尝试次数蛮力平均口令/非侵入性却有意义的限制？ [英] Number of attempts to brute force an average password / non intrusive yet meaningful limits?

问题描述

有对SO有关野蛮的prevention迫使网络服务的密码，通过应用限制了一些有用的答案。我找不到什么好的号码，虽然我没有什么这方面的人才，所以问题是：

There are several useful answers on SO regarding prevention of brute forcing a password of a web service by applying throttling. I couldn't find any good numbers though and I have little expertise in this area, so the question is:

多少尝试它通常采取暴力破解的6个或更多字符的平均密码（没有额外的知识，可以帮助，但考虑到该密码可能是容易字典攻击），并此基础上，有什么是有意义的限制适用于调节算法，而不破坏用户体验？

How many attempts does it usually take to brute-force an average password of 6 or more characters (with no additional knowledge that may help, but taking into account that passwords are probably prone to dictionary attacks) and based on that, what are meaningful limits to apply to the throttling algorithm without disrupting the user experience?

这是我目前的计划：

• 登录表单使用一个随机数，因此，攻击者必须等待一个完整的请求周期来完成，以得到两者登录尝试的结果，并且检索新令牌。
• <德尔>我允许登录表单中检索每个IP 50倍小于请求之间一分钟，之后该IP将被阻止为1分钟。在此1分钟任何新的尝试将重新启动超时。
• 有一个睡眠申请了＃尝试登录页面的每个读取/ 5 ，打完5请求与请求之间不到一分钟，它会采取> 1秒读取的形式，经过10个请求> 2秒，等等。
• 另外，我只允许每个用户帐户100失败的登录尝试与努力之间的2个小时，之后该帐户被封锁2小时。
• 要避免账号，IP地址可以被列入白名单的频繁DoS'ing（没有限制适用）或列入黑名单（任何登录尝试完全忽略）。

• The login form uses a nonce, so the attacker has to wait for a complete request cycle to complete to both get the result of the login attempt and retrieve a new token.
• I allow the login form to be retrieved 50 times per IP with less than a minute between requests, after that the IP will be blocked for 1 minute. Any new attempts within this one minute will restart the timeout.
• There's a sleep applied for each fetching of the login page of # of attempts / 5, so after 5 requests with less than a minute between requests it'll take > 1 second to fetch the form, after 10 requests > 2 seconds, etc.
• Additionally, I'm only allowing 100 failed login attempts per user account with 2 hours between attempts, after that the account is blocked for 2 hours.
• To avoid frequent DoS'ing of accounts, IPs can be whitelisted (no limits applied) or blacklisted (any login attempt ignored completely).

根据答案，到目前为止，我已经调整了它的工作是这样的：

• 检索登录表单逐渐减慢对每个IP的基础。每一个新的请求睡了＃请求/ 2 秒。 10分钟没有登录活动后，计数器复位。
• 我保持登录尝试为每个IP的FIFO堆栈。如果IP未能在2小时内登陆30次，它的暂停。我还保持每个IP混悬剂的数目的列表，并将该悬浮时间被计算为 2 ^（＃混悬液+ 1）小时。这将导致快速事实上的黑名单不断得罪IP地址的。
• 此外，如果一个帐户登录失败在20次在一天之内它被暂停2小时。我不是太肯定这一措施还没有，因为这意味着帐户可以很容易地DoS'd。短大规模分布式僵尸网络，虽然，得罪IP地址应该成为事实上的黑名单比一个帐户快可永久DoS'd。这也是一个相当有效的措施保护账户。

• Retrieving the login form is progressively slowed down on a per IP basis. Each new request is slept for # of requests / 2 seconds. The counter is reset after 10 minutes of no login activity.
• I'm keeping a FIFO stack of login attempts for each IP. If an IP fails to log in 30 times within 2 hours, it's suspended. I'm also keeping a list of number of suspensions per IP, and the suspension time is calculated as 2 ^ (# of suspensions + 1) hours. This should lead to a rapid de facto blacklisting of continually offending IPs.
• Additionally, if an account failed to log in 20 times within one day it's being suspended for 2 hours. I'm not too sure about this measure yet, since this means accounts can be DoS'd quite easily. Short of a massive distributed botnet though, offending IPs should become de facto blacklisted faster than an account can be permanently DoS'd. It's also quite an effective measure to protect an account.

我觉得这些限制应该不会伤害正常的用户，甚至是那些经常忘记了自己的密码尝试登录了好几次。该IP限制也应该还好有大量NAT映射的用户，考虑到服务的平均规模。有人能证明这是有效的或低效的一些坚实的数学？ ：）

I think these limits should not harm normal users, even ones that regularly forget their password and try to log in several times. The IP limits should also work okay with heavily NAT'ed users, given the average size of the service. Can somebody prove this to be efficient or inefficient with some solid math? :)

推荐答案

从这个问题听起来好像最快的他们可能尝试的密码是50每分钟。在此基础上，用随机的6位密码：

From the question it sounds like the fastest they could possibly try passwords is 50 per minute. Based on that and using random 6 digit passwords:

• 全部小写：26的6次方= 308915776可能的密码=的最坏的情况下12年 6年平均
• 小写字母和数字：36的6次方=的82年最大 41年平均

• all lower case: 26^6 = 308,915,776 possible passwords = worst case 12 years, 6 years on average
• lower case and numbers: 36^6 = 82 years max, 41 years on average

当然，字典攻击就会快很多，但我没有号码的。

Of course, dictionary attacks would be much faster, but I don't have the numbers for that.

编辑：我试图联系谷歌计算器的结果支持这件事，但 ^ 似乎弄糟环节就到这里。

I tried to link Google calculator results backing this up, but ^ seems to mess up links on here.

EDIT2：

字典攻击（从 http://www.outpost9.com/files/WordLists.html ）：

• 在所有上市字（75,000）：约1天
• 816常用的密码列表：〜16分钟
• 在很长的单词列表：〜12天（我看着这一点，我猜它包含了大部分非技术人员的密码）

• all listed words (75,000): ~1 day
• list of 816 common passwords: ~16 minutes
• really long word list: ~12 days (I looked at this and I'm guessing it contains most non-technical people's passwords)

最后一个是吓人的，但有12天仍然很长一段时间。如果你真的很担心，你可以直到用户得到一个正确的密码，那么如果该列表获取到对像100不同的尝试，只是禁止的IP地址，并发送电子邮件到用户跟踪每一个不正确的密码。

The last one is scary, but 12 days is still a long time. If you're really worried, you could track every incorrect password until the user gets a correct password, then if the list gets to over like 100 different attempts, just ban the IP address and send an email to the user.

这篇关于尝试次数蛮力平均口令/非侵入性却有意义的限制？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！