如何计算密码复杂度 [英] How to calculate password complexity

问题描述

某些应用程序(或网站)会在您键入密码时计算出密码的复杂程度.

Some applications (or websites) compute a password's complexity as you type.

它们通常显示一个红色的条形，该条形先变为橙色，然后变为绿色，然后随着您的密码变长而变绿，并且包含更多类的字符(例如，小写，大写，标点符号，数字).

They typically display a red bar which turns orange, then green, then even greener as your password gets longer, and contains more classes of characters (e.g., lowercase, uppercase, punctuation, digits).

如何可靠地计算密码的复杂度?

我想出了以下算法，但令我感到担忧的是，由于它只有7个字符，因此将Password1!评级为非常强"，将]@feé:m评级为弱".

I've come up with the following algorithm, but I'm concerned by the fact that it rates Password1! as "very strong" and ]@feé:m as "weak" because it's only 7 characters long.

private int GetPasswordComplexity(string password)
{
    if (password.Length <= 4)
        return 1;

    int complexity = 0;

    int digit = 0;
    int letter = 0;
    int cap = 0;
    int other = 0;

    for (int i = 0; i < password.Length; i++)
    {
            if (char.IsDigit(password[i]) && i!=password.Length-1)
            digit = 1;
        else if (char.IsLower(password[i]))
            letter = 1;
        else if (char.IsUpper(password[i]) && i!=0)
            cap = 1;
        else
            other = 1;
    }

    complexity = digit + letter + cap + other;

    if (password.Length <= 7)
        complexity = Math.Min(3, complexity);

    return complexity;
}

推荐答案

如果有足够的时间检查所有可能的规则，那么使用cracklib之类的东西非常有用.如果您只想快速进行操作(例如使用基于JavaScript的强度计)，则可以考虑估计蛮力攻击所需的潜在猜测次数.对于看到的每种字符类型，根据该类型潜在字符的数量更新乘数.因此，如果只有数字，则乘数将为10.如果只有小写字母，则乘数将为26.如果同时有小写，则乘数将为36-即对于密码中的每个字符，将进行蛮力攻击最多需要尝试36个不同的字符.包含大小写字符，数字和标点符号的密码的乘数为10 + 26 + 26 + 32 = 94(或多或少取决于允许的标点符号).

Using something like cracklib is very good if you can afford the time of checking against all of the potential rules. If you just want something quick -- say for a javascript-based strength meter -- then consider estimating the number of potential guesses that would be required for a brute force attack. For every character type seen update a multiplier based on the number of potential characters of that type. So if you have only digits, then the multiplier would be 10. If you have only lowercase, then the multiplier is 26. If both, then the multiplier is 36 -- that is for each character in the password, a brute force attack would need to try up to 36 different characters. A password containing both upper and lowercase characters, digits, and punctuation, then would have a multiplier of 10 + 26 + 26 + 32 = 94 (more or less depending on the allowable punctuation).

要估算暴力破解方法可能需要的最大排列数，请将乘数提高到等于密码中位数的幂.这样，您便可以利用蛮力攻击最大程度地猜测密码.假设每个猜测都花费一个cpu周期，并且在给定最快数量的排列的情况下，给定最快的处理器，计算出破解密码所需的时间.例如，如果我的乘数为10，密码长度为10个字符，那么我将有10,000,000,000个潜在的组合.在3GHz处理器上，这应该花费10/3 * k或3k秒(其中k是每次猜测的周期数，通常很小).显然，这是一个弱密码.

To estimate the maximum number of permutations a brute force method would take, raise the multiplier to the power equal to the number of digits in the password. This gives you then maximum number of guesses it would take to break the password using a brute force attack. Assume that each guess takes one cpu cycle and given the fastest processor calculate how long it would take to break a password given a certain number of permutations. For example, if my multiplier was 10 and the password was 10 characters long, then I would have 10,000,000,000 potential combinations. On 3GHz processor, this ought to take 10/3 * k or 3k seconds (where k is the number of cycles per guess, typically small). Clearly, this is a weak password.

现在，建立一些代表合理密码强度的范围.例如，如果您认为中等强度最低要求使用带有大小写字符的8个字符的密码，那么在3GHz处理器上，截止时间将为52 ^ 8或大约1.5年(假设k = 1).如果加上数字，则在3GHz处理器上的截止日期变为62 ^ 8或大约8年.

Now, establish some ranges that represent reasonable password strengths. For example, if you think that an 8 character password with upper and lowercase characters is minimally required for medium strength, then your cutoff would be 52^8 or approximately 1.5 years on a 3GHz processor (assuming k = 1). If you add in digits, then the cutoff becomes 62^8 or approximately 8 years on 3GHz processor.

要使用它，则只需跟踪看到的字符种类，构造适当的乘法器，根据密码长度计算预期的排列，然后将其与预定义的临界值进行比较即可确定密码的强度有.

To put it in use, then you only need keep track of which kinds of characters you see, construct the appropriate multiplier, calculate the expected permutations based on password length, and compare it against your predefined cutoffs to determine what strength the password has.

这篇关于如何计算密码复杂度的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！