密碼模式驗證器是安全漏洞嗎?
[英]Is a password pattern validator a security vulnerability?
問題描述
密碼模式驗證器是安全漏洞嗎?
示例:您的密碼必須包含至少小寫字符和大寫字符、特殊字符、數字和 10 到 50 個字符之間的序列。
1 個解決方案
解決方案1
0 已采納 2022-05-25 06:51:53
請查看此處提供的 OWASP 應用程序安全驗證標准: https ://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf
您會發現有以下要求:
2.1.9: Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.
OWASP 標准反映了我們在應用程序安全方面的最佳實踐。 您可以看到現代系統中不應該有密碼驗證器。 這不是一個漏洞,它只是老式的。
但標准還說:
2.1.8: Verify that a password strength meter is provided to help users set a stronger password.
2.1.7: Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password.
所以現代系統應該提供別的東西。
安全漏洞與否?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.