Http://shell909090.com/blog/2011/09/%E5%AF%86%E7%A0%81%E7% AE %A1%E7%90%86%E8%A7%84%E8%8C%83/
The following is the password management specification summarized by shell. You can refer to it.
- Network password and Local Password. The network password is usually difficult to launch brute-force attacks. The speed of attempts is limited by the network, and may be detected by administrators after a certain number of attempts. The Local Password is relatively easy to attack. I assume that the local password attack can reach 2 ^ 30 passwords per second.
- The following formula is used to calculate the password length. Multiply the number of years used by the attack frequency to obtain the maximum number of attempts allowed by attackers during key usage. For the sake of security, the trial scope should not exceed a certain proportion of the total password space. In this way, the size of the password space is calculated, the number of information digits are calculated, and then restored to the number of passwords.
- Password: combination of letters, numbers, and letters. The Information volume of the digital password is 3.3bit, the letter is 4.7bit/bit, the mix is 5.17bit/bit, and the full mix is 5.96bit/bit.
- One password at a time. Except for the Zero-level password, do not set the same password for multiple systems. Some systems are not as secure as we think. Once the system goes wrong, the original password will be restored and it will be associated with other systems.
- Regular replacement. No password can be used for a lifetime.
- Write it down. One password at a time, so we will have a lot of broken passwords. If you do not write it down, it is not safe. Compromise, write it down, save it. We recommend that you use advanced passwords to encrypt low-level passwords, such as keepass.
- Generate a password. Use a specific string + website name for SHA-1 and then take the last 8 digits. This Password meets the requirements of one password at a time. It is not easy to crack and does not need to be written down. The only problem is that you need to calculate the password...
- The zero-level password is not required when you do not need to protect it. In this case, you can only set a password that is not a password. For example, the user password of a common machine. These passwords can be easily modified through livecd/liveusb, so there is no private value.
- Zero-level passwords do not require security and confidentiality, so remember. For example, 111,222, select a commonly used one, and how long it will take to use love.
- Low-level passwords are used to protect content that you do not want others to see, but they do not directly lose. For example, the performance data of the home machine and the access password of the ordinary album. If such content is visible to others, it will not cause any harm. However, if you release it at no cost, there is a potential risk, or you wish to protect it as you wish, and the content security requirements are not very high.
I assume that the low-level password will be attacked for 100 times/year on the network, and the local password will be attacked for 1 hour/year. It can be used for five years, the brute-force password space cannot exceed 1/1000 of the total password space.
- The attack information volume of the network password is log2 (100*5*1000) = 18.93bit. The password should contain more than 6 digits, letters, mix, and full mix should contain more than 4 digits.
- The attack information volume of the Local Password is log2 (2 ^ 30*3600*5*1000) = 54.10bit. The password must be 17 or more digits, 12 or more letters, 11 or more digits, and 9 or more digits.
- Conclusion: Low-level passwords are small in length, and it is not difficult to remember using numbers. We recommend that you use more than four letters (the length of the combination is not decreased). Do not use common combinations or words. We recommend that you use your favorite initials in the reverse order. For example, I will be back, corresponding to the password bbwi.
- The intermediate password is used to protect content that you do not want others to see and that others will lose you. For example, your account book and diary. When using an intermediate password, the main risk does not come from the password itself, but from the password environment. Including whether the computer is secure, whether the network is secure in the middle, and whether the people next to the attack are Snoop attacks.
- I assume that the intermediate password may be attacked for 10000 times/year on the network, and the local password will be attacked for 100 hours/year. It can be used for one year, the brute-force password space cannot exceed 1/100000 Of the total password space.
- The attack information volume of the network password is log2 (10000*1*100000) = 29.90bit. The password must contain more than 9 digits, 7 letters, 6 or more digits, and 4 or more digits.
- The attack information volume of the Local Password is log2 (2 ^ 30*3600*100*1*100000) = 65.07. The password must be 20 or more digits, 14 or more letters, 13 or more digits, and 11 or more digits.
- Conclusion: at the beginning of the intermediate password, the number of digits is too long, and human memory is hard to remember. We recommend that you use a password of more than 8 characters, which is generated in the same way as above.
- Advanced passwords are used to protect valuable content, such as corporate bids and bank accounts. Pay attention to the replacement of the advanced password, which should not exceed half a year.
- I assume that the intermediate password may be attacked for 1000000 times/year on the network, and the local password will be attacked for 8700 hours/year. The available time is 0.5 years, the brute-force password space cannot exceed 1/10000000 Of the total password space.
- The attack information volume of the network password is log2 (1000000*0.5*10000000) = 42.19bit. The password should contain more than 12 digits, the letters and mix should be more than 9 digits, and the full mix should be more than 8 digits.
- The attack information volume of the Local Password is log2 (2 ^ 30*3600*8700*0.5*10000000) = 77.15. The password must contain 24 or more digits, 17 or more letters, 15 or more digits, and 13 or more digits.
- Conclusion: The use of advanced passwords is hard to remember, but only to write them down. Keep your password safe. Once lost or leaked, it is definitely not a joke. If you are familiar with computers, you can use keepass with version manager to support Linux, windows, and Android. Especially for Android, it is not easy to modify, but it is easy to use and very easy to use.
- A special password is a bank account. This type of password should belong to the advanced password. However, we can see that the length of the advanced password should be more than 12 characters, and the maximum length of the bank card password is only 6 characters. This is mainly because the Bank has made a special design for security. If the password is incorrect for five times, it will be warned or locked. The cracking difficulty is much higher than the network password. If your bank password is random, you can use it with confidence, but you are advised to change it once a year. If your bank does not receive five wrong guesses and the card lock function, change the bank now!
- However, the biggest risk of a bank password is that many people use their own or friends for their birthdays to make it easier to remember. According to statistics, the maximum number of birthdays is used in the bank password, followed by the phone number, license plate number, and house number. However, limited by the number of labs, most of them are lab birthdays.
- For such passwords, we recommend that you generate numbers that are easy to remember and strong enough. Use the birthday order of friends and friends in reverse order. Do not describe or imply which friend or friend is or disclose the reverse method. The range of the results is usually between and. It's hard to guess the password even if your acquaintance is pregnant. Even if he is using his own birthday, he may not have guessed it. If the order of their phone numbers is reversed, the effect is better.
In fact, the above regulations may not be followed by all the shells themselves. For example, some accounts have the same password for one password at a time. However, after my own assessment, this risk is relatively low and acceptable. As for the length of my master password-this can be disclosed. It is a 14-digit password with a mix of upper and lower case characters and 82 characters of valid information. Some of them also contain special characters with 91 characters in information. Even based on the strictest standards, it will be five years after the decryption is enough.