为什么计算机响应错误的密码比响应正确的密码需要更长的时间？

您是否曾在计算机上意外输入错误的密码，并注意到与输入正确的密码相比，需要几分钟才能做出响应？为什么？今天的超级用户问答帖子回答了一位好奇的读者的问题。...

为什么计算机响应错误的密码比响应正确的密码需要更长的时间？

您是否曾在计算机上意外输入错误的密码，并注意到与输入正确的密码相比，需要几分钟才能做出响应？为什么？今天的超级用户问答帖子回答了一位好奇的读者的问题。

今天的问答环节是由SuperUser提供的，SuperUser是Stack Exchange的一个分支，是一个由社区驱动的问答网站分组。

屏幕截图由sully213（Flickr）提供。

问题

超级用户阅读器user3536548想知道为什么输入错误密码时响应时间更长：

When you enter a password and it is correct, the resp***e time is practically instantaneous. But when you enter an incorrect password (by accident or having forgotten the correct one), it takes a while (10-30 seconds) before it responds that the password is incorrect.

Why does it take so long (relatively) to say that the password is incorrect? This has always bugged me when entering incorrect passwords on Windows and Linux systems (regular and VM-based). I am not sure about Mac OSX since I cannot remember if it is the same (it has been a while since I last used a Mac).

I am asking in the context of a user logging in to the system physically on location rather than through SSH which could conceivably use somewhat different mechani**s to log in (validate credentials).

为什么输入错误的密码会有较长的响应时间？

答案

超级用户贡献者Michael Kjorling为我们提供了答案：

Why does it take so long (relatively) to say that the password is incorrect?

It does not. Or rather, it does not take the computer any longer to determine that your password is incorrect compared to it being correct. The work involved for the computer is, ideally, exactly the same. Any password verification scheme that takes a different amount of time based on whether the password is correct or incorrect can be exploited to gain knowledge, however **all, of the password in less time than would otherwise be the case.

The delay is an artificial delay to make repeatedly trying to gain access by using different passwords infeasible, even if you have some idea of what the password is and automatic account lockout is disabled (which it should be in most scenarios as it would otherwise allow for a trivial denial of service against an arbitrary account).

The general term for this behavior is tarpitting. While the Wikipedia article talks more about network service tarpitting, the concept is generic. The Old New Thing is not an official source either, but the article “Why does it take longer to reject an invalid password than to accept a valid one?” does talk about this (near the end of the article).

有什么要补充的解释吗？在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗？在这里查看完整的讨论主题。