GitHub如何知道我的密码很弱? [英] How does GitHub know I have a weak password?

问题描述

今天，当我尝试推送代码时，我已经收到此消息:

I have received this message today when I tried to push my code:

remote: Weak credentials. Please Update your password to continue using GitHub.
remote: See https://help.github.com/articles/creating-a-strong-password/.

他们怎么知道我使用弱密码，因为他们只存储密码哈希?

How do they know I used a weak password since they only store the password hash?

推荐答案

是的，您的理解是正确的. 当您输入密码登录，创建帐户或更改密码时，GitHub会根据诸如HaveIBeenPwned之类的数据集来检查您输入的密码是否被认为是弱密码.即使您以前从未使用过该密码，也可能将其标识为弱密码.

Yes, your understanding is correct. When you type a password to sign in, create an account, or change your password, GitHub will check if the password you entered is considered weak according to datasets like HaveIBeenPwned. The password may be identified as weak even if you have never used that password before.

GitHub仅在您键入密码时检查密码，而不会以明文形式存储您输入的密码.

GitHub only inspects the password at the time you type it, and never stores the password you entered in plaintext.

以下可能的实现方式:

1. 使用有效凭据的用户登录.

1. User login using valid credentials.

在对密码进行哈希处理之前检查密码是否安全: 根据 https://haveibeenpwned.com/的密码API来检查密码SHA-1哈希.

Checks if the password is secure before hashing it: Checks the password SHA-1 hash against the Passwords API of https://haveibeenpwned.com/.

如果密码不安全，则可以将二进制切换存储为用户字段.

If the password is insecure, it can store a binary toggle as a user field.

如果用户设置了该二进制切换，请在每个页面上显示一条警告，并提示他们更改密码

If the user has that binary toggle set, show a warning on EVERY page and nudge them towards changing the password

这篇关于GitHub如何知道我的密码很弱?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！