| Users re-use passwords for multiple services. |
用户对多种服务重复使用密码。 |
| If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. |
如果攻击者获得对一台服务器的访问权限,并且能够获得密码列表,则此人或许可以用该密码来攻击其他服务。 |
| Therefore, only password hashes may be stored. |
因此,只能存储密码散列。 |
| Secure hashing algorithms are easy to use in most languages and ensure the original password cannot be easily recovered and that wrong passwords are not falsely accepted. |
在大多数语言中都很容易使用安全散列算法,确保不易恢复原始密码,也不会错误地接受不正确的密码。 |
| Adding salts to the password hashes prevents the use of rainbow tables and significantly slows down brute-force attempts. |
在密码散列中添加“佐料”可以防止使用彩虹表,显著减慢暴力尝试的速度。 |
| Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. |
在速率限制失败的情况下,通过强化可以减慢对被盗散列和联机暴力的脱机暴力攻击。 |
| However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. |
不过,它会增加服务器的 CPU 负载,如果不利用登录尝试限制来加以阻止,则会成为 DDoS 攻击的途径。 |
| A good strengthening can slow down off-line brute-force attacks down by a factor of 10000 or more. |
通过良好的强化,脱机暴力攻击次数可以减少 10000 倍或以上。 |
| Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. |
为防止通过 CPU 使用密码强化过程进行联机暴力攻击和 DoS,有必要限制登录尝试次数。 |
| Without a limit, an attacker can try a very large number of passwords directly against the server. |
如果不加限制,攻击者就可以直接针对服务器尝试大量密码。 |
| Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this would result in 259,200,000 passwords tried in a single month! |
假设每秒尝试 100 次(这对于普通 Web 服务器来说很合理),如果没有显著强化并且攻击者使用多个线程,那么光一个月内就会尝试 259,200,000 个密码! |
| Not enforcing any password policies will lead to too many users choosing “123456”, “qwerty” or “password” as their password, opening the system up for attack. |
不执行任何密码策略将导致太多用户选择“123456”、“qwerty”或“password”作为密码,致使系统容易遭受攻击。 |
| Enforcing too strict password policies will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. |
若执行过于严格的密码策略,用户就不得不保存密码或将密码写下来,这让用户不胜其烦,因而促使他们对所有服务重复使用相同的密码。 |
| Furthermore, users using secure passwords not matching the policies may be forced to use passwords which are harder to remember, but not necessarily secure. |
此外,使用与策略不匹配的安全密码的用户,可能不得不使用难记但却未必安全的密码。 |
| A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. |
由 5 个随机(!)选择的一连串小写字典单词组成的密码,比 8 个字符(由混合的大小写字母、数字和标点符号组成)的密码明显更加安全。 |
| Take this into account if you do not get a password policy to implement, but have to design your own. |
如果您没有实施密码策略,请不妨考虑这一点,但必须自行设计密码。 |
