CN112613029A - Weak password detection method and device, computer storage medium and equipment - Google Patents
Weak password detection method and device, computer storage medium and equipment Download PDFInfo
- Publication number
- CN112613029A CN112613029A CN202110013122.4A CN202110013122A CN112613029A CN 112613029 A CN112613029 A CN 112613029A CN 202110013122 A CN202110013122 A CN 202110013122A CN 112613029 A CN112613029 A CN 112613029A
- Authority
- CN
- China
- Prior art keywords
- login
- information
- detection
- weak password
- password
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
Abstract
The embodiment of the application discloses a weak password detection method, a device, a computer storage medium and equipment, wherein the method comprises the following steps: receiving login request information; determining a login characteristic rule corresponding to the login request information; extracting login information from the login request information based on the login characteristic rule; and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information. In this way, by determining the login characteristic rule for the login request information, the login information can be accurately extracted from the login request information based on the login characteristic rule; and when the login is successful, the detection rate of the weak password can be improved by detecting the weak password of the login information, and the misjudgment rate of the weak password is reduced.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a weak password detection method, apparatus, computer storage medium, and device.
Background
A weak password (week password) refers to a password that is easily guessed by a malicious user or broken by a hacking tool, such as a password containing only simple numbers and letters, e.g., "123", "abc", and the like. Statistically, about 30% of security problems are caused by weak passwords, and most enterprises have the requirement of password checking and supervision, so that weak password governance becomes a very important ring in enterprise security construction. However, in the related art, the conventional weak password detection method has insufficient ability to detect a weak password, and thus has problems of low detection rate of the weak password and high false judgment rate.
Disclosure of Invention
The application provides a weak password detection method, a weak password detection device, a computer storage medium and equipment, which can accurately identify weak passwords under various login components, so that the detection rate of the weak passwords is improved, and the misjudgment rate of the weak passwords is reduced.
The technical scheme of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a weak password detection method, where the method includes:
receiving login request information;
determining a login characteristic rule corresponding to the login request information;
extracting login information from the login request information based on the login characteristic rule;
and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information.
In a second aspect, an embodiment of the present application provides a weak password detection apparatus, including: the device comprises a receiving unit, a determining unit, an extracting unit and a detecting unit; wherein
The receiving unit is configured to receive login request information;
the determining unit is configured to determine a login feature rule corresponding to the login request information;
the extraction unit is configured to extract login information from the login request information based on the login feature rule;
the detection unit is configured to perform weak password detection on the login information to determine whether a weak password exists in the login information when the login state is detected to be successful login.
In a third aspect, an embodiment of the present application further provides a weak password detection apparatus, where the weak password detection apparatus includes: a memory and a processor; wherein the content of the first and second substances,
the memory for storing a computer program operable on the processor;
the processor is configured to execute the weak password detection method according to the first aspect when the computer program is executed.
In a fourth aspect, embodiments of the present application provide a computer storage medium storing a weak password detection program, which when executed by at least one processor implements the weak password detection method according to the first aspect.
In a fifth aspect, the present application provides a detection apparatus, which includes at least the weak password detection apparatus as described in the second aspect or the third aspect.
The weak password detection method, the weak password detection device, the computer storage medium and the equipment provided by the embodiment of the application receive login request information; determining a login characteristic rule corresponding to the login request information; extracting login information from the login request information based on the login characteristic rule; and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information. Therefore, after login request information is received, the login characteristic rules corresponding to the login request information are determined, so that the characteristic rules corresponding to different login components can be accurately identified, the login information to be detected can be accurately extracted, weak passwords under various login components can be accurately identified when weak password detection is carried out on the login information, the detection rate of the weak passwords is improved, and the misjudgment rate of the weak passwords is reduced.
