Dnešná relácia otázok a odpovedí sa k nám pridelí zdvorilosťou SuperUser - podskupiny Stack Exchange, zoskupenia webových stránok Otázky a odpovede.
Otázka
Čítač SuperUser Michael McGowan je zvedavý, ako ďaleko dosahuje dopad jedného porušenia hesla; on píše:
Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like
mySecure12#PasswordA
na mieste A a
mySecure12#PasswordB
na mieste B (ak máte zmysel, použite inú definíciu "podobnosti").
Predpokladajme teda, že heslo pre lokalitu A je nejako ohrozené … možno zlomyseľným zamestnancom stránky A alebo bezpečnostnou netesnosťou. Znamená to, že heslo stránky B bolo tiež účinne ohrozené, alebo v tomto kontexte neexistuje žiadna podobnosť ako "heslo podobnosť"? Má nejaký rozdiel, či bol kompromis na webe A prostý text únik alebo hash verziu?
Mal by sa Michael obávať, či sa jeho hypotetická situácia stane?
Odpoveď
Používatelia služby SuperUser pomohli objasniť problém pre Michaela. Superuser prispievateľ Queso píše:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Ďalší autor Superuser Michael Trausch vysvetľuje, ako vo väčšine situácií nie je hypotetická situácia dôvodom na znepokojenie:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Ak máte obavy, že aktuálny zoznam hesiel nie je rôznorodý a dostatočne náhodný, dôrazne odporúčame skontrolovať našu komplexnú príručku zabezpečenia hesiel: Ako sa obnoviť po vašom e-mailovom hesle je kompromitované. Prepracovaním zoznamov hesiel, ako keby matka všetkých hesiel, váš e-mail heslo bolo ohrozené, je ľahké rýchlo priniesť svoje portfólio hesiel rýchlosťou.
Máte niečo doplniť vysvetlenie? Zvuk vypnúť v komentároch. Chcete si prečítať viac odpovedí od iných používateľov technológie Stack Exchange? Pozrite sa na celý diskusný príspevok tu.
