Users re-use passwords across multiple services. If an attacker compromises one server and obtains its list of passwords, they can try those same passwords against other services. Therefore only password hashes should be stored, never the passwords themselves.
Secure password-hashing algorithms are easy to use in most languages; they ensure the original password cannot be recovered from the hash and that wrong passwords are not falsely accepted. Adding a random per-user salt to each hash defeats rainbow tables (precomputed hash-to-password lookups) and forces an attacker to crack every stolen hash separately instead of testing each guess against all of them at once. The salt by itself does not make a single hash more expensive to attack; that is the job of strengthening.
Strengthening (iterating the hash many thousands of times, as PBKDF2 does, or using a deliberately slow, memory-hard function such as scrypt or Argon2) slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. However, it increases CPU load on the server and opens a vector for DoS attacks unless login attempts are limited. Good strengthening can slow down off-line brute-force attacks by a factor of 10,000 or more.
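The three measures above (store only a hash, salt it per user, strengthen it) in one runnable Python example. This is an added illustration, not code from the original page; it assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations as the strengthening factor, and a self-describing storage record `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>`. The constructed `UNSALTED_TABLE` stands in for a rainbow table and shows why an unsalted hash falls to a single lookup.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not taken from the page):
# PBKDF2-HMAC-SHA256, a fresh 16-byte random salt per password, and a
# large iteration count as the strengthening factor. A memory-hard
# function such as Argon2id or scrypt is preferable where available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return the record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    Only this record is stored; the password itself never is. Salt and
    iteration count travel with the hash so the count can be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # new random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False                        # malformed record: reject, never accept
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# --- Why the salt matters: a constructed "rainbow table" of unsalted hashes ---
COMMON_PASSWORDS = ["123456", "password", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha256(password: str) -> str:
    """What a naive system without salt or strengthening would store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def table_lookup(stored_hex: str) -> Optional[str]:
    """With an unsalted hash the attacker recovers the password in one lookup."""
    return UNSALTED_TABLE.get(stored_hex)


def records_differ(password: str, iterations: int = 1_000) -> bool:
    """Hashing the same password twice yields two different records, so no table
    built in advance can match a salted record, and every stolen hash must be
    attacked separately at a cost of `iterations` PBKDF2 rounds per guess."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
    print(table_lookup(unsalted_sha256("password")))                # password
    print(records_differ("password"))                               # True
```

Raising `PBKDF2_ITERATIONS` is the strengthening knob: each guess costs the attacker the same number of rounds it costs the server, so the iteration count is chosen as high as the login path's CPU budget allows, which is exactly why the rate limiting discussed next is not optional.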
Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU cost of the password-strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server with no significant strengthening and an attacker working with multiple threads, that is 100 × 60 × 60 × 24 × 30 = 259,200,000 passwords tried in a single month.
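An added example of the login-attempt limit described above (my code, not the page's): a sliding-window failure counter keyed both by account and by client address, consulted before the expensive hash is computed. The limits (5 failures per 5 minutes), the account name `alice` and the address `203.0.113.7` are assumed for illustration; time is tracked in integer milliseconds so the attack simulation is exact.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Tuple

SECONDS_PER_MONTH = 30 * 24 * 60 * 60


def guesses_per_month(attempts_per_second: float) -> int:
    """Unthrottled guesses an attacker gets in 30 days at the given rate."""
    return int(attempts_per_second * SECONDS_PER_MONTH)


class LoginRateLimiter:
    """Sliding-window failure counter keyed by account and by client address
    (design assumed for this example; the page does not prescribe one).

    A key that has accumulated `max_failures` failed attempts within the last
    `window_ms` milliseconds is locked until its oldest failure ages out."""

    def __init__(self, max_failures: int = 5, window_ms: int = 300_000):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self._failures: "defaultdict[str, Deque[int]]" = defaultdict(deque)

    def _recent(self, key: str, now_ms: int) -> Deque[int]:
        q = self._failures[key]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()                     # forget failures older than the window
        return q

    def allowed(self, key: str, now_ms: int) -> bool:
        return len(self._recent(key, now_ms)) < self.max_failures

    def record_failure(self, key: str, now_ms: int) -> None:
        self._recent(key, now_ms).append(now_ms)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, username: str, client_ip: str,
                  password_ok: Callable[[str], bool], password: str, now_ms: int) -> str:
    """Return 'locked', 'ok' or 'bad'.

    The limiter is checked *before* the password hash is computed, so a
    locked-out client never triggers the expensive strengthening step and
    cannot turn it into a CPU-exhaustion attack."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if not all(limiter.allowed(k, now_ms) for k in keys):
        return "locked"
    if password_ok(password):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now_ms)
    return "bad"


def simulate_online_bruteforce(duration_ms: int, interval_ms: int = 10,
                               max_failures: int = 5, window_ms: int = 300_000) -> Tuple[int, int]:
    """Attacker fires a wrong guess every `interval_ms` (10 ms = 100/s) at one account.
    Returns (guesses sent, guesses that actually reached the password check)."""
    limiter = LoginRateLimiter(max_failures, window_ms)
    sent = reached = 0
    for now_ms in range(0, duration_ms, interval_ms):
        sent += 1
        result = attempt_login(limiter, "alice", "203.0.113.7",
                               lambda _pw: False, "guess", now_ms)   # every guess is wrong
        if result == "bad":
            reached += 1
    return sent, reached


if __name__ == "__main__":
    print(guesses_per_month(100))               # 259200000
    print(simulate_online_bruteforce(600_000))  # (60000, 10): 10 minutes, 5 guesses per window
```

With these settings an attacker at 100 guesses per second gets 5 guesses per 5-minute window against one account, about 43,200 per month instead of 259,200,000. The per-account lock is itself a lever an attacker can pull to lock out a legitimate user, which is why the limiter also keys on client address and why strengthening is kept as the second line of defence rather than relying on the limiter alone.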
Not enforcing any password policy leads to too many users choosing "123456", "qwerty" or "password", opening the system up to attack. Enforcing too strict a policy forces users to save passwords or write them down, generally annoys them and encourages re-using the same password for all services. Furthermore, users whose secure passwords do not fit the policy's composition rules may be forced to pick passwords that are harder to remember but not necessarily more secure. A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed-case letters, numbers and punctuation: five words drawn uniformly from a 7,776-word list give about 65 bits of entropy, eight characters drawn uniformly from the 95 printable ASCII characters give about 53 bits, and user-chosen eight-character passwords are far weaker than that. Take this into account if you are not handed a password policy to implement but have to design your own.
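An added example (not from the page) that puts numbers on the passphrase-versus-composition-rules argument and sketches a policy in the spirit described: a blocklist and a length floor, but no forced digits or punctuation. The 7,776-word Diceware list size, the 95-character printable ASCII alphabet and the small `BLOCKLIST` are assumptions; a real deployment would use a breached-password list instead of the constructed one.

```python
import math
import secrets
from typing import Sequence, Tuple

PRINTABLE_ASCII = 95        # upper + lower + digits + punctuation + space
DICEWARE_LIST_SIZE = 7776   # 6**5 words in a standard Diceware list (assumed list size)

# Constructed stand-in for a real breached-password blocklist.
BLOCKLIST = {"123456", "password", "qwerty", "12345678", "letmein", "111111"}


def random_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space off-line at a given (strengthened) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def evaluate_policy(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Blocklist plus length floor, deliberately without composition rules.

    Forced digit/punctuation/mixed-case rules push users toward hard-to-remember
    yet weak passwords; a blocklist and a length floor reject "123456" while
    accepting a long lowercase passphrase."""
    normalized = password.strip().lower()
    if normalized in BLOCKLIST:
        return False, "password is on the common-password blocklist"
    words = normalized.split()
    if words and set(words) <= BLOCKLIST:
        return False, "passphrase is built only from blocklisted words"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(set(normalized)) < 4:
        return False, "too few distinct characters"
    return True, "ok"


def generate_passphrase(wordlist: Sequence[str], n_words: int = 5) -> str:
    """Words chosen by a CSPRNG, not by the user: the random (!) of the text."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    words5 = random_entropy_bits(DICEWARE_LIST_SIZE, 5)   # ~64.6 bits
    chars8 = random_entropy_bits(PRINTABLE_ASCII, 8)      # ~52.6 bits
    print(f"5 random words: {words5:.1f} bits, 8 random chars: {chars8:.1f} bits")
    for bits in (words5, chars8):
        print(f"{bits:.1f} bits at 10k guesses/s: {years_to_exhaust(bits, 1e4):.0f} years")
    for pw in ("123456", "Password1!", "correct horse battery staple"):
        print(pw, evaluate_policy(pw))
    print(generate_passphrase(["alpha", "bravo", "charlie", "delta", "echo"]))
```

The entropy figures assume the words and characters are chosen uniformly at random; the moment a user picks them, the eight-character password collapses toward the blocklist and the comparison gets even more lopsided.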