Users re-use passwords for multiple services. If an attacker gains access to one server and obtains its list of passwords, they may be able to use those passwords to attack other services. Therefore, only password hashes may be stored. Secure hashing algorithms are easy to use in most languages; they ensure that the original password cannot be easily recovered and that wrong passwords are not falsely accepted.

Adding a salt to each password hash prevents the use of rainbow tables and significantly slows down brute-force attempts, because each hash must then be attacked individually. Strengthening (key stretching, i.e. making each hash computation deliberately expensive) slows both off-line brute-force attacks against stolen hashes and on-line brute-force attacks in case the rate limiting fails. However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. Good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more.

Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second (reasonable for a normal web server with no significant strengthening and an attacker working with multiple threads), this results in 259,200,000 passwords tried in a single month!

Not enforcing any password policy will lead to too many users choosing "123456", "qwerty" or "password" as their password, opening the system up to attack. Enforcing too strict a password policy will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. Furthermore, users who already use secure passwords that do not match the policy may be forced to use passwords which are harder to remember, but not necessarily more secure. A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed-case letters, numbers and punctuation. Take this into account if you are not given a password policy to implement, but have to design your own.
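The following added example (not part of the original text) ties the three points together: salted, strengthened hashing with PBKDF2, constant-time verification, and a per-account login attempt limiter that is checked before the expensive hash so that failed attempts cannot be used to burn server CPU. The iteration count, attempt limit and window are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example; tune to your own CPU budget.
ITERATIONS = 200_000      # work factor: cost of every single guess, on-line or off-line
SALT_BYTES = 16
MAX_ATTEMPTS = 5          # failed logins tolerated per account per window
WINDOW_SECONDS = 300

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

class LoginLimiter:
    """In-memory per-account failed-attempt limiter (assumed design, sliding window)."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window, clock
        self.failures = {}                      # username -> timestamps of recent failures

    def allowed(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent        # drop failures outside the window
        return len(recent) < self.max_attempts

    def record_failure(self, username):
        self.failures.setdefault(username, []).append(self.clock())

def attempt_login(store, limiter, username, password):
    """Return 'locked', 'ok' or 'bad'. The limit is checked BEFORE the costly hash."""
    if not limiter.allowed(username):
        return "locked"
    if username in store and verify_password(password, store[username]):
        return "ok"
    limiter.record_failure(username)
    return "bad"
```

With a real database, persist the failure timestamps per account rather than in process memory so the limit survives restarts and applies across all servers.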