密碼強度

出自維基百科,自由嘅百科全書
Jump to navigation Jump to search

密碼強度量度一個密碼有幾難畀未有受權嘅人或電腦估到。

據啲密碼幾難估,將佢哋分做「弱」、「破得」同埋「強」。所謂「強弱」呢個字係相對嘅,只係響某特定密碼系統之內至有意義。 一串密碼嘅質素有賴成套密碼系統點限制任何人估中個密碼,無論係個用户嘅朋友定係部電腦亂撞嗮百萬計嘅可能性。響密碼學入面,呢幾個字都有咁上下準確意思。但係,就算一串「強」密碼都可能被人偷、呃、逼供出來、用鍵盤收集、傳送途中截聽、或用其它方法發現。

廢密碼[編輯]

廢密碼係話個密碼好短,好簡單,好易畀暴力破解到。例如出世日期、電話冧(包括手機)、證件冧、自己人名(唔理係邊隻國家文)、或用戶名、重有基於呢類詞彙基礎上嘅幾個組合、寵物名,都係可以通過其他渠道搵到[1]。重有係連續嘅數字或重複、帶順序嘅英文字,睇落去好似好難被破解但好易俾黑客估到嘅組合[1]

常用詞彙版[編輯]

以下呢啲常用詞彙版嘅密碼都唔好用,因為呢啲都係主流密碼,太簡單,若果黑客用工具去破解,一秒內就搞掂。

123456 12345 123456789 princess password 111111 654321
Password iloveyou abc123 12345678 1234567 88888888 87654321
rockyou qwerty abcdef admin 0000 123qwe

以上呢啲密碼大多數都俾全球最權威嘅密碼研究部門研究過兼入咗全球最危險嘅密碼排行榜[2][3][4][5][6][7]

個人信息版[編輯]

雖然其他人唔知自己啲個人信息係乜,但喺撞庫攻擊入面,最先會用個人信息嚟做密碼[8][9]。尤其係出世日期或生日最先用到[10][11][12]。雖然個人信息比較好記,但特別易破解,因為黑客可以通過其它渠道嚟獲得其他人嘅個人信息[註 1]

亦有啲人好鍾意用手機冧、郵箱、電話冧、身份證冧、QQ、msn、facebook、twitter、微博等社交網絡戶口等個人信息有明顯聯繫啲嘢做密碼,不過家下好多人都係人手一臺智能電話,一旦俾其他人知個戶口係乜就好易估到密碼出嚟。

戶口版[編輯]

攞戶口嚟做密碼相當於老虎頭上捉蝨乸[13][14]。因為黑客可以用隨機估嘅方法入面,都有戶口份。咪以為最崖广嘅地方係最安全。

睇落去好似好難估,但好易被估到嘅組合版[編輯]

遇到以下呢啲密碼要小心喇:

123qwe qazwsx qwerty qweasd 1qaz2wsx 123qwezxc qweasdzxc asdfgh 1q2w3e 147258

呢啲密碼雖然睇落去好似好難估,但好易俾黑客估到出嚟。因為佢哋隻隻都係鍵盤隔籬個掣。

字典版[編輯]

密碼分析學電腦安全入面,有字典攻擊英文Dictionary attack嘅講法。因為嗰啲單詞都係冇任何標點符號或阿拉伯數字,若果耖下當地話嘅辭典就好快搵到個詞嚟做密碼[15]

堅嘅密碼[編輯]

堅嘅密碼係話個密碼好長,好複雜,好難暴力破解到兼難估到出嚟。例如大小寫拉丁字同阿拉伯數字、標點符號及空格組合。呢啲噉嘅密碼即使係黑客同網絡攻擊啲友。都要用長達幾個禮拜到幾年,甚至幾代或好多個世紀時間先至破解到出嚟。

例如以下噉嘅密碼都屬安全密碼[註 2]