Drawings
Fig. 1 is a schematic flowchart of a weak password detection method according to an embodiment of the present disclosure;
FIG. 2 is a flowchart illustrating another weak password detection method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a weak password detection system according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a weak password detection apparatus according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of another weak password detection apparatus provided in the embodiment of the present application;
fig. 6 is a schematic hardware structure diagram of a weak password detection apparatus according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a detecting apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
The weak password governance is an important part in enterprise security construction, however, no product capable of accurately identifying the weak passwords of various login components exists in the industry, and the problems of low weak password detection rate and high misjudgment rate exist at present. In the related technology, when a weak password is detected, an exhaustion method is usually adopted to perform multiple times of simulated login, which results in long detection time, low detection efficiency and high missed detection rate, and simultaneously results in higher pressure of a detected website, easy damage to the website and lower security.
It is understood that Snort is a powerful Network Intrusion Detection/Prevention System (NIDS) with features such as Multi-Platform (Multi-Platform), Real-Time (Real-Time) traffic analysis, Internet Protocol (IP) packet (packet) logging, etc. Most intrusion behaviors have certain characteristics, and Snort can detect various intrusion behaviors and detection activities by performing rule matching on data packets in a rule-based mode. The embodiment of the application provides that Snort rules are combined with login components, different login components can be identified through the Snort rules, and login information is accurately extracted according to the characteristic rules of different login components, so that the weak password of different login components can be accurately detected.
Based on this, the embodiment of the present application provides a weak password detection method, and the basic idea of the method is: by receiving login request information; determining a login characteristic rule corresponding to the login request information; extracting login information from the login request information based on the login characteristic rule; and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information. Therefore, after login request information is received, the login characteristic rules corresponding to the login request information are determined, so that the characteristic rules corresponding to different login components can be accurately identified, the login information to be detected can be accurately extracted, and therefore when weak password detection is carried out on the login information, weak passwords under various login components can be accurately identified, the detection rate of the weak passwords is improved, and meanwhile the misjudgment rate of the weak passwords is reduced.
In an embodiment of the present application, referring to fig. 1, a flowchart of a weak password detection method provided in an embodiment of the present application is shown. As shown in fig. 1, the method may include:
s101: and receiving login request information.
It should be noted that the weak password detection method provided by the embodiment of the present application may be applied to a weak password detection apparatus or a detection device integrated with the apparatus. Here, the detection device may be, for example, a smart phone, a tablet computer, a notebook computer, a palm computer, a Personal Digital Assistant (PDA), a navigation device, a server, and the like, which are not particularly limited in the embodiments of the present application.
It should be further noted that the weak password detection method provided by the embodiment of the present application may be applied to a World Wide Web (Web) system. For example, when a user performs a login operation through a browser, a client, or the like, the browser or the client first receives login request information. Here, only examples of the login by the user in the browser, the client, and the like are given, and actually, there are various login methods, and this embodiment of the present application is not particularly limited to this.
S102: and determining a login characteristic rule corresponding to the login request information.
It should be noted that, in the embodiment of the present application, after the login request information is received, the corresponding login feature rule may be determined based on the received login request information. The method specifically comprises the following steps: and extracting the characteristics of the login request information, matching the login request information with a preset characteristic rule base, and if the login request information is successfully matched with a certain login characteristic rule, determining that the login characteristic rule corresponding to the login request information is the successfully matched login characteristic rule.
S103: and extracting login information from the login request information based on the login characteristic rule.
It should be noted that, in the embodiment of the present application, after the login feature rule is determined, the login information may be extracted from the login request information based on the determined login feature rule. Since the login feature rule is determined from the login request information in step S102, the login information can be accurately extracted from the login request information based on the login feature rule. Here, the login information may include at least a user name and a password.
S104: and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information.
In the embodiment of the present application, after the login information is extracted from the login request information based on the determined login characteristic rule, login may be performed based on the extracted login information, for example, login may be performed based on the extracted user name and password, and at this time, the login status needs to be detected. If the detection result shows that the login state is successful login, the password in the login information is correct, and weak password detection needs to be carried out on the login information at this time so as to determine whether the weak password exists in the login information. It will be appreciated that if the login status is a failure, it indicates that the user name or password is incorrect, and in this case, weak password detection of the login information is not required.
That is to say, the embodiment of the application only performs weak password detection on login information which is successfully logged in, so that the pressure of the tested network station is reduced, and the efficiency of weak password detection is improved.
