Users re-use passwords across multiple services. If an attacker gains access to one server and obtains its list of passwords, they may be able to use those passwords to attack other services. Therefore, only password hashes may be stored. Secure hashing algorithms are easy to use in most languages; they ensure that the original password cannot easily be recovered from the hash and that wrong passwords are not falsely accepted. Adding a per-user salt to each password hash prevents the use of rainbow tables and significantly slows down brute-force attempts.
Strengthening (deliberately making each hash computation expensive, for example by iterating the hash function many times) slows both off-line brute-force attacks against stolen hashes and on-line brute-force attacks in case rate limiting fails. However, it increases CPU load on the server and opens a vector for DDoS attacks unless login attempts are limited. Good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more.

Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS through the CPU usage of the password-strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server with no significant strengthening and an attacker working with multiple threads, this amounts to 259,200,000 passwords tried in a single month!
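The three measures above (salted hashing, strengthening, and attempt limiting) combined, as an added example that is not part of the original page: the storage record format, the iteration count and the lockout limits are constructed values, and the limit check runs before the expensive hash so rejected attempts cost almost no CPU.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed values: tune the iteration count so one hash costs ~0.1-0.5 s on the server.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a salted, strengthened record (constructed format: algo$iters$salt$hash)."""
    salt = salt or os.urandom(16)  # unique per user, so rainbow tables do not apply
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(iterations), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class LoginLimiter:
    """Sliding-window cap on login attempts per account (limits are constructed examples)."""

    def __init__(self, max_attempts=5, window_seconds=300.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable for testing
        self._attempts = defaultdict(deque)

    def check_and_record(self, username):
        """Return True and record the attempt if allowed; False if the account is locked."""
        now = self.clock()
        q = self._attempts[username]
        while q and now - q[0] > self.window:
            q.popleft()  # forget attempts outside the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def login(username, password, records, limiter):
    """Limit check first, so the slow hash cannot be used to exhaust server CPU."""
    if not limiter.check_and_record(username):
        return False
    record = records.get(username)
    return record is not None and verify_password(password, record)
```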
Not enforcing any password policy will lead to too many users choosing "123456", "qwerty" or "password" as their password, opening the system up to attack. Enforcing an overly strict password policy will force users to save passwords or write them down, generally annoy them, and encourage re-using the same password for all services. Furthermore, users who already use secure passwords that do not match the policy may be forced to pick passwords that are harder to remember but not necessarily more secure. A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed-case letters, numbers and punctuation. Take this into account if you are not given a password policy to implement but have to design your own.