@
qsnow6 你确定你去的是 Apple Store 天才吧?人家从来不会要你的密码。这是规定
还有,尽管操作系统的安全边界不可靠,但它依旧是最后一道防线。如果人家都拿到了你的管理员权限。
都不需要获取你的密码了,直接可以拿 cookie 就完事了。
https://news.ycombinator.com/item?id=6166731> The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
>你密码存储的唯一强权限边界就是操作系统的用户账户。因此,Chrome 会使用系统提供的加密存储方式,在账户被锁定的情况下保护你的密码安全。
但除此之外,我们发现操作系统用户账户内部的权限隔离并不可靠,大多只是“表面功夫”。
想象一下,如果有恶意的人获取了你的账户访问权限。他可以导出你所有的会话 Cookie 、获取浏览记录、安装恶意扩展来拦截你的浏览活动,甚至安装在用户账户层级运行的监控软件。我的意思是,一旦坏人进入了你的账户,这场“游戏”基本就输了,因为他有太多途径可以获取他想要的东西。