Public-key cryptography is more secure than traditional cryptography: are short passwords really insecure?
Published: 2019-05-11

You know the drill: use a long and varied password, don’t use the same password twice, use a different password for every site. Is using a short password really that dangerous? Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader user31073 is curious whether he should really heed those short-password warnings:

Using systems like TrueCrypt, when I have to define a new password I am often informed that using a short password is insecure and “very easy” to break by brute-force.

I always use passwords of 8 characters in length, which are not based on dictionary words, which consist of characters from the set A-Z, a-z, 0-9.

I.e. I use passwords like sDvE98f1

How easy is it to crack such a password by brute-force? I.e. how fast.

I know it heavily depends on the hardware, but maybe someone could give me an estimate of how long it would take to do this on a dual core with 2 GHz or whatever to have a frame of reference for the hardware.

To brute-force attack such a password one needs not only to cycle through all combinations but also try to decrypt with each guessed password which also needs some time.

Also, is there some software to brute-force hack TrueCrypt because I want to try to brute-force crack my own password to see how long it takes if it is really that “very easy”.

Are short random-character passwords really at risk?

The Answer

SuperUser contributor Josh K. highlights what the attacker would need:

If the attacker can gain access to the password hash it is often very easy to brute force since it simply entails hashing passwords until the hashes match.

The hash “strength” is dependent on how the password is stored. An MD5 hash might take less time to generate than a SHA-512 hash.

Windows used to (and may still, I don’t know) store passwords in a LM hash format, which uppercased the password and split it into two 7 character chunks which were then hashed. If you had a 15 character password it wouldn’t matter because it only stored the first 14 characters, and it was easy to brute force because you weren’t brute forcing a 14 character password, you were brute forcing two 7 character passwords.

If you feel the need, download a program such as John The Ripper or Cain & Abel (links withheld) and test it.

I recall being able to generate 200,000 hashes a second for an LM hash. Depending on how TrueCrypt stores the hash, and if it can be retrieved from a locked volume, it could take more or less time.

Brute force attacks are often used when the attacker has a large number of hashes to go through. After running through a common dictionary they will often start weeding passwords out with common brute force attacks. Numbered passwords up to ten, extended alpha and numeric, alphanumeric and common symbols, alphanumeric and extended symbols. Depending on the goal of the attack it can lead with varying success rates. Attempting to compromise the security of one account in particular is often not the goal.

Another contributor, Phoshi, expands on the idea:

Brute-Force is not a viable attack, pretty much ever. If the attacker knows nothing about your password, he isn’t getting it through brute-force this side of 2020. This may change in the future, as hardware advances (For example, one could use all however-many-it-has-now cores on an i7, massively speeding up the process (Still talking years, though))

If you want to be -super- secure, stick an extended-ascii symbol in there (Hold alt, use the numpad to type in a number larger than 255). Doing that pretty much assures that a plain brute-force is useless.

You should be concerned about potential flaws in TrueCrypt’s encryption algorithm, which could make finding a password much easier, and of course, the most complex password in the world is useless if the machine you’re using it on is compromised.

We would annotate Phoshi’s answer to read “Brute-force is not a viable attack, when using sophisticated current generation encryption, pretty much ever”.

As we highlighted in our recent article, encryption schemes age and hardware power increases, so it’s only a matter of time before what used to be a hard target (like Microsoft’s NTLM password encryption algorithm) is defeatable in a matter of hours.
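
The arithmetic behind the question and Josh K.'s LM description, as an added example that is not part of the original article or answers. It assumes the 200,000 guesses per second recalled for LM applies to every row (an assumption made only so the rows are comparable), and the function names are hypothetical.

```python
# Added example: worst-case search time for the password shapes discussed above.
import string

ALNUM = string.ascii_letters + string.digits        # 62 symbols: A-Z, a-z, 0-9
LM_ALNUM = string.ascii_uppercase + string.digits   # 36 symbols left after LM uppercasing
RATE = 200_000            # guesses/second: the LM figure recalled in the answer
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length):
    """Candidates of exactly `length` characters hashed as one unit."""
    return alphabet_size ** length


def lm_keyspace(alphabet_size, length):
    """Worst-case guesses when the password is stored as two separately
    hashed 7-character halves: the halves are searched independently,
    so the costs add instead of multiplying."""
    if not 1 <= length <= 14:
        raise ValueError("LM hashing covers passwords of 1 to 14 characters")
    first, second = min(length, 7), max(length - 7, 0)
    total = keyspace(alphabet_size, first)
    if second:
        total += keyspace(alphabet_size, second)
    return total


def worst_case_years(candidates, rate=RATE):
    return candidates / rate / SECONDS_PER_YEAR


def report(rate=RATE):
    """Worst-case years per scenario at an assumed constant guess rate."""
    cases = {
        "8 chars, 62 symbols, one hash": keyspace(len(ALNUM), 8),
        "14 chars, 62 symbols, one hash": keyspace(len(ALNUM), 14),
        "14 chars, stored as LM halves": lm_keyspace(len(LM_ALNUM), 14),
    }
    return {label: worst_case_years(n, rate) for label, n in cases.items()}


if __name__ == "__main__":
    for label, years in report().items():
        print(f"{label:32s} {years:.3g} years ({years * 365:.3g} days)")
```

A slow key-derivation function lowers the guess rate and raises every figure in proportion, which is why the storage format matters more than the two extra characters.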

Reposted from: http://ptkwd.baihongyu.com/
