我应该对密码施加最大长度吗? [英] Should I impose a maximum length on passwords?
问题描述
我可以理解对密码施加最小长度很有意义(以保护用户免受其害),但我的银行要求密码长度在 6 到 8 个字符之间,并且我开始怀疑...
- 这不会让蛮力攻击更容易吗?(坏)
- 这是否意味着我的密码未加密存储?(坏)
如果有人(希望)有一些优秀的 IT 安全专业人员为他们工作,他们正在强加最大密码长度,我是否应该考虑做类似的事情?这有什么优点/缺点?
密码被散列为 32、40、128,无论长度如何.最小长度的唯一原因是防止容易猜到密码.没有最大长度的目的.
强制性的
I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...
- Wouldn't this just make it easier for brute force attacks? (Bad)
- Does this imply that my password is being stored unencrypted? (Bad)
If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.
The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:
这篇关于我应该对密码施加最大长度吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!