Why remember your password?

Foreword

Good habits compound over time into a powerful asset.

This is the eighth article of 2020, keeping this year's commitment of at least one article a week.

Today's topic comes from a question someone asked in the group: how to store passwords.

In the internet age we deal with far too many apps and websites every day, and most of them require registering an account with a password.

Generating and storing passwords has become an everyday chore.

People handle it in different ways. Some, unable to remember more, keep fewer than three passwords in total, and sometimes set very weak ones such as the usual 123456 or 123123. Others keep a separate password for every site or app, stored locally or synced to the cloud (a network drive or an online document), and search and copy the entry each time they log in.

From both the security and the usability point of view, this way of generating and storing passwords has problems.

I. Security of password generation and storage

1. Similar or identical passwords across applications

The password system itself demands that passwords be strong and unique, but because generating and storing them is troublesome, users settle for the same set of passwords everywhere. That is exactly what exposes them to credential stuffing (撞库). Plenty of data and cases show that credential-stuffing attacks go on around us day and night, at large scale and with a high degree of specialization.

撞库 literally means "collision against the database". The "database" holds large amounts of often sensitive data: the user name and password needed to log in to a site, phone numbers, ID numbers and other private information. The main scenario is taking an existing list of account/password pairs and submitting them through a site's normal login form to find which user name/password combinations are valid there; in plain words, account hijacking. Note that hijacking is not the only goal: a common purpose is simply to check whether an account is registered on the target site (account enumeration).
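Credential stuffing seen from the defender's side, as an added example that is not from the original post: a small Python detector run over constructed login log lines. A replayed credential list shows up as one source trying many different accounts with almost every attempt failing, while a real user who mistypes fails a couple of times on one account and then succeeds. The log format (timestamp, ip=, user=, result=), the addresses, the user names and the thresholds are all assumptions made for this example.

```python
"""Added example: spotting a credential-stuffing run in web login logs."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 198.51.100.7 cycles through eight accounts and gets one
# hit; 203.0.113.5 is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2020-04-05T10:00:01 ip=198.51.100.7 user=alice result=fail
2020-04-05T10:00:02 ip=198.51.100.7 user=bob result=fail
2020-04-05T10:00:02 ip=198.51.100.7 user=carol result=ok
2020-04-05T10:00:03 ip=198.51.100.7 user=dave result=fail
2020-04-05T10:00:03 ip=198.51.100.7 user=erin result=fail
2020-04-05T10:00:04 ip=198.51.100.7 user=frank result=fail
2020-04-05T10:00:04 ip=198.51.100.7 user=grace result=fail
2020-04-05T10:00:05 ip=198.51.100.7 user=heidi result=fail
2020-04-05T10:01:10 ip=203.0.113.5 user=ivan result=fail
2020-04-05T10:01:20 ip=203.0.113.5 user=ivan result=fail
2020-04-05T10:01:35 ip=203.0.113.5 user=ivan result=ok
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_attempts=5, min_distinct_users=4,
                          max_success_rate=0.25):
    """Per source IP, flag many attempts spread over many distinct accounts
    with a low success rate. Thresholds are illustrative; tune to your traffic."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["ok"] += ev["result"] == "ok"
        s["users"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
                # Accounts that did log in from a stuffing source were reused
                # passwords that worked: they need a forced reset.
                "hijacked": sorted(ev["user"] for ev in events
                                   if ev["ip"] == ip and ev["result"] == "ok"),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-IP view is deliberate: a stuffing run is invisible in per-account lockout counters, because each account sees only one or two attempts. The "hijacked" list is the actionable output, since those are the accounts whose reused password was confirmed by the attacker.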

How far away is credential stuffing from us? The facts show that such cases are not rare:

  • Ctrip: a technical flaw led to the leak of personal information, bank card security codes and other data
  • Xiaomi: a burst of leaked user data, involving the information of 8 million registered users of the Xiaomi forum
  • Several courier companies' websites were found to have exploitable vulnerabilities, with 14 million personal records leaked
  • Zhaopin: 860,000 user resumes leaked
  • China Eastern Airlines: a large number of customer orders leaked
  • 12306, the train ticket booking site, was hit by credential stuffing

With the explosive growth of IoT devices in recent years, the lack of visibility into data traffic has greatly enlarged the overall attack surface and companies' exposure. Data breaches keep increasing, which has made credential stuffing a popular intrusion method in recent years.

2. Password storage

As mentioned in the foreword, some people keep a separate password for every site or app, stored locally or synced to the cloud (a network drive or an online document), and search and copy it when needed. This is also problematic.

  • Local storage cannot sync across platforms. Using a password both at home and at work becomes a hassle, so usability is poor.

  • Cloud sync: many network drives and online document tools can store passwords and sync them across platforms, but no vendor can guarantee your data will never be compromised, and each time you need a password you have to open the storage app and search for it, which is tedious.

II. User-side solution

Approach

On the security side, the main goal is to defeat credential stuffing. The best way is of course a different password for every site, each of high strength, for example required to contain digits plus upper- and lowercase letters.

But how do you keep so many passwords in mind? That is the storage problem. My personal advice is not to store them at all: generate each one on demand, so there is nothing to remember and no stored list to leak. The open-source project https://github.com/ls0f/pwm offers an approach:

The user remembers only one secret, the "salt", and every site password is derived from it. For a given site, the salt, the domain name and the account name are combined and hashed (the code below computes HMAC-SHA1 keyed with the salt over domain + account), the digest is base64-encoded, the first 15 characters are taken, and a fixed rule then forces a digit, a lowercase and an uppercase letter into the result so that it meets the strength requirements of most sites.

This way, as long as your salt stays secret, your passwords stay safe. The caveat: the scheme's security rests entirely on the salt. HMAC-SHA1 is fast, the algorithm is public, and a single leaked password for a known domain and account is enough to test salt guesses offline, so a short or guessable salt can be recovered and then yields every other site's password. Choose a long, high-entropy salt, and remember that a leaked salt cannot be rotated without changing every password derived from it.

Code

Below are Python and JavaScript implementations. Deploy the page to your VPS or to GitHub Pages and you can derive passwords from anywhere (they are deterministic, not random: the same salt, domain and account always give the same password).

Python:

    import hmac
    import re
    from base64 import b64encode
    from hashlib import sha1

    NUM_STR = "0123456789"
    LOW_LETTERS = "abcdefghijklmnopqrstuvwxyz"
    UPPER_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


    def gen_passwd(key, raw, passwd_length=15):
        # key: the salt the user remembers; raw: domain + account.
        # HMAC-SHA1 keyed with the salt, base64-encoded, truncated to passwd_length.
        h = hmac.new(key.encode(), raw.encode(), sha1)
        base64 = b64encode(h.digest()).decode()
        _passwd = base64[0:passwd_length]
        return _format_passwd(_passwd)


    def _format_passwd(passwd):
        # Format the password: it must contain upper/lowercase letters and digits.
        # '+' and '/' are the only non-alphanumeric base64 characters; map them away.
        passwd = passwd.replace("+", '0')
        passwd = passwd.replace("/", '1')
        list_passwd = list(passwd)

        # Force one character of each missing class into the last three positions.
        if re.search(r"[0-9]", passwd) is None:
            list_passwd[-3] = NUM_STR[ord(passwd[-3]) % len(NUM_STR)]

        if re.search(r"[a-z]", passwd) is None:
            list_passwd[-2] = LOW_LETTERS[ord(passwd[-2]) % len(LOW_LETTERS)]

        if re.search(r"[A-Z]", passwd) is None:
            list_passwd[-1] = UPPER_LETTERS[ord(passwd[-1]) % len(UPPER_LETTERS)]

        return ''.join(list_passwd)


    # Example: the salt is the only secret; the message is domain + account.
    print(gen_passwd("my-salt", "example.com" + "alice"))

JavaScript:

        // Requires the jsSHA library (v2 API: setHMACKey / getHMAC).
        function gen_passwd(key, raw){
            var shaObj = new jsSHA("SHA-1", "TEXT");
            shaObj.setHMACKey(key, "TEXT");   // key = the user's salt
            shaObj.update(raw);               // raw = domain + account
            var hmac = shaObj.getHMAC("B64");
            var passwd = hmac.substring(0, 15);
            // Replace every '+' and '/'; a plain string replace only hits the first one.
            passwd = passwd.replace(/\+/g, '0');
            passwd = passwd.replace(/\//g, '1');
            var list_passwd = passwd.split('');
            // Force a digit, a lowercase and an uppercase letter into the last three
            // positions (indices 12, 13, 14 of the 15-character string).
            if (!/[0-9]/.test(passwd)){
                list_passwd[12] = "0123456789"[passwd.charCodeAt(12) % 10];
            }
            if (!/[a-z]/.test(passwd)){
                list_passwd[13] = "abcdefghijklmnopqrstuvwxyz"[passwd.charCodeAt(13) % 26];
            }
            if (!/[A-Z]/.test(passwd)){
                list_passwd[14] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"[passwd.charCodeAt(14) % 26];
            }
            return list_passwd.join('');
        }

        // Example: gen_passwd("my-salt", "example.com" + "alice")

I tested it deployed as a page: no more searching for each password.
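The salt + domain + account derivation and the claim that the salt alone protects the passwords, as an added example that is not code from this page or from the pwm project: a Python implementation of the scheme together with the offline check an attacker would run against it. The function names derive_password, meets_policy and recover_salt, the salt "123456", the wordlist and the domains shop.example and bank.example are all constructed for the example. One deliberate difference from the scheme above: the character-class patching is re-checked against the current string rather than the original, so the policy still holds in the rare case where writing a digit into one slot removes the only letter of another class.

```python
"""Added example: the salt+domain+account derivation, and what one leaked
password lets an attacker do to a weak salt."""
import hmac
from base64 import b64encode
from hashlib import sha1

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Each missing character class is forced into a fixed slot near the end.
SLOTS = ((-3, DIGITS), (-2, LOWER), (-1, UPPER))


def derive_password(salt, domain, account, length=15):
    """HMAC-SHA1(key=salt, msg=domain+account) -> base64 -> first `length`
    characters, patched to contain a digit, a lowercase and an uppercase letter."""
    mac = hmac.new(salt.encode(), (domain + account).encode(), sha1).digest()
    chars = list(b64encode(mac).decode()[:length].replace("+", "0").replace("/", "1"))
    # Re-check the current string on every pass: writing a digit into slot -3
    # may have removed the only lowercase letter. A slot is written at most
    # once and then stays valid, so three passes always suffice.
    for _ in range(len(SLOTS)):
        for pos, alphabet in SLOTS:
            if not any(c in alphabet for c in chars):
                chars[pos] = alphabet[ord(chars[pos]) % len(alphabet)]
    return "".join(chars)


def meets_policy(pw, length=15):
    """The strength rule the scheme promises: fixed length, digit, lower, upper."""
    return (len(pw) == length
            and any(c in DIGITS for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw))


def recover_salt(domain, account, leaked_password, candidate_salts):
    """Offline attack on the scheme: with one (domain, account, password) triple
    from a breach and knowledge of the algorithm, try candidate salts until one
    reproduces the leaked password. HMAC-SHA1 is fast, so a dictionary or
    brute-force search over short salts is cheap."""
    for salt in candidate_salts:
        if derive_password(salt, domain, account) == leaked_password:
            return salt
    return None


if __name__ == "__main__":
    # Constructed scenario: the victim's salt is "123456" and shop.example
    # leaks its password database (assumed names, not real services).
    weak_salt = "123456"
    leaked = derive_password(weak_salt, "shop.example", "alice")
    wordlist = ["password", "qwerty", "123456", "letmein"]
    found = recover_salt("shop.example", "alice", leaked, wordlist)
    print("recovered salt:", found)
    # With the salt, every other site's password follows without another breach.
    print("bank.example password:", derive_password(found, "bank.example", "alice"))
    # A long random salt is in no wordlist; the same search fails.
    strong = derive_password("2Xk9!vQ7#mL4pR8s", "shop.example", "alice")
    print("strong salt recovered:", recover_salt("shop.example", "alice", strong, wordlist))
```

The attack in recover_salt is the reason the salt has to be treated like a master password rather than like a PIN: there is no server-side rate limit on an offline search, and a salt recovered from one site's breach reproduces the passwords of every site that user has.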

III. Vendor-side solution

In short, besides the traditional account/password system, phone-number login and QR-code login are both good options.

Finally

Follow the WeChat official account: 七夜安全博客 (Seven Nights Security Blog).


This article is an original work. Sharing and reprinting are welcome, but modifying its contents is prohibited. Please respect the original and credit the source: Seven Nights' Story (七夜的故事) http://www.cnblogs.com/qiyeboy/


Source: www.cnblogs.com/qiyeboy/p/12640640.html