The embodiment of the application provides a weak password detection method, which comprises the steps of receiving login request information; determining a login characteristic rule corresponding to the login request information; extracting login information from the login request information based on the login characteristic rule; and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information. Therefore, after login request information is received, the login characteristic rules corresponding to the login request information are determined, so that the characteristic rules corresponding to different login components can be accurately identified, the login information to be detected can be accurately extracted, and therefore when weak password detection is carried out on the login information, weak passwords under various login components can be accurately identified, the detection rate of the weak passwords is improved, and meanwhile the misjudgment rate of the weak passwords is reduced.
In another embodiment of the present application, referring to fig. 2, a flowchart of another weak password detection method provided in the embodiment of the present application is shown. As shown in fig. 2, the method may include:
s201: and receiving login request information.
It should be noted that the description of the implementation process of step S201 is consistent with the description of the implementation process of step S101 in the previous embodiment, and this is not described again in this embodiment of the application.
S202: and identifying the login request information by using a preset identification rule, and determining the information of the component to be logged in.
S203: and determining the login characteristic rule corresponding to the information of the component to be logged in from a preset rule base based on the information of the component to be logged in.
Here, the preset rule base includes a plurality of types of login component information and login feature rules corresponding to the plurality of types of login component information. In some embodiments, the determining, from a preset rule base, the login feature rule corresponding to the component information to be logged in based on the component information to be logged in may include:
performing feature matching on the information of the component to be logged and the preset rule base;
and determining the login feature rule from the preset rule base according to the matching result.
It should be noted that, in the embodiment of the present application, after the login request information is received, the login request information may be identified by using a preset identification rule, so as to determine the information of the component to be logged in, and further determine a login feature rule corresponding to the login request information according to the information of the component to be logged in.
In an embodiment of the present application, the preset identification rule may include a Snort rule.
Here, Snort rule is a core module of Snort engine, and may perform feature recognition and extraction on some behaviors. In the embodiment of the present application, the login request information may be subjected to feature recognition by using Snort rules, and certainly, the login request information may also be subjected to feature recognition by using other recognition rules, which is not specifically limited in this embodiment. After identifying the information of the components to be logged in, matching the extracted information of the components to be logged in with a preset rule base in a Snort engine, wherein the preset rule base has various common login components and corresponding login characteristic rules, and can also contain user-defined login components and corresponding login characteristic rules. It should be further noted that the preset rule base belongs to a part of the Snort engine, and may also be referred to as performing feature matching through Snort rules to determine a login feature rule corresponding to the login request information.
Therefore, after the information of the component to be logged is determined, the information of the component to be logged can be matched with a preset rule base; if the match is successful, the corresponding login feature rules can be determined.
Further, in some embodiments, the preset rule base may include a first feature rule base and a second feature rule base; the first feature rule base represents a feature rule base corresponding to a common login component, and the second feature rule base represents a feature rule base of a predefined configuration corresponding to a non-common login component.
In particular, the first feature rule base represents a feature rule base corresponding to common login components, which may be Joomla, EYOUCMS, DedeCMS, DouPHP, and other common login components, without being limited to the examples set forth herein. For example, when the login component is Joomla, the login process of Joomla is completed jointly by components com _ user, plug-in/authentication/joint.php, plug-in/user/joint.php, and the like, when a user logs in, the user component starts to initiate a login authentication process after accepting a login request of the user, and the login request information may be a piece of program code, wherein the key points are $ options and $ createntials, the former records some client behaviors such as remembering me (remembeme), and returning the address, the latter is similar to an identity request token, and the token includes a user name and a password input by the user. It should be noted that, here, only the Joomla login component is taken as an example, and there are many common login components corresponding to different login feature rules.
The second feature rule base represents a feature rule base of a predefined configuration corresponding to a very common login component. For example, for some enterprises or companies, users do not log in by using a common login component when logging in, but an internal business login system or a private login component developed or purchased by the company, the login components are only used in the enterprise or the company or within a small range, and do not exist in the first feature rule base, at this time, the user can add the information of the unusual login components and the login feature rules of predefined configuration corresponding to the information into the second feature rule base by himself, and the user can update the information by himself or automatically update the information online, namely, the information of the internal business login system and the private login component and the login feature rules corresponding to the information are customized.
