为什么 Web 应用程序坚持定义严格的密码规则?
您都遇到过各种网站,这些网站强制您使用 6 个字符长的密码,必须有 1 个数字,并且必须与“烦人”押韵。
显然,有一些遗留原因导致有时这是必要的,但有时却是为了安全。 我发现这很烦人,因为我有一组标准密码,这些密码通常与这些特殊规则不匹配,所以我必须创建并记住一个新密码。
如果您担心用户密码的复杂程度,那么在安全性方面似乎还有更重要的事情需要担心。 如果有人真的能够掌握该密码,那么您显然需要担心更大的问题。 在让用户担心您的安全之前,先做好自己的本分并锁定系统端。
我的实际问题是:这些复杂密码规则的替代方案是什么,可以减轻彩虹表或强力哈希反转器的风险,而不依赖用户承担记住复杂内容的负担?
一些想法:盐腌,...
You've all encountered the various websites that force you to have a password that is 6 characters long, must have 1 number, and must rhyme with 'annoying.'
Obviously there are legacy reasons why sometimes this is necessary but other times it's all for security. I find that it's rather annoying because I have a standard set of passwords that often don't match these peculiar rules so I have to make and remember a new one.
It seems that there are more important things to worry about in terms of security if you're worrying about how complex the user's password is. If someone can actually get a hold of that password then you clearly have larger problems to worry about. Do your part and lock down your end of the system before relying on the user to worry about YOUR security.
My actual question is: What are the alternatives to these complex password rules to mitigate the risk of rainbow tables or brute force hash reversers without relying on the user to carry the weight of remembering something complicated?
Some ideas: salting, ...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
无论您选择什么,几乎每个网站都会对您的密码进行加盐和加密。 问题不在于遗留代码、服务器端的数据库安全性或类似的问题,开发人员在大多数情况下都会涵盖这些问题。 问题是愚蠢的用户提交的密码很容易被破解。 规则的目的是迫使您不要选择太愚蠢的密码。
这是一个参考链接。 http://www.codinghorror.com/blog/archives/001206.html
Almost every site will be salting and encrypting your password regardless of what you choose. The issue isn't legacy code, database security on the server side or anything like that, the developers will have that covered in most cases. The problem is dumb users submitting retarded passwords that get broken quite easily. The point of the rules is to FORCE you to not choose too stupid of a password.
Here's a reference link. http://www.codinghorror.com/blog/archives/001206.html
密码规则的原因是尝试并确保“更强”的密码,这实际上意味着平均需要更多的尝试才能通过暴力攻击找到密码。 大多数人,即使在很多例子之后,也喜欢 最近的 Twitter 混乱,将使用 Joe 密码或容易受到可行暴力攻击的字典单词。
最好的办法是询问密码背后的数据的价值是多少,然后破解密码的成本(工作量)是多少。 如果值很小,则不需要复杂的规则,甚至可能根本不需要密码。 如果价值很高,那么你需要让它变得更加困难。
The reason for the password rules is to try and ensure a "stronger" password, which means, in effect, that it takes more trials on average to find the password with a brute force attack. Most people, even after the many examples, like the recent Twitter mess, will use a Joe password, or a dictionary word that's vulnerable to a feasible brute-force attack.
The best thing to do is to ask what the value of the data behind the password is, and then what the cost (effort) of cracking the password would be. If the value is small, you dn't need complicated rules, and maybe you don't need a password at all. If the value is high, then you need to make it more difficult.
使用 KeePass
http://keepass.info/
它肯定会减少麻烦。
Use KeePass
http://keepass.info/
It sure will minimize the hassle.
好的,这就是整个故事。
首先,让我们定义一个方案“优劣”的衡量标准。 对于密码等,衡量标准是暴力攻击获得访问权限所需的平均尝试次数。
假设您的密码由包含 n 个字符的字母表 S 组成,密码长度为 k。 那么可能的密码总数为nk。
平均而言,暴力攻击将在大约 nk/2 或 nk-1 内找到成功的密码 试验。
为了方便起见,并且出于一些我不打算讨论的信息论考虑,我们通常将其表示为位的数量,即lg nk 其中 lg 表示以 2 为底的对数。因为我们习惯于将位视为离散的事物,所以我们实际上通常取该数字的上限,即大于的最小整数比lg nk,但事实上小数值是完全合法的。
对于可打印字符、8 个字符的密码且没有其他规则,该数字约为 1008 或大约 1016; 大约是 53 位。 唯一的问题是,这类随机密码几乎不可能被记住; 它们往往会出现在黄色便签上,并且很容易受到此类攻击。 但这仍然是一个有限的情况。 通过暴力破解大约需要 100 万亿次尝试才能猜出。 如果每次尝试花费一分钱,那么从理论上讲,您的数据在值得窃贼花费时间之前可能价值高达 1 万亿美元。
另一方面,常用词典单词只有5万左右。 这大约是 16 位,或者说需要进行大约 25,000 次暴力尝试。 假设每次尝试花费一分钱:那么您的数据的价值最好不要超过 250.00 美元。
这两者都是规则
R = P×H
的应用,其中R是风险,P是坏想法发生的概率, H(危险)是发生坏事的成本。
现在,一次尝试一分钱太高,但您现在拥有所需的工具。 弄清楚数据的价值,您可以使用此方法来决定您需要多广泛的规则集。 (但要小心,如果您将规则设置得太严格,那么可接受的密码集的熵就会变小,直到您开始讲老笑话:安全部门经过深思熟虑后确定了最佳密码其中全部是“*8h% Jd!”,因此所有用户现在都将开始使用该密码。)
Okay, here's the whole story.