密碼 解釋
t3wahSetyeT4 雖然唔係字典入面嘅破解詞,但佢包括咗大小寫同阿拉伯數字嘅組合。
4pRte!ai@3 雖然唔係字典入面嘅破解詞,但佢包括咗大小寫同阿拉伯數字、標點符號嘅組合。
MoOoOfIn245679 密碼比較長,兼有大小寫字母同阿拉伯數字組合。
Convert_600£ to Euros! 典型一句英文句子,好長,兼有小寫同阿拉伯數字、標點符號嘅組合。
yida124579yida 一堆阿拉伯數字同隻拉丁字喺前後,一般用喺好多個戶口或校園網、公司企業內網整密碼時用。
Tpftcits3Utg! 包括咗大小寫同阿拉伯數字、標點符號嘅組合。呢種噉嘅密碼即使用運算比較快嘅電腦都好難破解到。
以上呢啲密碼(包括近似字符堆)嘅安全性已經洩漏,唔好再用佢。

種類[編輯]

堅嘅密碼可以有好多種組合。一般嚟講,組合得越多,破解難度就越大,破解時長就越長。

規則組合法[編輯]

例如設一個基礎密碼,後面加堆規則嚟疊加,組成唔同嘅強密碼。呢啲密碼多數都圍繞有大寫同小寫嘅拉丁字、阿拉伯數字同符號。例如「michael」呢個係基礎嘅廢密碼,後邊加多個「0704-US」字符,組合成「michael0704-US」,呢個規則相當於「7月4號+減號+美國」嘅縮寫。

前綴組合法[編輯]

例如設一個基礎密碼,後面加至少2個事物嘅前綴組合嚟唔同嘅強密碼。呢啲密碼多數都圍繞有單詞同數字排列同其它名嘅前綴組合。例如Princess同12345同Google嘅三個單詞組合,可以組合成Prin12345gle、Prin12345G、Prin12345Goo、Goo12345ceSS噉嘅組合。

符號法[編輯]

例如設一個基礎密碼,跟住喺鍵盤入面輸入個特殊符號。因為特殊符號可以將廢密碼一下變勁好多。例如123qaz係個廢密碼,但係寫成「<123qaz>」噉就變勁咗好多。一般嚟講,黑客工具好多時為咗提高效率而唔會裝入特殊符號,即使裝入,最多凈裝例如「!」或「@」之類。

非本人信息法[編輯]

例如設一個基礎密碼,入面包括至少一樣非本人嘅事物。例如座右銘、屋企寵物名、幼稚園名、舊情人等等……因為非本人嘅事物,黑客即使攞到個人資料啲嘢都未必破解到。

英文句子法[編輯]

用條簡單嘅英文句子做密碼都係個辦法,例如「I'm Tom.」。因為噉嘅句子,即使黑客攞去破解,都要好長時間先至破解到[16][17][18]

參照法[編輯]

用首歌嘅歌詞或其它内容名嘅頭字母兼随机大小寫夾帶符號做密碼。例如「星期一到星期七」,可以寫成「SK1douSK7」。

數理化公式法[編輯]

用條簡單嘅帶字母嘅數理化公式亦係個辦法,例如「a+1<2-3b」或「4Al+3O2=2Al2O3」。因為黑客工具好多時為咗提高效率而唔會裝入數理化符號。

亂嚟嘅密碼[編輯]

[未記出處或冇根據]穏陣嘅密碼係一長串亂嚟嘅字元, but such passwords are generally the most difficult to remember. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed). The difficulty in remembering such a password increases the chance that the user will write down the password, which makes it more vulnerable to a different attack (in this case the paper being lost or stolen and the password discovered). Whether this represents a net reduction in security depends on whether the primary threat to security is internal or external.

A password can, at first sight, be random, but if you really examine it, it is just a pattern. One of these types of passwords is 26845. Although short, it is not easily guessed. But the person who created the password is able to remember it, because it's just the four direction keys on the square number board (found at the right of most keyboards), plus a five in the middle. If you practice it, it is just one swift motion of moving 2 fingers around the board (which is very easy to use).

