>> A past IBM cybersecurity intelligence index report concluded that 95% of security breaches are caused by human error.
Human error definitely includes password choices by users.
It also includes password requirements and password storage by systems administrators.
We can say without any hesitation that passwords are a large part of network security.
Hackers can use a technique called "password guessing" in which they manually enter passwords at a login prompt to gain access to an account when they have a valid user name.
In fact, this is exactly what happened in 2013 when a St. Louis Cardinals executive guessed the password of a former co-worker who used to work for the Cardinals but moved on to the Houston Astros.
This led to lots of confidential information about players, potential trades, and scouting reports getting into the hands of a rival executive.
The information was publicly dumped and wound up embarrassing numerous players and teams.
There are tools to automate this guessing process, known as an online attack, including Medusa, Ncrack, and Hydra.
These tools were built to help companies secure their networks, as security specialists can test hosts and networking devices for poor passwords.
These tools are used to audit devices as well.
Online attacks can also be used to check that your firewalls, IDSs, and IPSs detect when a server gets bombarded with unsuccessful login attempts and that accounts lock within a short period when this happens.
Password guessing through manual or automated means is obviously very noisy, so hackers need a better way to do it.
Passwords should never be stored in plain text in databases.
Storing passwords in plain text allows them to be used immediately after they're stolen.
Passwords should be stored in a strong hashed format since hashing is a one-way function.
In many of the data breaches of recent years, stolen password databases contained passwords that were either stored in plain text or hashed with weak algorithms, like MD5 or SHA-1.
On Linux systems, password hashes are stored in the /etc/shadow file.
Most Linux distros use SHA-512 with something called "salt" that we'll discuss later.
On Windows systems, password hashes are stored in the SAM file located at c:\windows\system32\config\sam.
Some Microsoft documentation expands SAM to Security Account Manager while other Microsoft documentation expands SAM to Security Accounts Manager.
On Windows domain controllers running Active Directory, password hashes are stored in the NTDS.dit file located at c:\windows\ntds\ntds.dit.
The Windows NTLM (NT LAN Manager) protocol suite actually uses MD4 without salt for storing Windows hashes.
Websites that we log into store passwords in a backend database, likely using the MySQL relational database management system.
If a hacker enters the stolen hash into the password field, the hash itself would be hashed, so the attacker won't do that.
In this unit, we'll explore what happens when a database containing hashed passwords is stolen.
The hackers have three attack options after they steal the hashed password database.
The first is called a "brute force attack."
The second is a "dictionary attack."
The third is a "rainbow table attack."
Current hashing standards, SHA-2's SHA-256 and SHA-512 and even the SHA-3 variants, are not appropriate for passwords because they're too quick for hackers attempting brute force attacks with today's graphics processing units, application-specific integrated circuits, and field-programmable gate arrays.
PBKDF2, bcrypt, and scrypt, which use SHA functions as part of their algorithms, as well as the newcomer Argon2 should be the only functions used for hashing passwords because these key stretching functions are significantly slower, with tens or hundreds of thousands of additional rounds.
The longer calculation time won't be noticeable by a user logging in but will be great for reducing the rate of brute force attacks.
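The contrast the lecture draws between a fast hash and a key-stretching function, as an added Python example that is not part of the original lecture: it stores a password with PBKDF2-HMAC-SHA256 plus a random salt, verifies it in constant time, shows that a salt stops two users with the same password from sharing a record, and measures how much slower each guess becomes than a bare SHA-256. The record format, the 600,000-iteration count and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def weak_hash(password):
    """The scheme the lecture warns against: one fast, unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Key-stretched, salted record: 'pbkdf2_sha256$iterations$salt$digest' (assumed format)."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def same_password_same_record(password):
    """Two users picking the same password: (weak digests equal?, PBKDF2 records equal?)."""
    return (weak_hash(password) == weak_hash(password),
            hash_password(password) == hash_password(password))

def slowdown_factor(password="hunter2"):
    """How many times longer one guess takes with PBKDF2 than with bare SHA-256."""
    t0 = time.perf_counter()
    for _ in range(1000):
        weak_hash(password)
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hash_password(password)
    slow = time.perf_counter() - t0
    return slow / fast

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(same_password_same_record("hunter2"))                      # (True, False)
    print(f"each guess is ~{slowdown_factor():.0f}x slower")
```

The same pattern applies to bcrypt, scrypt or Argon2; only the work-factor parameter and the record format change.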
Reposted from: https://www.cnblogs.com/sec875/articles/10015908.html