暴力攻击asp.net中的故障安全登录
我刚刚读到一篇文章说7个字符的密码不再安全。但是,如果服务器增加每次登录尝试后重试登录的时间,那么暴力攻击就没用了。如何在 ASP.NET 中创建这样的逻辑?不知怎的,我猜服务器端代码需要记住尝试登录的IP地址,并且应该增加每次新尝试的响应时间?
I just read an article saying that passwords with 7 characters are no longer safe. However, if the server increases the time to retry a login attempt after each login attempt, then brute force attacks are useless. How do you create such logic in asp.net? Somehow I guess the server side code needs to remember the ip-address that tried to login and should increase the response time with each new try?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
IP 地址并不是真正识别用户的安全方法。您可以尝试将上次提交的登录尝试存储在 cookie 中,但如果浏览器不接受它们,那么它的用途将受到限制。会话变量也需要cookie,所以它们已经被淘汰了。
有些网站(我想到的是雅虎)在第三次左右尝试后开始显示验证码表单。除了您的登录详细信息之外,您还必须正确回答验证码。
另一种选择是在 X 次尝试失败后禁用帐户(可以在您的数据库中进行跟踪),但我个人不喜欢这样做,因为每当我忘记密码时,它往往会迫使我打电话给某人来重置我的密码。
IP address isn't really a secure method of identifying the user. You could try storing the last time a login attempt was submitted in a cookie, but if the browser doesn't accept them, it'll be of limited use. Session variables also require cookies, so they're out.
Some sites (yahoo comes to mind) start showing a Captcha form after the third or so attempt. You have to correctly answer the captcha in addition to your login details.
Another option would be to disable an account after X failed attempts (which can be tracked in your database), but I personally dislike this as it tends to force me to call someone to get my password reset whenever I forget one.
许多暴力攻击都是离线发生的。这就是为什么尝试失败的锁定不能替代复杂的密码、使用适当的“盐”和密钥强化的原因。
Many brute force attacks occur offline. That's why failed-attempt lock-outs are no substitute for requiring complex passwords, using proper "salt", and key-strengthening.
ASP.NET 有一个内置机制来防止针对登录密码的暴力攻击。
请参阅 maxInvalidPasswordAttempts 成员身份属性 。
恕我直言,7 个字符的密码完全适合大多数 Web 应用程序(我的银行允许 7 个字符的密码),前提是遵循安全最佳实践,例如安全地散列密码和阻止暴力攻击。
一旦您获得超过 7 或 8 个字符的密码,您实际上是在说“我的应用程序需要超级安全”,在这种情况下,您应该考虑单独的客户端 SSL 证书。要求密码中包含更多字符会带来收益递减。您有多少用户能够记住复杂的 8 或 9 个字符的密码?他们最终把它们写下来。就我个人而言,任何要求我创建超级复杂密码的网站都会拒绝我。
只要正确设置,ASP.NET 会员资格就会为您完成大部分有关安全性的艰苦工作。
但是,ASP.NET 成员资格无法为您做一些事情,例如:
有关安全最佳实践的更多信息,我将查看 OWASP
ASP.NET has a built-in mechanism to prevent brute force attacks against login passwords.
Refer to the maxInvalidPasswordAttempts Membership property.
IMHO 7 character passwords are perfectly adequate for most web applications (my bank allows 7 char passwords) provided security best practices are followed, such as securely hashing passwords and blocking brute force attacks.
Once you get beyond 7 or 8 character passwords, you are really saying "my app needs to be super secure", in which case you ought to consider individual client SSL certificates. Requiring more characters in a password has diminishing returns. How many of your users can remember complex 8 or 9 character passwords? They end up writing them down. Personally, I get turned away by any site that requires me to create some super-complex password.
ASP.NET Membership does most of the hard work around security for you, as long as it is setup properly.
However, there are some things ASP.NET Membership cannot do for you, such as:
For more on security best practices I'd look at OWASP
您可能需要担心至少三种攻击:
您可以将每个 IP 的尝试次数存储到树中,然后将树的密集部分分组在一起。然后将其分桶(每 10 分钟构建一棵新树,将旧树再保留 10 分钟)。这可能有一个错误的假设,即相邻 IP 可能会表现出类似的行为,但会优雅地降级为仅将 IPv4 聚集到(例如)/24 中。
如果您感觉特别慷慨,您可以在登录时存储一个单独的 cookie,在注销时不会清除该 cookie,并在数据库中保存一个副本(128 位随机值应该足够了)。在尝试登录时,如果浏览器提供了正确的 cookie,请对浏览器“更好”(例如,允许对该 cookie 进行 3 次尝试,而不计算每个 IP 或每个用户的失败率)。这意味着即使用户的帐户被暴力破解,用于访问该帐户的最后一台计算机也不会显示验证码。
一般来说,谈论密码熵比谈论密码长度和“字符类型”更有用——我很确定几乎每个人都只是将第一个字母大写并在末尾添加一个 1。我还没有看到任何“人类友好”的密码生成器也声明密码熵。
There appear to be at least three attacks you might want to worry about:
You could store tries-per-IP into a tree, where you group dense parts of the tree together. Then just bucketize it (construct a new tree every 10 minutes, keep the old tree around for 10 more minutes). This has the possibly mistaken assumption that neighbouring IPs are likely to exhibit similar behaviour, but downgrades gracefully into just clustering the IPv4 into (say) /24's.
If you're feeling particularly generous, you can store a separate cookie on login that's not cleared on logout, and save a copy in the database (a 128-bit random value should be good enough). On a login attempt, be "nicer" to the browser if it presents the correct cookie (e.g. allow 3 attempts on that cookie without counting per-IP or per-user failure rate). This means that the last machine used to access the account isn't presented with a CAPTCHA even when the user's account is being bruteforced.
In general, it's more useful to talk about password entropy than password length and "types of characters" — I'm pretty sure nearly everyone just makes the first letter capital and sticks a 1 on the end. I've also yet to see any "human-friendly" password generators that also state password entropy.