Forcing users to use system-created random passwords ensures the password will have no connection with that user and shouldn't be found in any dictionary. Several operating systems have included such a feature. Many also include password aging, requiring users to choose new passwords regularly, commonly after 30 or 45 days. Many users resent such measures, particularly in the absence of effective security awareness training. The imposition of strong random passwords may encourage users to write down passwords, store them in PDAs or cellphones, share them with others against memory failure, increasing the risk of disclosure.

The following measures can increase acceptance of random password use, if carefully used:

  • Create a training program. The initial advantages of random passwords need to be laid out for people. Also, update training for those found to disclose passwords.
  • Reward users of random passwords by reducing the rate of forced password changes to periods longer than 3 months. Typically 4, 6 or 12 month forced password reset periods work. Spreading out the password change process may have an advantage to human memory processes.
  • Compensate for disclosed passwords by building a vigilant account closure process for departing users and/or a process to show each user a last login notification banner.
  • Automate a password reset system as a safety net. This will also reduce Helpdesk call volume concerning password resets. This must be done with care, however, because easily guessable password reset keys bypass the advantages of a strong password system!

Passwords can be found by using so-called brute force password generators. In the simplest case, these are small programs that simply try all possible combinations. A 3 GHz processor can generate approximately 3 million passwords a second. A ten letters password such as '4pRte!ai@3', because there are about 95 keys available, is one of possibilities, which would take approximately 632860 years to be found assuming purely random possible password generation. A password containing fifteen random upper-case letters would be just as safe and might be easier for some people to remember and type.

Training[編輯]

In large password files the awareness of password strength may be roughly measured by the time it takes to crack 50% of the password hashes present. With a large password file, using a standard Pentium 4 system, Microsoft password hashing techniques and an under-trained user group making password choices, it may be safely estimated that 50% of the password hashes will crack in less than two minutes. However, with careful attention to password strength advice, password choices can outlast the patience of a password cracking effort.

User training versus a cracking time metric for large user base password files:[未記出處或冇根據]

User training actions Metric: 50% password hashes cracked
No Training Time ≤ 2 minutes
Sporadic User Training Time ≤ 4 minutes
General User Training Time ≥ 45 minutes
Focused User Training Time ≥ 24 hours
Motivated User Population Time ≥ 1 week
Random Password Group Time ≥ 2 weeks
Contest Winners Time ≥ 1 month

Note: times are based on reports from authorized password cracking efforts that used John the Ripper, without a dictionary, on Microsoft LM Hashes, run on a Pentium 4, 2 GHz system. Only results from password files containing greater than 3,000 password hashes are included.[未記出處或冇根據]

Pre-computed rainbow tables represent a determined computing investment. The greater the range of keys included and the length in password places covered, the greater the number of combinations to compute, and the greater the expense of time or money to obtain them.

Factors to consider

  • Key space
  • Investment in computer time
  • Parallel computing team coordination
  • Raw patience of a determined computing effort
  • Predictive accuracy
  • Encryption type
  • Storage space
  • Distribution or purchase costs

Rainbow Table Defenses

  • Exceeding the password length of commonly available tables.
  • Exceeding the keyspace of commonly available tables.
  • Avoiding the use or exceeding the useful length of old hashing methods.
  • Preventing the capture of password hashes.
  • Using salts.

Passwords weakened by hashing vulnerabilities[編輯]

Knowing which password hashing methods are used to protect your password can help you choose a more effective one. In this training example the effect of position in password selection is illustrated. Microsoft has updated its password hashing methods over time, but the LM hashing method often remains because of backward compatible features of newer Microsoft systems.

Training Samples to avoid.

Password Quality Notes
Crunchy Bad It is a word. 100,000 words can be tested in less than 0.03 seconds.
Crunchy! Bad The symbol "!" amounts to a second, single digit, password and will not last long.
CrunchyPretzel Bad "Pretzel" amounts to a second password, that is a word.

Why are these sample passwords at risk?

