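Author: y995526 (kn)
Board: CSSE
Title: [Question] A very basic information security question
Time: Wed Nov 21 21:16:54 2018
Hi everyone, today I came across a question about how to design a login interface so that it is more secure:
The following are three possible logon scenarios. Explain why option (c)
below is preferable in terms of system security.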
a.
Welcome to XYZ computing
Enter username: jones
Invalid username
Enter username:
b.
Welcome to XYZ computing
Enter username: smith
Enter password: password
Invalid access
Enter username:
c.
Enter username: smith
Enter password: password
Invalid access
Enter username: smith
Enter password: FpQr56
Welcome to XYZ computing
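The problem with (a) is fairly obvious, and I already understand it.
What I don't quite understand is the difference between (b) and (c):
how does the timing of when the line "Welcome to XYZ computing" appears affect security?
Thanks, everyone!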
--
※ Posted from: PTT (ptt.cc), from: 140.114.222.71
※ Article URL: https://webptt.com/cn.aspx?n=bbs/CSSE/M.1542806216.A.916.html
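1F:→ CindyLinz: The less information about the host that people who can't yet log in can learn, the better.. 11/23 02:53
2F:Push wang19980531: a. You shouldn't give an error message for a single field; with username and password paired it's harder to break. b. 02/28 13:24
3F:→ wang19980531: An attacker could actually attack using a database of already-known target hosts 02/28 13:24
4F:Push whisper4628: Some companies replace XYZ with an IP or hostname, so before even logging in you already 11/19 17:33
5F:→ whisper4628: learn this information, which raises security concerns 11/19 17:33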
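
The behaviour the replies describe for option (c), as an added Python example that is not part of the original thread: the banner appears only after authentication, and an unknown username and a wrong password get the same reply. The account table, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

BANNER = "Welcome to XYZ computing"   # shown only after authentication
ITERATIONS = 100_000                  # constructed work factor for the demo

def make_record(password, salt=None):
    """Return (salt, PBKDF2 hash) for storing a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed account table; the credentials are the ones in the quiz text.
USERS = {"smith": make_record("FpQr56")}
# Dummy record so unknown usernames cost the same hashing work as real ones.
DUMMY = make_record("placeholder-not-a-real-password")

def check(username, password):
    """True only when both username and password match."""
    known = username in USERS
    salt, expected = USERS[username] if known else DUMMY
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    match = hmac.compare_digest(digest, expected)   # constant-time comparison
    return known and match

def session(attempts):
    """Replay (username, password) attempts; return the lines a client sees."""
    out = []
    for username, password in attempts:
        out.append(f"Enter username: {username}")
        out.append(f"Enter password: {password}")   # echoed as in the quiz text
        if check(username, password):
            out.append(BANNER)
            break
        out.append("Invalid access")   # same reply for bad user or bad password
    return out

if __name__ == "__main__":
    tries = [("jones", "x"), ("smith", "password"), ("smith", "FpQr56")]
    print("\n".join(session(tries)))
```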