Why should checking a wrong password take longer than checking the right one?


Question

This question has always troubled me.

On Linux, when asked for a password, if your input is the correct one, it checks right away, with almost no delay. But, on the other hand, if you type the wrong password, it takes longer to check. Why is that?

I observed this in all Linux distributions I've ever tried.

Answer

It's actually to prevent brute force attacks from trying millions of passwords per second. The idea is to limit how fast passwords can be checked, and there are a number of rules that should be followed.

  • A successful user/password pair should succeed immediately.
  • There should be no discernible difference in reasons for failure that can be detected.

That last one is particularly important. It means no helpful messages like:

Your user name is correct but your password is wrong, please try again

or:

Sorry, password wasn't long enough

Not even a time difference in response between the "invalid user and password" and "valid user but invalid password" failure reasons.

Every failure should deliver exactly the same information, textual and otherwise.

Some systems take it even further, increasing the delay with each failure, or only allowing three failures then having a massive delay before allowing a retry.
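The rules in the answer above can be seen in a small login routine. The following Python is an added example written for this page, not code from the answer's author or from any Linux login program (on Linux the failure delay itself is applied by PAM, which is outside this snippet). The user store, the password "correct horse", the policy constants and the message strings are all constructed for the demonstration. The example hashes a dummy record for unknown user names so that "no such user" and "wrong password" do the same amount of work, compares hashes in constant time, returns one identical failure message, and escalates the failure delay: linear for the first three consecutive failures, then a long lockout-style wait.

```python
import hashlib
import hmac
import os
import time

# Constructed demo credential store: username -> (salt, PBKDF2 hash).
# These are made-up test values, not real accounts.
PBKDF2_ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the cost is the same for every input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str):
    """Create a (salt, hash) record for a newly set password."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


USERS = {"alice": make_record("correct horse")}

# A dummy record that is hashed whenever the user name is unknown, so that
# "no such user" costs exactly the same work as "wrong password".
_DUMMY_RECORD = make_record("not-a-real-password")

# Policy knobs: assumed values for this example, not taken from any real config.
BASE_FAILURE_DELAY = 2.0   # seconds slept after every failed attempt
MAX_FREE_FAILURES = 3      # after this many consecutive failures...
LOCKOUT_DELAY = 60.0       # ...every further attempt waits this long

FAILURE_MESSAGE = "Login incorrect"  # the one message for every failure reason


class Authenticator:
    def __init__(self, users, sleep=time.sleep):
        self.users = users
        self.sleep = sleep        # injectable so a test can record delays instead of waiting
        self.failures = {}        # username -> consecutive failure count

    def delay_for(self, failure_count: int) -> float:
        """Escalating delay: linear growth, then a hard lockout-style wait."""
        if failure_count > MAX_FREE_FAILURES:
            return LOCKOUT_DELAY
        return BASE_FAILURE_DELAY * failure_count

    def login(self, username: str, password: str):
        known = username in self.users
        salt, stored = self.users[username] if known else _DUMMY_RECORD
        # Always derive and always compare in constant time, even for unknown
        # users, so neither the work done nor the branch taken reveals whether
        # the user name exists. Success is the only fast path.
        match = hmac.compare_digest(derive(password, salt), stored)
        if match and known:
            self.failures.pop(username, None)   # success resets the counter
            return True, "Login successful"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self.sleep(self.delay_for(count))       # every failure pays the delay
        return False, FAILURE_MESSAGE


if __name__ == "__main__":
    auth = Authenticator(USERS, sleep=lambda s: print(f"  (sleeping {s:.0f}s)"))
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("mallory", "wrong")]:
        print(user, auth.login(user, pw))
```

Note that keying the failure counter by user name, as done here for simplicity, lets anyone who knows a user name push that account into the long delay; production systems usually combine the counter with the source address or apply the delay per connection so that the lockout cannot be used against other users.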
