是否使用GUID安全性(虽然晦涩难懂)? [英] Is using a GUID security though obscurity?

问题描述

如果您将GUID用作面向公众的应用程序的密码，以作为访问服务的一种手段，那么这种安全性是不是很默默无闻?

If you use a GUID as a password for a publicly facing application as a means to gain access to a service, is this security through obscurity?

我认为显而易见的答案是肯定的，但是由于我猜测GUID的几率非常低，因此安全级别对我来说似乎很高?

I think the obvious answer is yes, but the level of security seems very high to me since the chances of guessing a GUID is very very low correct?

更新

GUID将存储在设备中，插入后将通过SSL连接通过GUID发送.

The GUID will be stored in a device, when plugged in, will send over the GUID via SSL connection.

也许我可以生成一个GUID，然后在GUID上执行AES 128位加密并将该值存储在设备上?

Maybe I could generate a GUID, then do a AES 128 bit encrption on the GUID and store that value on the device?

推荐答案

在我看来，答案是否定的.

In my opinion, the answer is no.

如果将密码设置为新创建的GUID，则它是一个相当安全的密码:超过8个字符，包含数字，字母和特殊字符等.

If you set a password to be a newly created GUID, then it is a rather safe password: more than 8 charcters, contains numbers, letters ans special characters, etc.

当然，在GUID中，'{'，'}'和'-'的位置是已知的，并且所有字母均为大写.因此，只要没人知道您使用的是GUID，密码就很难破解.一旦攻击者知道他正在寻找GUID，就可以减少暴力攻击所需的精力.从这个角度来看，这是默默无闻的安全性.

Of course, in a GUID the position of '{', '}' and '-' are known, as well as the fact that all letters are in uppercase. So as long as nobody knows that you use a GUID, the password is harder to crack. Once the attacker knows that he is seeking a GUID, the effort needed for a brute force attack reduces. From that point of view, it is security by obscurity.

仍然，请考虑以下GUID:{91626979-FB5C-439A-BBA3-7715ED647504}如果假设攻击者知道特殊字符的位置，则他的问题将归结为找到字符串91626979FB5C439ABBA37715ED647504.蛮力强行输入32个字符的密码?如果有人发明了能工作的量子计算机，它只会在你的一生中发生.

Still, consider this GUID: {91626979-FB5C-439A-BBA3-7715ED647504} If you assume the attacker knows the position of the special characters, his problem is reduced to finding the string 91626979FB5C439ABBA37715ED647504. Brute forcing a 32 characters password? It will only happen in your lifetime, if someone invents a working quantum computer.

这是通过使用非常长的密码而不是默默无闻的来实现的.

This is security by using a very, very long password, not by obscurity.

阅读Denis Hennessy的答案后，我必须修改答案.如果GUID确实以可解密的形式包含此信息(特别是mac地址)，则攻击者可以大大减少密钥空间.在那种情况下，这肯定是默默无闻的安全性，请阅读:不安全的.

After reading the answer of Denis Hennessy, I have to revise answer. If the GUID really contains this info (specifically the mac address) in a decryptable form, an attacker can reduce the keyspace considerably. In that case it would definitely be security by obscurity, read: rather insecure.

当然MusiGenesis是正确的:有很多工具可以生成(伪)随机密码.我的建议是坚持使用其中一种.

And of course MusiGenesis is right: there are lots of tools that generate (pseudo) random passwords. My recommendation is to stick with one of those.

这篇关于是否使用GUID安全性(虽然晦涩难懂)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！