Why should checking a wrong password take longer than checking the right one?


Question

This question has always troubled me.

On Linux, when asked for a password, if your input is the correct one, it checks right away, with almost no delay. But, on the other hand, if you type the wrong password, it takes longer to check. Why is that?

I observed this in all Linux distributions I've ever tried.

Recommended answer

It's actually to prevent brute-force attacks from trying millions of passwords per second. The idea is to limit how fast passwords can be checked, and there are a number of rules that should be followed.

  • A successful user/password pair should succeed immediately.
  • There should be no discernible difference in reasons for failure that can be detected.

That last one is particularly important. It means no helpful messages like:

Your user name is correct but your password is wrong, please try again

Sorry, password wasn't long enough

Not even a time difference in response between the "invalid user and password" and "valid user but invalid password" failure reasons.

Every failure should deliver exactly the same information, textual and otherwise.

Some systems take it even further, increasing the delay with each failure, or only allowing three failures then having a massive delay before allowing a retry.
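The rules in the answer, as an added example that is not part of the original post or of any Linux login implementation: a checker that succeeds at once, does the same hashing work for unknown and known users (via a dummy record), compares in constant time, and applies one escalating delay to every failure regardless of its reason. The user store, the PBKDF2 parameters and the injectable `sleep` hook are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for the example; a real deployment would tune these.
ITERATIONS = 50_000
MAX_DELAY = 30.0


def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash so each check costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """Build a (salt, hash) record for a constructed sample user store."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


class PasswordChecker:
    """Success returns immediately; every failure looks identical and
    the delay grows with consecutive failures for that account."""

    def __init__(self, users: dict, base_delay: float = 1.0, sleep=time.sleep):
        self._users = users            # username -> (salt, hash)
        self._base_delay = base_delay
        self._sleep = sleep            # injectable so tests need not wait
        self._failures = {}            # username -> consecutive failure count
        # Dummy record: unknown users get the same hashing work as known ones,
        # so "no such user" cannot be told apart from "wrong password" by timing.
        self._dummy = make_record("placeholder-not-a-real-password")

    def check(self, username: str, password: str) -> bool:
        salt, expected = self._users.get(username, self._dummy)
        candidate = _derive(password, salt)
        known = username in self._users
        match = hmac.compare_digest(candidate, expected)  # constant-time compare
        if known and match:
            self._failures.pop(username, None)   # success: reset and return at once
            return True
        # Same path for every failure reason: one generic result, one delay.
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        self._sleep(min(self._base_delay * 2 ** (n - 1), MAX_DELAY))
        return False
```

The caller only ever sees `True` or `False`; which rule failed is never exposed in the return value or in the delay schedule.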

