Is a password pattern validator a security vulnerability?
Example: your password must contain at least one lowercase character and one uppercase character, one special character, one digit, and be between 10 and 50 characters long.
Have a look at the OWASP Application Security Verification Standard, available here: https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf
You will find the following requirement:
2.1.9: Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.
The OWASP standard reflects our best practices in application security. As you can see, a modern system should not have a password validator. It is not a vulnerability, just outdated.
But the standard also says:
2.1.8: Verify that a password strength meter is provided to help users set a stronger password.
2.1.7: Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password.
So a modern system should provide something else.
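Added example, not part of the question or the answer above: the composition pattern from the question beside a policy written to the V2.1 requirements the answer quotes, together with the length requirements from the same section of ASVS 4.0.3 (2.1.1 minimum 12 characters, 2.1.2 at least 64 characters permitted, 2.1.3 no truncation, 2.1.4 any printable Unicode including spaces). The breached list is constructed, and the range-query "service" is an in-process stand-in modelled on the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords API, assumed here as the "other mechanism" 2.1.7 allows; the strength meter of 2.1.8 is not shown.

```python
# Added example (not from the question or the answer above): the composition
# validator the question describes beside an ASVS V2.1-style policy. The
# breached list below is constructed, and the range-query "service" is an
# in-process stand-in modelled on the k-anonymity lookup used by Have I Been
# Pwned's Pwned Passwords API (assumed here as 2.1.7's "other mechanism").
import hashlib
import re

# The pattern from the question: lower + upper + digit + special, 10 to 50 chars.
LEGACY_PATTERN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{10,50}$")


def legacy_validator(password: str) -> bool:
    """Composition-rule validator (exactly what ASVS 2.1.9 says not to have)."""
    return LEGACY_PATTERN.fullmatch(password) is not None


# Constructed breached list; a real deployment would use a top-N list or a service.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Password1!", "Password123!", "P@ssw0rd"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the digest the range query is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Server" side: hash suffixes indexed by the first five hex characters of the SHA-1.
_RANGE_INDEX: dict[str, list[str]] = {}
for _pw in BREACHED_PASSWORDS:
    _digest = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], []).append(_digest[5:])


def range_query(prefix: str) -> list[str]:
    """What the service receives is only a 5-character hash prefix. It answers with
    every suffix in that range, so it never learns which password was asked about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGE_INDEX.get(prefix, [])


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    The plain-text password never leaves this function."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


MIN_LENGTH = 12   # ASVS 2.1.1
MAX_LENGTH = 128  # ASVS 2.1.2: at least 64 must be allowed; reject, never truncate (2.1.3)


def asvs_check(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted.
    Deliberately no composition rules (2.1.9); spaces and any printable Unicode are
    allowed (2.1.4); the breached check (2.1.7) runs regardless of the other results."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(not ch.isprintable() for ch in password):
        problems.append("contains non-printable characters")
    if is_breached(password):
        problems.append("found in breached-password list; choose a different one")
    return problems


def compare(password: str) -> dict:
    """Side-by-side verdict of the legacy pattern and the ASVS-style policy."""
    return {"legacy_accepts": legacy_validator(password), "asvs_rejections": asvs_check(password)}


if __name__ == "__main__":
    for pw in ["Password123!", "Tr0ub4dor&3", "correct horse battery staple", "🔑 café au lait 2024"]:
        print(repr(pw), compare(pw))
```

Running the block shows the two policies disagreeing in both directions: "Password123!" satisfies every composition rule and is rejected only because it is in the breached list, while "correct horse battery staple" fails the pattern and is accepted by the ASVS-style check. The only thing the stand-in service ever sees is a five-character prefix, which is the property 2.1.7 asks for when an external API is used.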