| Users re-use passwords for multiple services. |
用户会在多个服务上使用相同的密码。 |
| If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. |
如果攻击者成功侵入服务器,并且能获取到一系列的密码,他可以用这些密码去攻击其他的服务。 |
| Therefore, only password hashes may be stored. |
因此,应只保存密码的散列值。 |
| Secure hashing algorithms are easy to use in most languages and ensure the original password cannot be easily recovered and that wrong passwords are not falsely accepted. |
许多语言都提供了简单易用的安全散列函数,这些函数确保难以从散列值恢复出原始密码,且错误的密码不能通过验证。 |
| Adding salts to the password hashes prevents the use of rainbow tables and significantly slows down brute-force attempts. |
对密码的散列值加盐可以防止攻击者使用彩虹表,进而显著拖慢暴力破解的速度。 |
| Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. |
不论是对窃取到密码散列值的离线暴力破解,还是对频次限制失效情况下的在线暴力破解,散列加强都能拖慢其速度。 |
| However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. |
但是,这会增加服务器的处理器(CPU)负载,若不限制登录请求的频次,这会成为对服务器进行分布式拒绝服务(DDoS)攻击的一个途径。 |
| A good strengthening can slow down off-line brute-force attacks down by a factor of 10000 or more. |
正确使用散列加强可以将离线暴力破解的速度减慢10000倍以上。 |
| Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. |
密码散列加强策略会产生CPU开销,这些额外的开销可能会引起拒绝服务(DoS)。因此,必须限制登陆尝试的频次,这样也能同时防范在线暴力破解。 |
| Without a limit, an attacker can try a very large number of passwords directly against the server. |
若不限制登陆尝试的频次,攻击者可以直接向服务器提交大量的密码来试图登录。 |
| Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this would result in 259,200,000 passwords tried in a single month! |
我们合理假设对一个普通的网站服务器,在没有应用显著的散列加强时,一个使用多线程的攻击者每秒能尝试100次登录,那他仅需一个月就能尝试2亿5920万个密码! |
| Not enforcing any password policies will lead to too many users choosing “123456”, “qwerty” or “password” as their password, opening the system up for attack. |
不执行任何密码策略会导致许多用户将“123456”、“qwerty”、“password”设为密码,这会扩大系统的攻击面。 |
| Enforcing too strict password policies will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. |
而密码策略过于严格则会迫使用户选择将密码保存在文件中或写在纸上,这会降低用户体验,还可能助长一条密码走天下的习惯。 |
| Furthermore, users using secure passwords not matching the policies may be forced to use passwords which are harder to remember, but not necessarily secure. |
而且,那些使用了不符合密码策略但是安全的密码的用户可能不得不选择一个更难记忆的密码,但这种密码并不一定安全。 |
| A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. |
举例来说,从字典中随机抽取五个单词(注意必须是随机的),将它们拼接在一起而成的全小写密码远比一个长度为8位,且包含大小写字母、数字和特殊符号的密码要更加安全。 |
| Take this into account if you do not get a password policy to implement, but have to design your own. |
如果没人指定你要实现某个特定的密码策略的话,设计时最好考虑一下上面的例子。 |
