Strengthening Password Policy and Password Management
As the Internet has spread, information-security problems of every kind keep emerging. Password leaks happen constantly, and password complexity is the first barrier against attackers. But even against a short yet complex password, an attacker can run a powerful cracking tool with a dictionary attack, which cancels out the advantage of complexity. This article offers solutions from two angles, password policy and password management, to help you better protect your Linux system.
1. Strengthen the password policy: enforce a password rotation period, tighten password rules, introduce a password history
A Linux system with a recommended password lifetime of 90 days forces users to change their password every 90 days. This prevents an attacker from using an old password to enter the system over a long period. But if passwords are too short and lack complexity, the change frequency provides no protection at all. A suitable password length and complexity should therefore be the baseline requirement. If your Linux system asks users for a 6-digit numeric password, there are roughly one million possibilities, but a fast cracking program breaks such a numeric password almost instantly. It is therefore recommended that passwords be at least 10 characters long and contain uppercase letters, lowercase letters, digits and special characters. A password like this has a certain amount of entropy, and an attacker will find it hard to break by brute force.
To effectively prevent users from choosing passwords that are too plain, we add stricter rules, for example: at least 8 characters, with at least 1 uppercase letter, 1 lowercase letter, 1 digit and 1 special character. In addition, you can require that the password not be identical to other user information such as the user's name or account name.
Introducing a password history means passwords cannot be reused. On a Linux system you can set the number of passwords remembered, that is, after a password change, how long the user may not reuse the previous password to log in. This prevents users who are too lazy to really change their password. To make the policy friendlier, it can define exceptions for specific users, so that special roles such as administrators and system operators can work without unnecessary restrictions.
2. Strengthen password management: use password management tools and security frameworks
While consolidating the password policy, strengthening password management is also essential. Password managers improve users' efficiency while keeping passwords secure. You can consider password management tools or integrated environments (IDE), for example LastPass, 1Password or KeePassXC. A password manager can generate random passwords and help users store and protect them. If a password is lost, the password-recovery feature of these tools can give a rough idea of the password that can no longer log in. Password managers can also assess password strength and help users check whether a password meets the management rules.
At the same time, security frameworks can be used to enhance password security, for example multi-factor authentication (MFA) to strengthen login security. MFA requires the user to supply a password plus other identifying factors (for example a security token code, a fingerprint or facial recognition) to pass authentication. Because the factors are combined and random, MFA can to some extent prevent an attacker from logging in with a compromised password. Single sign-on (SSO) can also be used to reduce the password-management burden. With SSO a user logs in once and can then access multiple applications. This approach lowers management cost and improves security.
Conclusion
To defend against attackers we need to establish a sound password policy and a password-management mechanism. Policy optimization focuses mainly on password length, complexity, lifetime and rules. For password management, use a password manager, strengthen MFA and use SSO mechanisms.
Note that the above recommendations should be adjusted to the specific circumstances of each Linux system so that the password security policy remains workable. Only with a complete password-security system can the server and its sensitive data stay safe as Internet security requirements grow ever stricter.
Related reading:
Password complexity is configured in /etc/pam.d/system-auth (open it with # vim /etc/pam.d/system-auth).
Find the line password requisite pam_cracklib.so and append options after it: difok=x (x characters must differ from the old password), minlen=x (minimum password length), ucredit=-x (at least x uppercase letters), lcredit=-x (at least x lowercase letters), dcredit=-x (at least x digits), dictpath=/usr/share/cracklib/pw_dict.
Password aging is configured in /etc/login.defs (open it with # vim /etc/login.defs):
PASS_MAX_DAYS (maximum number of days a password remains valid)
PASS_MIN_DAYS (minimum number of days before a password may be changed again)
PASS_MIN_LEN (minimum password length)
PASS_WARN_AGE (days of warning before a password expires)
When setting a password on a Linux system we often hit this problem: the system reports that the password is too simple, or that it is based on a dictionary word. So how does the system check the complexity of a user's password?
Password control on the system consists of two parts (that I know of):
1 cracklib
2 login.defs
Note: login.defs mainly controls password validity periods, i.e. time-based management of passwords, and is not discussed in detail here.
login.defs – shadow password suite configuration
pam_cracklib.so is the key file that controls password complexity.
Red Hat developed the cracklib package specifically to judge password complexity.
You can list its files with rpm -ql cracklib.
Password complexity checking is implemented through a PAM module, specifically pam_cracklib. Its parameters are described below:
debug
This option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file).
type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word UNIX can be replaced with this option.
retry=N
Prompt the user at most N times before returning with an error. The default is 1.
difok=N
This argument will change the default of 5 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
difignore=N
How many characters should the password have before difok will be ignored. The default is 23.
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password consisting of a single type of character but may be too low to exploit the added security of an MD5 system. Note that there is a pair of length limits in cracklib itself: a "way too short" limit of 4 which is hard-coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be present in a new password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of upper case letters that must be present in a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of lower case letters that must be present in a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be present in a new password.
use_authtok
This argument forces the module not to prompt the user for a new password but to use the one provided by the previously stacked password module.
dictpath=/path/to/dict
Path to the cracklib dictionaries. Note: this dictionary is the key to checking whether a user's password is a dictionary word.
The cracklib password strength check
The password is first looked up in the dictionary; if it is not a dictionary word, the following checks are performed.
These checks are:
Palindrome
Is the new password a palindrome of the old one?
Case Change Only
Is the new password the old one with only a change of case?
Similar
Is the new password too much like the old one?
This is primarily controlled by one argument, difok, which is the number of characters that, if different between the old and new passwords, are enough to accept the new password; this defaults to 10 or 1/2 the size of the new password, whichever is smaller.
To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument specifies the minimum length a new password needs to have before the difok value is ignored. The default value for difignore is 23.
Simple
Is the new password too small?
This is controlled by 5 arguments: minlen, dcredit, ucredit, lcredit and ocredit. See the section on the arguments for the details of how these work and their defaults.
Rotated
Is the new password a rotated version of the old password? For example, old password 123, new password 231.
Already used
Was the password used in the past?
Previously used passwords are to be found in /etc/security/opasswd.
So how does the system implement this control?
The system configuration file /etc/pam.d/system-auth contains a line like this:
password requisite pam_cracklib.so try_first_pass retry=3
We can configure this PAM module with the pam_cracklib parameters described above to achieve the policy we want.
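To make the parameter semantics and the check list above concrete, here is an added Python model of how minlen with positive and negative dcredit/ucredit/lcredit/ocredit values, difok/difignore similarity, and the palindrome, case-change, rotation and length checks decide on a new password. It is example code written for this page, not pam_cracklib's own implementation; the dictionary lookup and the opasswd history check are deliberately left out, and the similarity rule is a simplification of the module's logic.

```python
# Added model, not pam_cracklib's own code; simplified from the checks above.
def effective_length(pw, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Model of the credit rules: N >= 0 grants up to N length credits for
    that character class; N < 0 demands at least -N characters of it.
    Returns (class_minimums_met, credited_length)."""
    counts = {
        "digit": sum(c.isdigit() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "other": sum(not c.isalnum() for c in pw),
    }
    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}
    length = len(pw)
    for cls, count in counts.items():
        n = credits[cls]
        if n >= 0:
            length += min(count, n)      # bonus length, capped at N
        elif count < -n:
            return False, length         # hard minimum for this class not met
    return True, length


def too_similar(old, new, difok=5, difignore=23):
    """Accept when at least difok characters of new are absent from old,
    or at least half of new differs, or new is difignore chars or longer."""
    if len(new) >= difignore:
        return False
    different = sum(1 for c in new if c not in old)
    return different < difok and different * 2 < len(new)


def check_password(old, new, minlen=9, difok=5, difignore=23, **credits):
    """Return 'ok' or the name of the first failing check from the list
    above (the cracklib dictionary lookup is not modelled here)."""
    if new == old[::-1]:
        return "palindrome"
    if new != old and new.lower() == old.lower():
        return "case change only"
    if len(new) == len(old) and new != old and new in old + old:
        return "rotated"                 # e.g. old 123, new 231
    if too_similar(old, new, difok, difignore):
        return "similar"
    mins_met, length = effective_length(new, **credits)
    if not mins_met or length < minlen:
        return "simple"
    return "ok"
```

Calling check_password("123", "231") reproduces the rotation example from the text, and passing ucredit=-1 or similar negative credits shows how a hard class minimum rejects a long all-lowercase passphrase that would otherwise satisfy minlen.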