publishers. It is not a replacement for 2FA, NIST 800-63B. We encourage maintainers to opt in to 2FA. By doing so, you will not need to perform enhanced login verification.

After the migration of the first hundred is complete, the change will be extended to the 500 most popular NPM packages by number of dependents.

In addition to the currently available app-based two-factor schemes for generating one-time passwords (Authy, Google Authenticator, FreeOTP, etc.), in April 2022 they plan to add the ability to use hardware keys and biometric scanners that support the WebAuthn protocol, as well as the ability to register and manage several additional authentication factors.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases, when registering new accounts, developers tried to reuse compromised passwords that appear in known password leaks.

During the analysis of the strength of the passwords in use, 12% of accounts on NPM (13% of packages) were accessed because they used predictable and trivial passwords such as "123456". Among the problematic accounts were 4 user accounts from the 20 most popular packages, 13 accounts whose packages are downloaded more than 50 million times a month, 40 with more than 10 million downloads a month and 282 with more than 1 million downloads a month. Taking into account how modules are loaded along the dependency chain, compromising untrusted accounts could affect up to 1% of all NPM modules in total.

Finally, if you are interested in learning more about it, you can check the details in the original note at the following link.

