我应该在密码上加上最大长度吗? [英] Should I impose a maximum length on passwords?
问题描述
我可以理解,对密码施加最小长度很有意义(为了自己保存用户),但是我的银行要求密码长度在6到8个字符之间,而我开始怀疑...
- 这不会使暴力攻击更容易吗? (坏)
- 这是否意味着我的密码是未加密的? (坏)
如果有人(希望)有一些良好的IT安全专业人士为他们工作,则会施加最大密码长度,我应该认为做同样的事情这是什么利弊?
密码是散列到32,40,128,无论长度。最小长度的唯一原因是防止容易猜到密码。最大长度没有目的。
强制性
I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...
- Wouldn't this just make it easier for brute force attacks? (Bad)
- Does this imply that my password is being stored unencrypted? (Bad)
If someone with (hopefully) some good IT security professionals working for them are imposing a max password length, should I think about doing similar? What are the pros/cons of this?
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length.
The obligatory XKCD explaining why you're doing your user a disservice if you impose a max length:
这篇关于我应该在密码上加上最大长度吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!