Have you ever wondered why exactly it is so important to have 1 uppercase, 1 lowercase, 1 symbol, 1 number, and at least 8 characters in a password? Is MyDogZuma1! really all that much more secure than mydogzuma?
As a matter of fact, it is — based on a required minimum of 8 characters in a password and using all lowercase letters, it would take a hacker using brute force a maximum of 5.6383307e+12 attempts to figure out mydogzuma. This may sound like a lot, but “a lot” is relative. Sure, back in the day when computers were only a fraction as powerful as they are now, it may have been enough. But in today’s world, that is no match for a determined hacker with powerful tech.
In contrast, it would take the same hacker a maximum of 2.7335788e+20 attempts to figure out MyDogZuma1! as a password. Based on these numbers (somewhat approximated with some assumptions), MyDogZuma1! is roughly 48,482,057 times more secure than mydogzuma.
We arrived at this number through some rather simple math. If you think back to whatever senior high school / freshman college math you had to take, you may remember learning about probability and combinations. You remember those questions: “If I have a bag with 5 white marbles, 10 blue marbles, and 20 black marbles, what is the probability that by selecting 3 marbles, I will select one of each?”
Well, there are 35 * 34 * 33 total combinations, or, 39,270 total combinations. There are 5 * 10 * 20 combinations, or 1,000 combinations, that meet our criteria of selecting one of each color. Therefore, we have a probability of 1,000 / 39,270 or 2.546% of selecting the exact color combination.
Total Combinations: 35 * 34 * 33 = 39,270
Combinations Meeting Requirements: 5 * 10 * 20 = 1,000
Probability of Selection Meeting Requirements: 1,000 / 39,270 = 2.546%
This is the same principle we use for passwords. mydogzuma is 9 characters long, there are 26 letters in the alphabet, and the policy requires a minimum of 8 characters. The hacker first tries every combination of 8 lowercase letters:
Total Combinations: 26⁸ = 208,827,064,576
But the closest they would get is mydogzum. They would then try all combinations of 9 lowercase letters:
Total Combinations: 26⁹ = 5.4295037e+12
You get the idea. These numbers are getting a bit hard to wrap our heads around, but the takeaway is that when the same sum is applied to MyDogZuma1! (11 characters, so lengths 8 through 11), the 26 becomes 72: 26 uppercase letters, 26 lowercase letters, 10 numeric digits, and, depending on what is allowed, roughly 10 symbols.
(26⁸ + 26⁹) vs. (72⁸ + 72⁹ + 72¹⁰ + 72¹¹)
The first half of the above comparison is equal to 5.6383307e+12, and the second half is equal to 2.7335788e+20.
2.7335788e+20 / 5.6383307e+12 ≈ 48,482,058
And there we have it. For those who are not familiar, a brute force attack just means that a hacker tries passwords, or uses software to try passwords, one after another until one is right. Against that technique it would take, in the worst case, 48,482,058 times as many tries to crack MyDogZuma1! as it would to crack mydogzuma.
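The keyspace arithmetic above, as an added example (not code from the original article): it detects which character classes a password uses, applies the article's alphabet sizes (26 lowercase, 26 uppercase, 10 digits, roughly 10 symbols) and 8-character minimum, and sums the guesses for every length up to the password's length. It generalizes the article's two cases to any password; the class sizes and minimum length are the article's assumptions, not a property of any real cracking tool.

```python
import string

# Alphabet sizes and policy minimum exactly as the article assumes them.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}
MIN_LENGTH = 8


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, based on the character classes
    actually present in the password (the article's 26 versus 72)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password: str, min_length: int = MIN_LENGTH) -> int:
    """Worst-case number of guesses: every string from min_length up to
    len(password) over the alphabet, i.e. 26^8 + 26^9 for mydogzuma and
    72^8 + 72^9 + 72^10 + 72^11 for MyDogZuma1!. Exact integer arithmetic."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(min_length, len(password) + 1))


def strength_ratio(stronger: str, weaker: str) -> float:
    """How many times larger the worst-case search is for `stronger`."""
    return search_space(stronger) / search_space(weaker)


if __name__ == "__main__":
    for pw in ("mydogzuma", "MyDogZuma1!"):
        print(f"{pw:12s} alphabet={alphabet_size(pw):3d} "
              f"worst-case guesses={search_space(pw):.7e}")
    print(f"ratio ~ {strength_ratio('MyDogZuma1!', 'mydogzuma'):,.0f}")
```

The ratio comes out as 48,482,057.7, which is why the article quotes both 48,482,057 and 48,482,058 depending on rounding.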
As discussed, the above protects you from brute force attacks; however, all of the care you put into choosing a password obviously won’t help if your plain-text password is leaked. You’ve likely heard stories of data breaches and of companies getting in trouble for storing passwords in plain text. This is a massive no-no: once your uppercase+lowercase+symbol+number password is handed off to be stored and referenced for login, it needs to be hashed before it is persisted to the database in order to be truly secure.
In software engineering, hashing algorithms are used to further secure passwords. The term hashing comes from the cooking term, where hashing food means to slice it up and mix it around. Hashing algorithms act similarly, in that they take the actual password, slice it up and mix it around. The result is the user’s password returned as an incomprehensible string of hexadecimal values.
While the returned value appears random, it isn’t. Passing mydogzuma into the same hashing algorithm will always return the same hashed string. To avoid two users with the same password ending up with identical hashed passwords, salt is added to each password prior to hashing. Salt is a random string, unique to a user, that is added to differentiate it from a different user’s otherwise identical password. The resulting hashes will look nothing alike.
When a user logs in, the record matching the username input is looked up, that user’s unique salt is added to the password input, password+salt is passed through the same hashing algorithm, and the resulting hash is compared to the stored hash of password+salt to decide whether the login succeeds.
A strong hashing algorithm is effectively impossible to reverse at this time. This means that even if a hacker were to get his hands on an entire database of properly hashed passwords, it would be rather useless. Hashing algorithms have a cost, which is the amount of computing power needed to run them. This cost allows for scaling: as computers get faster, the hashing can be made slower. The higher the cost, the more expensive each password is for someone to hack.
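The salt, hash and login flow from the last three paragraphs, as an added example rather than code from the article: each user gets a random salt, password+salt goes through PBKDF2-HMAC-SHA256 (a hashing function with the tunable cost the article describes), and login re-hashes the input with the stored salt and compares. The in-memory `users` table, the `ITERATIONS` value and the user names are constructed for the example.

```python
import hashlib
import hmac
import os

# The "cost" knob: raise it as hardware gets faster. This value is a
# constructed choice for the example, not a figure from the article.
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory user table; a real system persists these columns.
users: dict[str, dict] = {}


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Hash password+salt; returns the hex string the article describes.
    Same password and same salt always give the same hex string."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return digest.hex()


def register(username: str, password: str) -> None:
    """Store salt, cost and hash only; the plain-text password is never kept."""
    salt = os.urandom(SALT_BYTES)  # unique random salt per user
    users[username] = {
        "salt": salt.hex(),
        "iterations": ITERATIONS,  # stored so the cost can be raised later
        "hash": hash_password(password, salt),
    }


def login(username: str, password: str) -> bool:
    """Look up the record, re-hash the input with that user's salt, compare."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hash_password(password, bytes.fromhex(record["salt"]),
                              record["iterations"])
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate, record["hash"])


def hashes_collide(user_a: str, user_b: str) -> bool:
    """True only if two stored hashes are identical; per-user salt prevents it."""
    return users[user_a]["hash"] == users[user_b]["hash"]
```

Two users who both choose mydogzuma end up with different stored hashes because their salts differ, which is exactly why a precomputed list of common-password hashes cannot be matched against the whole table at once.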
So if passwords are hashed anyway, and hashing cannot be reversed, why does it matter what my password is? Well, first of all, sadly, too many companies do not properly secure their data and passwords. But more importantly, a type of brute force attack can be used on a leaked list of hashed passwords: a list of the most common passwords is passed through the hashing algorithm, and the resulting hashes are compared against the stored ones. If a unique salt was added to each password, this precomputed list is futile. If it was not, a few random capitalizations or symbols added to your password can prove a strong line of defense.
I just want to take a second to clarify that encryption and hashing are not the same thing. Encryption is a form of data security that translates data into something unrecognizable unless you have the secret key. The key has to be stored somewhere for future use. If encryption were used for password security, all keys would have to be stored on a server, and if anyone gained access to those keys, the entire password database would be threatened.