Šodienas jautājumu un atbilžu sesija mums priecājas par SuperUser - Stack Exchange dalību, Q & A tīmekļa vietņu kopienas diskusiju grupu.
Jautājums
SuperUser lasītājs Michael McGowan ir ziņkārīgs, cik lielā mērā sasniedz vienu paroles pārrāvuma ietekmi; viņš raksta:
Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like
mySecure12#PasswordA
uz vietas A un
mySecure12#PasswordB
vietā B (jēdziet izmantot citu "līdzības" definīciju, ja tas ir jēga).
Pieņemsim, ka vietnes A parole kaut kā tiek apdraudēta … varbūt vietnes A ļaunprātīgs darbinieks vai drošības noplūde. Vai tas nozīmē, ka arī vietnes B parole ir tikusi apdraudēta, vai šajā kontekstā nav tādas lietas kā "paroli līdzība"? Vai ir kāda atšķirība, vai kompromiss vietnē A bija vienkārša teksta noplūde vai izmainīta versija?
Vai Michael jāuztraucas, ja viņa hipotētiskā situācija nāks?
Atbilde
SuperUser atbalstītāji palīdzēja noskaidrot jautājumu par Michael. Superuser palīdzētājs Queso raksta:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Cits superuseris autors Michael Trausch paskaidro, kā lielākajā daļā gadījumu hipotētiskā situācija nav daudz iemeslu bažām:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Ja jūs uztraucaties, ka pašreizējais paroļu saraksts nav daudzveidīgs un nejaušs, mēs ļoti iesakām izlasīt mūsu visaptverošo paroles drošības rokasgrāmatu: Kā atgūt jūsu e-pasta paroli. Pārstrādājot savus paroles sarakstus tā, it kā visu paroļu, e-pasta paroli, māte būtu apdraudēta, ir viegli ātri panākt, lai jūsu paroli būtu ātri.
Vai kaut ko pievienot paskaidrojumam? Skatieties komentāros. Vēlaties lasīt citas atbildes no citiem tehnoloģiju savvy Stack Exchange lietotājiem? Šeit skatiet pilnu diskusiju pavedienu.
