What is the ultimate purpose of setting complex passwords, managing and using them securely?

Set complex passwords, and securely manage and use passwords. The ultimate goal is to prevent attackers from illegally obtaining access and operation permissions.

Dynamic Password is an unpredictable random number combination generated based on a specialized algorithm. Each password can only be used once.

Password classification (Recommended learning: web front-end video tutorial)

In order to solve the problem of static password security, in the 1990s Dynamic password technology has emerged. So far, the application results and general situation are as follows:

Dynamic password technology is mainly divided into two types: synchronous password technology and asynchronous password technology (challenge-response method)

The synchronization password technology is divided into: time synchronization password and event synchronization password. The main technical comparisons are as follows:

Time synchronization

Based on token and server time Synchronization uses calculations to generate consistent dynamic passwords. For tokens based on time synchronization, the general update rate is 60 seconds, and a new password is generated every 60 seconds. However, since its synchronization is based on international standard time, its server is required to be very capable. It accurately maintains the correct clock and has strict requirements on the crystal oscillator frequency of its token, thereby reducing the chance of the system losing synchronization.

On the other hand, every time a token based on time synchronization is authenticated, the server will detect the clock offset of the token and continuously fine-tune its time record accordingly, thus ensuring that the token is authenticated. The synchronization of the token and the server ensures daily use. However, due to the different working environments of the token, uncertain deviation and damage of the clock pulse may easily occur under conditions such as magnetic field, high temperature, high pressure, shock, water immersion, etc.

Therefore, it is very necessary to better protect time synchronized devices. For tokens that lose time synchronization, remote synchronization can currently be performed by increasing the offset (10 minutes before and after). Ensure that it can continue to be used and reduce the impact on the application. However, time synchronization tokens that exceed the default (20 minutes in total) will not be able to continue to be used or remotely synchronized and must be sent back to the server for separate processing. Similarly, for servers based on time synchronization, the system clock should be well protected and should not be changed at will to avoid synchronization problems, which will affect all tokens authenticated based on this server.

Event synchronization

Token based on event synchronization, the principle is to use a specific event sequence and the same seed value as input, and calculate it in the algorithm A consistent password, its operation mechanism determines that its entire workflow is independent of the clock and is not affected by the clock. There is no time pulse crystal oscillator in the token, but due to the consistency of its algorithm, its password is known in advance. Through the token , you can know multiple passwords in the future in advance, so when the token is lost and the PIN code is not used to protect the token, there is a risk of illegal login. Therefore, it is very necessary to protect the PIN code when using event synchronized tokens. of.

Similarly, tokens based on event synchronization also have the risk of losing synchronization, such as users generating passwords for no purpose multiple times. For tokens to lose synchronization, the event synchronization server uses an increased offset. method to resynchronize, the server will automatically calculate backwards a certain number of passwords to synchronize the token and the server. When the out-of-synchronization situation is very serious and the range exceeds the normal range, the server will calculate the password by entering the token twice consecutively. Password, the server will perform token synchronization on a larger scale.

Under normal circumstances, the number of times required for token synchronization will not exceed 3 times. However, in extreme cases, the possibility of losing synchronization cannot be ruled out, such as power outage, operating errors when replacing the battery, etc. At this point, the token can still be synchronized remotely by manually entering a set of sequence values ​​generated by the administrator without having to go back to the server for resynchronization.

The above is the detailed content of What is the ultimate purpose of setting complex passwords, managing and using them securely?. For more information, please follow other related articles on the PHP Chinese website!