For example, when the company W manages the company system, the company W uses an internal business log-in system K developed by the company itself, and may also use a purchased private log-in component L, and sometimes uses some common log-in components. Thus, for company W, the internal business login system K and the private login component L and the corresponding login feature rules can be added to the second feature rule base. Therefore, when the employee logs in, the weak password detection device can firstly identify the login request information to determine the login component information, and then accurately extract the user name and the password according to the login characteristic rule corresponding to the current login component. In subsequent use, the second feature rule base may be automatically or manually updated if a new component is developed or purchased, or a new version of the logged component is updated.
Therefore, if the login component information is identified before the login information is extracted, the positions of the login information such as a user name and a password can be accurately known according to the login characteristic rule corresponding to the login component information, the login information can be accurately extracted, the corresponding password in a database can be found out according to the user name input by the user and matched with the user password, the login is successful if the matching is consistent, and the login is failed if the matching is inconsistent. Different login components have different login characteristic rules, when login request information is received, the login request information is subjected to characteristic extraction to determine the information of the component to be logged according to a preset identification rule, and the login characteristic rule corresponding to the login component information is further determined, so that the login information is accurately extracted from the login request information based on the login characteristic rules specific to the different login component information.
In the embodiment of the present application, the first feature rule base may be preset inside the weak password detection apparatus (or detection device). In some embodiments, for the first feature rule base, the method may further comprise: and updating the first characteristic rule base on line.
That is, due to the continuous development of the industry technology, more different types of components are developed; and the login components already contained in the first feature rule base are continuously updated to new versions. Thus, in embodiments of the present application, the first feature rule base also supports online updates.
In an embodiment of the present application, the online update to the first feature rule base includes an update to a login component information type and an update to a login feature rule type corresponding to the login component information. The update may be real-time, periodic or aperiodic, and this embodiment is not particularly limited thereto. For example, the first feature rule base originally contains information about M different types of login components, a company develops a new login component and is widely used, and when the new login component is detected during online update, the new login component information and the corresponding login feature rules are added into the first feature rule base for update. For another example, the login component information a originally existing in the first feature rule base is released with a new version a2.0 after a period of time, new login feature rules that did not exist in the previous step a are added to the new version a2.0, and when a new login feature rule in the previous step a2.0 is detected during online update, the new login feature rule is added to the first feature rule base for update. Of course, the updating of the first feature rule base is not limited to the examples listed here, and those skilled in the art may also take other means to update the first feature rule base.
S204: and extracting login information from the login request information based on the login characteristic rule.
It should be noted that different login component information corresponds to different login feature rules. Therefore, according to the login characteristic rule corresponding to the determined component information to be logged in, the login information can be accurately extracted from the login request information according to the login characteristic rule. Here, the login information may include at least: user name, password, source IP address, destination IP address, login time, etc. Generally, the login information generally refers to a user name and a password, but is not particularly limited.
S205: and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information.
In the embodiment of the present application, after the login information is extracted from the login request information, the login status may be determined based on the extracted login information, and the login status may be success or failure, or may even be other login statuses due to a network or the like. In the embodiment of the application, only when the login state is detected to be successful login, weak password detection is performed on the login information to determine whether a weak password exists in the login information. Specifically, the weak password detection of the login information is mainly to perform weak password detection on the password in the login information.
Further, in some embodiments, in case that the login status is detected as successful login, the method may further include:
writing the login information into an audit log table;
accordingly, the weak password detection on the login information may include:
starting an off-line detection process;
and acquiring the login information from the audit log table, and carrying out weak password detection on the login information by using a preset detection strategy.
It should be noted that, in the embodiment of the present application, after it is detected that the login state is successful, the login information is written into an audit log table, where the audit log table is used to store the login information that is successful in login. The login information stored in the audit log table at least comprises: the user name, the password, the login state, the source IP address, the destination IP address and other login information can be included, and the user name and the password are mainly used for weak password detection.