  • Each 7 places in a Microsoft LM password hash may be cracked separately.
  • These passwords show unfortunate placement problems in LM hashing protection.
Password Full Length Cracking Lengths First Half 1 2 3 4 5 6 7 Second Half 8 9 10 11 12 13 14
Crunchy 7 7 + 0 Crunchy C r u n c h y
Crunchy! 8 7 + 1 Crunchy C r u n c h y ! !
CrunchyPretzel 14 7 + 7 Crunchy C r u n c h y Pretzel P r e t z e l
  • LM hashing is only used by Microsoft for passwords of 14 places or less.
  • Longer passwords will not be subject to backward compatible hashing weakness.
  • By evading LM hashing, substantial improvements in cracking delay are added.
  • An extra password place beyond 14 can frustrate a cracking effort by millions of years by avoiding LM password hashing.
  • Such a plan can work even inside a network where shorter passwords are backward compatible to LM hashing.
  • Support and use of LM hashes can be turned off if no pre-Windows 2000 systems are in use.[19]

Guarding user passwords[編輯]

Computer users are generally advised "never write a password down anywhere, no matter what" and "never use a password for more than one account." These maxims, while sound in theory, ignore the reality that an ordinary computer user may have dozens of password-protected accounts. The multitude of accounts often ends up with users having the same password everywhere. A user's attempt to comply will often result in many forgotten passwords, even for important accounts.

If passwords are written down, they should never be kept in obvious places such as address books, Rolodex files, under drawers or keyboards or behind pictures. Perhaps the worst, but all too common, method is a note near the computer. Better locations are a safe deposit box or a locked file approved for information of comparable sensitivity to that protected by the password. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to use a single password for low security accounts and select separate, strong passwords for a smaller number of high-value applications such as online banking. Manual or offline forms of this approach are also in use. For example, a phone directory may be used to keep a map between computer accounts and password hints.

The problem of password overload is quite real. Certain IT professionals may manage from 25 to 250 privileged passwords at any one time. In such cases, some safe storage area for password hints, private key or encrypting password become unavoidable.

At a 2005 security conference, an expert from Microsoft was quoted as saying: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."[20]

Whether it is worse to use weak passwords that are memorized or strong passwords that are written down can provoke fierce debate among experts. Practical security often requires balancing conflicting imperatives such as security requirements and human factors.

The problem was addressed in an interesting way by Steve Gibson during his "Security Now" podcasts with Leo Laporte; he suggested creating not a password, but a password algorithm that could be universally applied to a company name or other unique indicator. A simple algorithm, such as using every other letter from a name, would generate the password wkpda for a Wikipedia password; although this example is a fairly low-security password, minor variables to include numbers, capitalization and symbols can generate a password which is seemingly random, difficult or impossible to remember, but easy to re-generate at any time.

Rather than writing the passwords themselves, some write lists of cryptic clues to their own passwords that have relevance through personal experience. For example, if your favorite movie was Terminator and your cat's birthday was 2007-04-10 you could describe the password "terminator0410" as "Favorite movie cat is born without years".

In case that it may happen that you need to type the password while being abroad on a different PC, then consider that the PCs abroad may have a different keyboard layout than yours, and you should avoid passwords containing chars that are not present in other keyboard layouts.

Password discovery[編輯]

Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail, threats, or other methods. Information diving is surprisingly fruitful for situations in which sensitive printed data is discarded with insufficient precaution; it is said to be part of the techniques which have produced the recent rise in identity theft. Approximate password length can be discovered even without shoulder surfing by simply counting keyboard clicks or noting finger motions. Research published by IBM in 2004 shows that each key on a keyboard has a distinctive acoustic signature, allowing keyed in data, including passwords, to be recovered by analyzing recordings from a covert listening device or "bug." See: Acoustic cryptanalysis.

Obtaining passwords by psychological manipulation of users is an example of social engineering. An attacker might telephone a user and say "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" Systems administrators and other support staff will very rarely, if ever, need to know a user's password in order to perform their jobs. System administrators with "root" or superuser privileges can change the users' passwords without their permission, so they have no need whatsoever to ask for it. In addition, they will go out of their way not to ask for a password, precisely because they do not want to encourage the habit of giving passwords to anyone. Users do not generally appreciate that any of this is so, and are thus too often vulnerable to social engineering.

