通过键空间而不是使用的字符类检查密码复杂性的好处?
问题:
检查密钥空间密码而不是仅检查长度和使用的字符类有什么缺点?
详细信息:
我开始使用短语作为密码,但我常常在用户友好性方面遇到困难,因为密码要求阻止了我的密码。更糟糕的是,我遇到过有密码长度限制或不接受空格等的系统。
例如,采用标准密码检查器,它需要至少 8 个字符、1 个数字、1 个大写字母、1 个小写字母和 1 个字符。象征。如果我希望我的密码是“stackoverflow 是有史以来最好的网站”,检查器会抛出错误,但我的密码的密钥空间明显大于基本要求。
"C0mplex?" => 6.0956893 × 10^15
"stackoverflow is the best website ever" => 2.4650347 × 10^54
由于我必须自己设计这样的系统,因此我开始探索检查密码的密钥空间大小并需要最小密钥空间而不是特定特征(当然还有常见/明显的密码检查)的想法。这样,无论您使用 8 个字符的混合符号密码还是 12 个字符的不区分大小写的字母数字密码,它们都可以通过复杂性检查。
你们有什么想法/警告吗?
Question:
What would be the drawbacks of checking a password for keyspace instead of just checking for length and character classes used?
Details:
I've started to use phrases as passwords and more often than not I hit a wall with user-friendliness because password requirements block my passwords. Even worse, I've run into systems that have password length limits or don't accept spaces, etc.
For instance, take the standard password checker that wants at least 8 characters, 1 number, 1 uppercase letter, 1 lowercase letter and 1 symbol. If I want my password to be "stackoverflow is the best website ever" the checker would throw up an error yet the keyspace of my passphrse is significantly larger than the basic requirement.
"C0mplex?" => 6.0956893 × 10^15
"stackoverflow is the best website ever" => 2.4650347 × 10^54
As I've had to design systems like this myself, I've started to explore the idea of checking the keyspace size of the password and requiring a minimum keyspace instead of specific traits (as well as common/obvious password checks of course). This way, it doesn't matter if you use an 8-character mixed-symbol password or a 12-character case-insensitive alphanumeric password, they both pass the complexity check.
Any thoughts/caveats you guys can see?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
除了编写检查键空间要求的代码比检查字符类更难之外,没有其他缺点,因此大多数网站(让我们面对它不是由出色的安全专家或编码人员构建的)不会打扰。
更糟糕的是 - 限制最大长度的密码通常是因为它们将您的密码以明文形式存储在数据库中,并且具有固定长度的存储列,任何对安全性有简要了解的人都会知道这是不可接受的,因为密码应该在服务器上加盐和散列。
There are no drawbacks other than the fact that it's harder to write code that checks for keyspace requirements than to check for character classes, and so most websites (which let's face it are not built by brilliant security experts or coders) don't bother.
Worse - passwords which are restricted to maximum lengths are usually because they're storing your password in the database in the clear and have a fixed length column for the storage, which as anyone with even a brief understanding of security will know is unacceptable since passwords should be salted and hashed on the server.