It should be further noted that, in this embodiment of the application, after the login information is written in the audit log table, the offline detection process may be started at regular time, for example, once every hour or every day, or may be started at irregular time, for example, when a preset number or a preset number range of login information is newly added in the audit log table, or may be started manually, for example, when an administrator considers necessary, the offline detection process is started manually. After the off-line detection process is started, weak password detection is performed on the login information by using a preset detection strategy, wherein weak password detection is mainly performed on the password in the login information.
Further, in some embodiments, the offline detection process primarily involves preprocessing and weak password detection.
It should be noted that, in the embodiment of the present application, the offline detection process first performs preprocessing on the acquired data, that is, performs data screening on the login information read from the audit log table, and acquires useful data for weak password detection, where the useful data mainly refers to a user name and a password. And then, carrying out weak password detection on the login information in an off-line detection process, wherein the weak password detection is to analyze and detect the collected data, and the weak password detection is mainly carried out on the password.
Further, in some embodiments, the preset detection policy includes a built-in weak password detection policy and a predefined weak password detection policy; wherein the content of the first and second substances,
the built-in weak password detection policy at least comprises one of the following items: a built-in password length detection strategy, a built-in character type detection strategy and a common component weak password dictionary matching detection strategy;
the predefined weak password detection policy includes at least one of: the method comprises the steps of presetting a password length detection strategy, presetting a character type detection strategy and presetting a weak password dictionary matching detection strategy.
It should be noted that, in the embodiment of the present application, for the built-in weak password detection policy, at least one of the following items is included: a built-in password length detection strategy, a built-in character type detection strategy and a common component weak password dictionary matching detection strategy.
Further, in some embodiments, the method may further comprise: and updating the built-in weak password detection strategy.
It should be noted that, in the embodiment of the present application, the built-in weak password detection policy may be preset inside the weak password detection apparatus (or detection device) and updated periodically or aperiodically, and the updating may include updating one or more policies of a built-in password length detection policy, a built-in character type detection policy, and a common component weak password dictionary matching detection policy, and a built-in weak password detection policy other than these policies.
It should be noted that when the password is too short, for example, when the password includes only four characters, the possibility of being cracked is relatively high. By the built-in password length detection strategy, weak passwords caused by the fact that the password length does not accord with the strategy can be detected. For example, a length threshold or a length interval may be set, and when the password length is smaller than the threshold or not in the interval, the password strength is weak. Examples are as follows: when the built-in password length detection strategy specifies that the password length should be more than or equal to 6 characters, a password A24b is detected, and the password only contains four characters, namely the password length is too short, so that the possibility of cracking is high, and the password can be determined to be a weak password according to the built-in password length detection strategy. It should be noted that, with the development of the industry technology, the password cracking means will be more advanced, and it is possible that it is relatively safe to originally set the character length to 6 characters, but in some cases, the character length to 6 characters may no longer be safe, so the built-in password length detection policy will be updated based on the actual situation, and the updating may be real-time, regular or irregular.
It should be noted that the possibility that a password with a single character type is cracked is relatively high. The password which is easy to crack and is caused by single character type can be detected through the built-in character type detection strategy. For example, the character type of the password may be limited, such as the password includes at least S characters (S is an integer greater than 1), or the password includes at least some of capital letters, lowercase letters, numbers, symbols, and the like. If the character type of the password does not meet the requirement, the password is weak in strength and easy to crack, and the password is possibly a weak password. For example, when the built-in character type detection policy is that the specified character type is not less than 3 and includes at least uppercase letters and lowercase letters, a password FGH17895, which includes only uppercase letters and numeric characters and does not include lowercase letters, is detected, and the built-in character type detection policy is not met, and it may be determined that the password is a weak password according to the built-in character type detection policy. It should be noted that, with the development of the industry technology, the password cracking means will be more advanced, and it is possible that the original character type is 3 characters, which are relatively safe, but in some cases, the character type is 3 characters, which may no longer be safe, so the built-in character type detection strategy will be updated according to the actual situation, and the updating may be real-time, regular or irregular.
