為什麼計算機響應錯誤的密碼比響應正確的密碼需要更長的時間?
您是否曾在計算機上意外輸入錯誤的密碼,並注意到與輸入正確的密碼相比,需要幾分鐘才能做出響應?為什麼?今天的超級使用者問答帖子回答了一位好奇的讀者的問題。
今天的問答環節是由SuperUser提供的,SuperUser是Stack Exchange的一個分支,是一個由社群驅動的問答網站分組。
螢幕截圖由sully213(Flickr)提供。
問題
超級使用者閱讀器user3536548想知道為什麼輸入錯誤密碼時響應時間更長:
When you enter a password and it is correct, the resp***e time is practically instantaneous. But when you enter an incorrect password (by accident or having forgotten the correct one), it takes a while (10-30 seconds) before it responds that the password is incorrect.
Why does it take so long (relatively) to say that the password is incorrect? This has always bugged me when entering incorrect passwords on Windows and Linux systems (regular and VM-based). I am not sure about Mac OSX since I cannot remember if it is the same (it has been a while since I last used a Mac).
I am asking in the context of a user logging in to the system physically on location rather than through SSH which could conceivably use somewhat different mechani**s to log in (validate credentials).
為什麼輸入錯誤的密碼會有較長的響應時間?
答案
超級使用者貢獻者Michael Kjorling為我們提供了答案:
Why does it take so long (relatively) to say that the password is incorrect?
It does not. Or rather, it does not take the computer any longer to determine that your password is incorrect compared to it being correct. The work involved for the computer is, ideally, exactly the same. Any password verification scheme that takes a different amount of time based on whether the password is correct or incorrect can be exploited to gain knowledge, however **all, of the password in less time than would otherwise be the case.
The delay is an artificial delay to make repeatedly trying to gain access by using different passwords infeasible, even if you have some idea of what the password is and automatic account lockout is disabled (which it should be in most scenarios as it would otherwise allow for a trivial denial of service against an arbitrary account).
The general term for this behavior is tarpitting. While the Wikipedia article talks more about network service tarpitting, the concept is generic. The Old New Thing is not an official source either, but the article “Why does it take longer to reject an invalid password than to accept a valid one?” does talk about this (near the end of the article).
有什麼要補充的解釋嗎?在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎?在這裡檢視完整的討論主題。
- 發表於 2021-04-10 19:30
- 閱讀 ( 31 )
- 分類:網際網路
你可能感興趣的文章
破解密碼最常用的8個技巧
... 首先在常見的密碼駭客戰術指南是字典攻擊。為什麼叫字典攻擊?因為它會根據密碼自動嘗試定義的“字典”中的每個單詞。嚴格說來,這本字典不是你在學校用的那本。 ...
有史以來最可笑的12個錯誤
...別擔心!我們只是想嚇唬你——讓你知道一切都很成功。為什麼一開始就有一個關於成功的資訊框呢? ...
為什麼密碼安全問題回答錯了
...問題的辦法。如果攻擊者正在尋找與您直接相關的答案,為什麼不使用完全不同的答案呢? ...
忘了你的iphone或ipad密碼?下面是如何重置密碼!
... 錯誤訊息是什麼意思? ...
5個避免工作中安全漏洞的資料處理技巧
... 每個人都聽說你不應該分享你的密碼。但很容易理解為什麼它仍然發生。也許你生病在家,同事需要你電腦上的資訊。或者你的老闆想在你休假時檢視你的電子郵件。更不用說把密碼寫在便箋上並貼在螢幕上是多麼常見。 ...
5個密碼工具,用於建立強密碼短語和更新安全性
... 最好的密碼管理器是什麼? ...
強隨機密碼的5個最佳線上密碼生成器
...較容易,因為密碼比較少。長密碼本身就很強大。這就是為什麼有些服務使用密碼短語而不是密碼。所有額外的字元增加了額外的困難。 ...
如何使用veracrypt加密和保護您的資料和檔案
... 什麼是真隱窩(veracrypt)? ...
如何在windows 10中更改wi-fi密碼
... 當你在這裡的時候,為什麼不選擇一個新的有趣的Wi-Fi名字(稱為SSID)讓你的鄰居笑一笑呢?你必須使用新的網路名稱重新連線你的所有裝置,但是如果你一直使用通用的預設名稱,那會很有...
android上wi-fi認證錯誤的8個修復
...。較新的作業系統版本經常會修補舊版本的錯誤,這就是為什麼讓你的Android**保持最新是很重要的。 ...