Password Betrayal is a method that takes advantage of a mixed mode technique. It uses the combined effect of differing strengths of password hashing and the habit of people to re-use the same password many times. A classic example of password betrayal would be a person re-using the same password on two independent computer systems. On one computer system the strong password is strongly protected. But on the other computer system the password protection is easily defeated. The under protected password is then re-used with other accounts known to belong to the same person. This password capture method can work even if the password is a strong or complex password choice.

Single sign-on solutions can be an advantage in reducing the risk of password betrayal. However, a person may access separate systems with differing password encryption strengths, password complexity rules, single sign-on product vendors and computer security vulnerabilities.

To help, a person can keep an index of which password is in use with multiple accounts. This strategy can mitigate this risk to some extent. The password use index allows the person to change groups of accounts with identical passwords as needed. But, a password use index should only contain password hints rather than direct password examples. Care should be taken to protect a password use index from easy duplication, sharing, exposure or capture.

註同攷[編輯]

  1. 因為黑客攞到其他人嘅個人信息有好多方法:例如買銀行卡數據將指定嘅人銀行卡入面啲餘額洗劫一空、相冊入面嘅「訪問要求密碼」被破解導致私人相被猛咁轉發到周圍都係、網盤密碼被破解導致檔案唔見咗或轉到第度……
  2. 呢啲密碼(包括近似字符堆)嘅安全性已經洩漏,唔好再用佢,費事點解會喺其它地方出現俾黑客破解咗嘅情況。
  1. 1.0 1.1 Bidwell, Teri (2002). Hack Proofing Your Identity in the Information Age. Syngress Publishing. 1931836515. 
  2. "100 'most dangerous' passwords to use in 2018". (原先內容喺2018年7月13號歸檔). 喺2018年7月7號搵到. 
  3. "25 'most dangerous' passwords to use in 2017". (原先內容喺2018年2月22號歸檔). 喺2018年7月7號搵到. 
  4. "A list of the most dangerous passwords". (原先內容喺2017年6月19號歸檔). 喺2018年7月7號搵到. 
  5. "Most common and dangerous passwords". (原先內容喺2015年4月5號歸檔). 喺2018年7月7號搵到. 
  6. As easy as 123456: the 25 worst passwords revealed
  7. "10 Most Dangerous Things To Do Online - Claremont Graduate University". (原先內容喺2017年9月9號歸檔). 喺2018年7月7號搵到. 
  8. "101 Data Protection Tips: How to Keep Your Passwords, Financial & Personal Information Safe". (原先內容喺2018年6月13號歸檔). 喺2018年7月7號搵到. 
  9. "75% of people think sharing passwords is dangerous but 55% still do it". (原先內容喺2017年7月18號歸檔). 喺2018年7月7號搵到. 
  10. "Your Birthday Is a Terrible Password". (原先內容喺2017年9月28號歸檔). 喺2018年7月7號搵到. 
  11. Most common and hackable passwords on the internet The Telegraph
  12. Hack Anyone's Wi-Fi Password Using a Birthday Card, Part 2 (Executing the Attack) 互聯網檔案館歸檔,歸檔日期2018年3月1號,. WONDER HOW TO
  13. "Please do NOT make a username and password the same.". (原先內容喺2018年3月4號歸檔). 喺2018年7月7號搵到. 
  14. Password cannot be same as Username and should not include "!" special character[失咗效嘅鏈]
  15. Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff
  16. Using Common Phrases Makes Your Passphrase Password Useless: Here’s How to Pick a Better Phrase 互聯網檔案館歸檔,歸檔日期2017年12月11號,. lifehacker
  17. The best password is a sentence, says expert CNN.com
  18. How secure are passwords made of whole english sentences 互聯網檔案館歸檔,歸檔日期2018年8月20號,. INFORMATION SECURITY
  19. How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
  20. Microsoft security guru: Jot down your passwords, News.com.com Retrieved on 2007-05-07

連出去[編輯]