It should be noted that some users often choose simple or regularly following passwords, such as "123456", "ABCDEF", "8888888", etc., or passwords like "ZXCVBN" which, though seemingly irregular, are actually arranged in the order of english keyboard, and these passwords are easy to guess or break. Some hackers try to log in the account for many times by using the weak password dictionary until trying out a correct password (namely 'brute force cracking'), the password which is easy to crack violently can be detected by a built-in common component weak password dictionary matching detection strategy, the password to be detected is matched with the preset common component weak password dictionary, and if matching is successful, the password is a weak password. The common component weak password dictionary can be composed of weak passwords acquired from the internet and other channels, passwords found in explosion detection and other common weak passwords, and the common component weak password dictionary can be updated in real time or at regular time or irregular time, for example, when an account is detected to log in and fails to log in, a user may miss a password at the moment, but a hacker or malicious software may crack the account violently, if the account is detected to be cracked violently, the detected password is used for cracking the account at the moment, if a user adopts the password as a login password, the password is easy to crack, at the moment, if the password does not exist in the common component weak password dictionary, the password is added into the common component weak password dictionary, and for example, if a new weak password appears on the internet, the weak password in the common component weak password dictionary is also added into the common component weak password dictionary, of course, there are various ways to update the common component weak password dictionary, which are not limited to the examples listed in the embodiments of the present application, and as long as the weak password detection apparatus detects a weak password that is not present in the common component weak password dictionary, a new weak password is added to update the common component weak password dictionary.
In addition, the weak password detection device can also be internally provided with a password complexity detection strategy, for example, the password complexity detection strategy specifies that continuous letters or numbers or passwords same as user names are weak passwords.
It should be noted that, in the embodiment of the present application, weak password detection may be performed on a password simultaneously through several built-in weak password detection strategies, or weak password detection may be performed on a password only through one or several built-in weak password detection strategies, which is not specifically limited in this embodiment of the present application.
It should be noted that, in the embodiment of the present application, for the predefined weak password detection policy, at least one of the following items is included: the method comprises the steps of presetting a password length detection strategy, presetting a character type detection strategy and presetting a weak password dictionary matching detection strategy.
The preset password length detection strategy is similar to the preset character type detection strategy and the built-in password length detection strategy and the built-in character type detection strategy in the built-in weak password detection strategy, and the preset password length detection strategy and the built-in weak password detection strategy are mainly specifically set by the user according to the actual requirements of the user, and are not described herein again.
The preset weak password dictionary matching detection strategy is user-defined, and the preset weak password dictionary can comprise a weak password input by a user or a weak password dictionary generated according to a rule specified by the user; for example: a company's telephone number is a string of 8-digit and non-consecutive digits, and it may not be easy for someone other than the company to set the telephone number as a password, but it is easy for employees of the company to break if the telephone number is set as a password directly or if their name + the telephone number is set as a password. Therefore, the preset weak password dictionary is generally used for adding a password which is easy to crack by a user according to the actual situation of the user, for example, the user can directly add information such as name pinyin or initials, telephone numbers, public telephone numbers, company name pinyin or initials of employees and the like as the weak password into the preset weak password dictionary, or can combine the information with a program to generate the weak password to be added into the weak password dictionary. Similarly, the preset weak password dictionary also supports real-time or regular or irregular updating, and a user can directly and manually add a new weak password or generate a new weak password to the preset weak password dictionary by combining the situation of the user. For example, when a new employee enters the office, the information of the new employee is entered by an internal system of the company (the system includes the weak password detection device according to the embodiment of the present application), and when the information of the new employee, such as name, birthday, telephone number, etc., is detected, a weak password which is easy to crack can be generated according to the information and added to the preset weak password dictionary; of course, the user may add a new weak password to the preset weak password dictionary by way of manual addition, which is not limited in this embodiment.
In addition, the user can also customize a preset password complexity detection strategy, for example, the password complexity detection strategy specifies continuous letters or numbers as weak passwords.
It should be noted that, in the embodiment of the present application, the weak password detection may be performed on the password through several predefined weak password detection policies at the same time, or may be performed on the password only through one or several predefined weak password detection policies, which is not specifically limited in this embodiment of the present application.