First of all, let's define a measure of the "goodness" of a scheme. With passwords or the like, the measure is the average number of trials it takes a brute force attack to get access.
Let's say that your passwords are drawn from an alphabet S with n characters, and the password's length is k. Then the total number of possible passwords is nk.
On average, then, a brute force attack will find a successful password in about nk/2, or nk-1 trials.
For convenience, and because of some information-theoretic considerations I'm not going to go into, we usually express that as a number of bits, which is lg nk where lg denotes the logarithm base 2. Because we're used to thinking of bits as discrete things, we actually usually take the ceiling of that number, ie, the least integer greater than lg nk, but in fact the fractional value is perfectly legitimate.
For printable characters, 8 character passwords, and no other rules, that number is in the neighborhood of 1008 or about 1016; that is about 53 bits. The only thing is those sorts of random passwords are almost impossible to remember; they tend to end up on yellow sticky notes and become vulnerable to that kind of attack. Still, that is a limiting case. It takes about 100 trillion tries to guess that by brute force. If each try costs a penny, then theoretically, your data could be worth as much as $1 trillion before it would be worth a thief's time.
On the other hand, there are only about 50,000 commonly used dictionary words. That's around 16 bits, or it takes around 25,000 tries by brute force. Figure each try costs a penny: then your data better not be worth more than $250.00.
Both of these are applications of the rule
R = P×H
where R is the risk, P is the probability of a bad think happening, and H (the hazard) is the cost of the bad thing happening.
Now, a penny a try is too high, but you now have the tools you need. Figure out what the data is worth, and you can use this method to decide how extensive a rule set you need. (But be careful, as if you make the rules too stringent, then the entropy of the set of acceptable passwords gets small, until you get down to the old joke that after much thought Security determined the best password of all is '*8h% Jd!', so all users would now start using that password.)
任何未经训练的用户(大多数 Web 应用程序的正常类型)认为自然且易于记忆的内容都将很容易被破解。 您如何存储它并不重要,因为破解软件可以破解未经培训的用户可能使用的所有密码。 仅当用户拥有良好的密码时,加盐和散列才有效。
解决方案是要么要求用户记住更复杂的东西(你拒绝它),要么根据用户拥有的东西而不是用户能记住的东西进行验证。 这可以是一个写下来的密码,一种可以生成每隔几秒更改一次的不可预测的数字的安全密钥,或者是一些更深奥的密码。
网站可以做的就是允许各种强密码。 我讨厌那些我想使用强密码(通常是金融或医疗)的网站,这些密码有“没有特殊字符”之类的规则。 (当然,我不喜欢重复使用强密码;我不希望任何破解我的 HMO 安全性的人从我的 Barnes & Noble 帐户自由订购。)
这可能不是您想要的答案,但坏人其功能足以压倒大多数人所接受的那种休闲安全性。
Anything an untrained user (the normal type for most web applications) will find natural and easy to remember will be easy to crack. It doesn't matter what you do to store it, because cracking software can go through all passwords an untrained user is likely to use. Salting and hashing are effective only when the users have good passwords.
The solution is either to ask the user to remember something more complicated (which you are rejecting) or to base verification on something the user has, rather than what the user can remember. This can be a written-down password, one of those security fobs that generate unpredictable numbers that change every few seconds, or something more esoteric.
What a website can do is allow all sorts of strong passwords. I detest sites where I want to use strong passwords (typically financial or medical) that have rules like "no special characters". (Of course, I don't like reusing strong passwords; I don't want anybody who cracks my HMO security to order freely from my Barnes & Noble account.)
This probably isn't the answer you wanted, but the bad guys have capabilities that will overwhelm the sort of casual security most people are comfortable with.
Keepass 的另一个优点是,在大多数情况下,它可以在 Windows 中直接从 USB 闪存驱动器运行(例如,甚至不需要安装它)。 将keepass 和您的数据库文件都放在USB 密钥上,您就拥有了一个快速、简单的便携式密码参考数据库。 确保您使用强密码来保护您的密码,尽管您丢失了 USB 驱动器,但您不希望所有内容进入您的密码数据库。
Keepass also has the advantage that it will run directly (eg not even have to install it) from a USB flash drive in most cases in windows. Put both keepass and your database file on the USB key and u have a quick and easy portable password reference database. Make sure u secure keepass with a nice strong password though as if u loose your USB drive u don't want all and sundry getting into your password database.