您是否曾在计算机上意外输入错误的密码,并注意到与输入正确的密码相比,需要几分钟才能做出响应?为什么?今天的超级用户问答帖子回答了一位好奇的读者的问题。
今天的问答环节是由SuperUser提供的,SuperUser是Stack Exchange的一个分支,是一个由社区驱动的问答网站分组。
屏幕截图由sully213(Flickr)提供。
超级用户阅读器user3536548想知道为什么输入错误密码时响应时间更长:
When you enter a password and it is correct, the resp***e time is practically instantaneous. But when you enter an incorrect password (by accident or having forgotten the correct one), it takes a while (10-30 seconds) before it responds that the password is incorrect.
Why does it take so long (relatively) to say that the password is incorrect? This has always bugged me when entering incorrect passwords on Windows and Linux systems (regular and VM-based). I am not sure about Mac OSX since I cannot remember if it is the same (it has been a while since I last used a Mac).
I am asking in the context of a user logging in to the system physically on location rather than through SSH which could conceivably use somewhat different mechani**s to log in (validate credentials).
为什么输入错误的密码会有较长的响应时间?
超级用户贡献者Michael Kjorling为我们提供了答案:
Why does it take so long (relatively) to say that the password is incorrect?
It does not. Or rather, it does not take the computer any longer to determine that your password is incorrect compared to it being correct. The work involved for the computer is, ideally, exactly the same. Any password verification scheme that takes a different amount of time based on whether the password is correct or incorrect can be exploited to gain knowledge, however **all, of the password in less time than would otherwise be the case.
The delay is an artificial delay to make repeatedly trying to gain access by using different passwords infeasible, even if you have some idea of what the password is and automatic account lockout is disabled (which it should be in most scenarios as it would otherwise allow for a trivial denial of service against an arbitrary account).
The general term for this behavior is tarpitting. While the Wikipedia article talks more about network service tarpitting, the concept is generic. The Old New Thing is not an official source either, but the article “Why does it take longer to reject an invalid password than to accept a valid one?” does talk about this (near the end of the article).
有什么要补充的解释吗?在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗?在这里查看完整的讨论主题。
... 将设备连接到以前同步的计算机。 打开iTunes。如果iTunes允许您进入而不提示输入密码,您可以继续。但是,如果提示您输入密码,请尝试将您的设备连接到您可能已同步的另一台计...
...钮。但这样也可以方便地访问您的卷,并向可能访问您的计算机的其他人显示它们的位置。 ...
...误修复。该更新于2021年2月3日上线,应该可以通过Windows10计算机上的WindowsUpdate获得。 ...
使用fail2ban,您的Linux计算机会自动阻止连接失败过多的IP地址。这是自我调节的安全!我们会教你怎么使用它。 安全 温莎公爵夫人沃利斯·辛普森(Wallis Simpson)曾说过一句名言:“你永远不能太富有或太瘦。”我们为我们这...
...常见网络实用程序,但是还有许多其他端口扫描工具。 为什么人们要进行端口扫描? 端口扫描有助于确定系统的漏洞。端口扫描会告诉攻击者系统上哪些端口是打开的,这有助于他们制定攻击计划。例如,如果检测到安全Shell...
... WPA2-PSK可能还有其他我们尚未发现的安全漏洞。那么,为什么我们一直说WPA2是保护您的网络的最佳方式呢?好吧,因为它仍然是。启用WPA2,禁用旧的WEP和WPA1安全性,并设置一个合理的长而强的WPA2密码,是真正保护自己的最好...
...。还有一种优先级较低的模式,它更频繁地中断解析器以响应输入事件。甚至在Mozillazine也有记录。 我们能做的就是调整Firefox从低优先级模式切换回高优先级模式之前的时间。 类型关于:配置到Firefox地址栏,然后按以下内容筛...
下次你被迫输入密码时,特别是当网站要求你使用大写字母和小写字母、数字或符号的疯狂组合时,不要假设这些试图混淆的尝试会自动地意味着密码是不可思议的和安全的。Webroot的高级安全分析师randyabrams进行了一些简单的测...