It should be noted that, in the embodiment of the present application, the weak password detection may be performed on the password simultaneously by using a built-in weak password detection policy and a predefined weak password detection policy, or only one of the weak password detection policies may be selected to perform the weak password detection on the password, which is not specifically limited in the embodiment of the present application. For example, some users do not set a preset predefined weak password detection policy, and only need to perform weak password detection according to the built-in weak password detection policy.
Further, in some embodiments, the login information includes a user name and a password, and after the obtaining the login information from the audit log table, the method may further include:
and carrying out privileged account identification on the login information, and determining whether the user name is a privileged account.
It should be noted that, in the embodiment of the present application, when performing weak password detection, the login information may include at least a user name and a password.
It should be further noted that the privileged account is often an account with a higher operation authority, and the privileged account may be a system account with a high-level authority, such as system maintenance, authority increase, data modification deletion export and the like, which are given to people such as related business operation, system management, system operation and maintenance and the like in the enterprise operation process.
Further, in some embodiments, a method for identifying a privileged account may include: the user name in the login information is identified.
The privileged account usually has a special user name, such as root, admin, DBA, etc., and if such a user name is detected, it is very likely that the account is a privileged account. Of course, the privileged account may also be a user-defined privileged account username. Here, the privileged account may be various, and is not limited to the several categories listed in the embodiment. In addition, the privileged account may also be identified by other methods, which is not specifically limited in this embodiment of the application.
S206: after weak password detection is carried out on the login information, if the fact that a weak password exists in the login information is determined, the login information is stored in a preset safety log table in a safety log format.
It should be noted that, in the embodiment of the present application, when it is determined that a weak password exists in login information, the login information is stored in a preset security log table in a security log format. Here, the contents stored in the preset security log table include at least: a password with a weak password is detected, and a user name corresponding to the password. Therefore, the login information with the weak password is stored in the preset safety log table, so that the login information is convenient for an administrator to check, and the account with the weak password is dulled in time.
In some embodiments, after weak password detection of the login information, the method may further comprise:
if the fact that the weak password exists in the login information is determined, early warning information is sent; the early warning information is used for prompting a user that the login information has a weak password risk.
It should be noted that, in the embodiment of the present application, if it is detected that a weak password exists in the login information, at this time, early warning information may be sent to prompt an administrator or a user that the login information has a risk of the weak password, so that the administrator or the user may change a password in time or take other security measures.
Further, in some embodiments, when it is determined that the user name is a privileged account, the method may further include:
and if the password is detected to be a weak password, marking the user name and the password in a preset safety log table.
It should be noted that, in the embodiment of the present application, as described above, a privileged account is an important account, and if there is a risk of a weak password, a large hazard may be brought. Therefore, when a certain account is detected to be a privileged account and the corresponding password is a weak password, the privileged account is marked and displayed in a way of being distinguished from other accounts when the privileged account is stored in a preset security log table. Here, the marking may be performed by adding a label, may also be performed by highlighting a color, and may even be performed by marking in different fonts or in different font sizes, which is not specifically limited in this embodiment of the application.
Therefore, the method and the device can quickly find the weak password risk of the important account in massive data, and accordingly protective measures can be made in a targeted mode. Specifically, a page can be set in a preset security log table for displaying the privileged account with the weak password, or a label, a text highlight and the like are added to the privileged account with the weak password; the privileged account may also be bracketed and marked after the user name of the privileged account with the weak password, and correspondingly, the ordinary account may also be bracketed and marked after the user name of the ordinary account with the weak password, which is not specifically limited in this embodiment.
Because the privileged account is important, in some embodiments, when the user name is determined to be the privileged account, a reminding message can be directly sent to the administrator, and the reminding message is used for informing the administrator that the privileged account has a weak password risk, so that the administrator can immediately complete the account, and the account safety is better ensured.
The embodiment of the application provides a weak password detection method, and the specific implementation process of the embodiment is elaborated in detail through the embodiment. The login request information is identified by the preset rules, so that the information of the component to be logged in is determined, the login information can be accurately extracted from the login request information on the basis of the login characteristic rules corresponding to the information of the component to be logged in, only when the login is successful, the login information is logged into an audit log table, weak password detection is carried out on the login information by the aid of the preset detection strategy, and meanwhile, offline detection also supports identification of privileged accounts. Therefore, the weak passwords of different login components are accurately detected, and the detection rate of the weak passwords is improved.
