| Users re-use passwords for multiple services. |
用户会重复使用密码于多个服务。 |
| If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. |
如果一个攻击者获得了对一台服务器的访问权限,并且可以获得密码列表,他可能会使用其中的密码来攻击其他服务。 |
| Therefore, only password hashes may be stored. |
因此,只能存储密码的哈希值。 |
| Secure hashing algorithms are easy to use in most languages and ensure the original password cannot be easily recovered and that wrong passwords are not falsely accepted. |
对于大多数语言,安全的哈希算法很容易使用,这能确保原始密码不易被恢复,而错误的密码也不会被接受。 |
| Adding salts to the password hashes prevents the use of rainbow tables and significantly slows down brute-force attempts. |
将盐分掺到生成密码哈希,可以防止彩虹表命中,并显著拖慢蛮力尝试的效率。 |
| Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. |
强化措施既可以减缓针对被盗哈希的离线蛮力攻击,也可以在速率限制失败的情况下减缓在线蛮力攻击。 |
| However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. |
然而,它增加了服务器的CPU负载,如果不通过登录尝试限制来防止,将为DDoS攻击打开一个载体。 |
| A good strengthening can slow down off-line brute-force attacks down by a factor of 10000 or more. |
一个好的强化措施可以将线下的蛮力攻击减缓10000倍以上。 |
| Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. |
限制登录尝试是必要的,以防止在线暴力攻击和利用密码强化程序的CPU占用来进行DoS。 |
| Without a limit, an attacker can try a very large number of passwords directly against the server. |
如果没有限制,攻击者可以直接对服务器尝试非常多的密码。 |
| Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this would result in 259,200,000 passwords tried in a single month! |
假设每秒尝试100次,这对于一个正常的Web服务器来说是合理的,但如果没有明显的强化,一个攻击者使用多个线程工作,能导致一个月尝试259,200,000个密码! |
| Not enforcing any password policies will lead to too many users choosing “123456”, “qwerty” or “password” as their password, opening the system up for attack. |
如果不执行任何密码策略,将导致太多的用户选择 "123456"、"qwerty "或 "password "作为密码,使系统易受到攻击。 |
| Enforcing too strict password policies will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. |
执行过于严格的密码政策将迫使用户保存密码或写下密码,通常会使用户感到烦躁,并促使他们重复使用相同的密码于所有服务。 |
| Furthermore, users using secure passwords not matching the policies may be forced to use passwords which are harder to remember, but not necessarily secure. |
此外,使用不符合政策的安全密码的用户可能会被迫使用较难记忆却不一定安全的密码。 |
| A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. |
由5个连贯的、随机(!)选择的小写字典词组成的密码,比由字母、数字和标点符号混合组成的8个字符密码要安全得多。 |
| Take this into account if you do not get a password policy to implement, but have to design your own. |
如果你没有实施一个密码策略,但必须自己设计时,可以考虑这一点。 |