In another embodiment of the present application, refer to fig. 3, which shows a schematic structural diagram of a weak password detection system provided in an embodiment of the present application. As shown in FIG. 3, the weak password detection system may include four processes, respectively: an agent process 301, a log processing process 302, a database process 303, and an offline detection process 304.
In the embodiment of the present application, login information audit is performed in the proxy process 301, and login feature rule matching is performed on HTTP data by using a Snort rule. Firstly, matching the login characteristic rule in the request direction, extracting a user name and a password after matching the login characteristic rule, and caching the user name and the password on a current link. And then matching in the response direction to obtain the login state and judge whether the login is successful. At this time, the request direction and the response direction of one link can be associated, and the information of the login user name, the password, whether the login is successful and the like can be audited.
The log processing process 302 is mainly configured to receive an audit log, where the audit log includes information such as a user name, a password, a source IP address, and a destination IP address. Weak password detection is mainly used to user names and passwords. The off-line detection process is pulled up regularly to complete the weak password detection.
The database process 303 is mainly used for storing an audit log table in which an audit log of login information is recorded and a security log table in which a security log of a weak password detection result is recorded.
The offline inspection process 304 mainly includes preprocessing and inspection. Preprocessing, namely, screening data of the audit log, and collecting useful data so as to detect the weak password. And the detection is to analyze and detect the collected data.
Here, the preset detection strategy may include two major categories: a built-in weak password detection policy and a predefined weak password detection policy. The built-in weak password detection strategy comprises the following steps: a built-in password length detection strategy, a built-in character type detection strategy, a common component weak password dictionary matching detection strategy and the like; the predefined weak password detection strategy comprises a preset password length detection strategy, a preset character type detection strategy, a preset weak password dictionary matching detection strategy and the like.
In addition, in the embodiment of the application, the offline detection can also support the identification of privileged accounts such as root and admin.
The log processing process 302 is further configured to receive the security log, perform offline detection on login information in the audit log table, and after detecting a weak password, adapt a detection result to a security log format and record the detection result in the security log table in the database process 303.
The workflow of each process of the weak password detection system provided by the embodiment of the present application is described in detail below with reference to fig. 3.
As shown in fig. 3, the proxy process 301 may correspond to steps S3011 to S3018, and specifically as follows:
s3011: and acquiring a request direction message.
It should be noted that, the weak password detection method provided in the embodiment of the present application may be implemented based on an http (hypertext transfer protocol), which is a simple request-response protocol and generally operates on TCP, during the process of logging in by the user. It specifies what messages the client may send to the server and what responses to get. In the embodiment of the application, the login request is initiated in the requesting direction.
S3012: it is determined whether the rule is hit.
Here, with respect to step S302, if the determination result is yes, step S303 is performed; if the judgment result is no, the login process is ended, and step S301 is executed again.
It should be noted that, in the embodiment of the present application, after the request direction packet is obtained, feature matching needs to be performed on the request direction packet information. Here, by using the Snort engine, after login feature matching is performed on the request direction message, the corresponding login feature rule can be determined, that is, the login component of the login request is determined, wherein the login component comprises built-in common login components, such as Joomla, EYOUCMS, DedeCMS, DouPHP and the like; user-customized login components may also be included, such as: internal business login systems, private login components, and the like. Wherein, the common login component is an existing and commonly used login component; the custom login component may be a user-defined login component or a private login component that is used only within certain enterprises.
Additionally, common login components support online updates. For example, when a new login component appears or a new login feature rule appears in the login component, that is, the online update includes updates of the login component and the login feature rule, the updates may be periodic or aperiodic, which is not limited in this embodiment. The user-defined login component is mainly an internal or private login component of the user, and is mainly updated actively by the user, and the updating may be regular or irregular, which is not specifically limited in this embodiment.
S3013: a user name and password are extracted.
It should be noted that, in this embodiment of the application, in step S302, after performing rule matching on the request direction packet, the login feature rule is determined, and according to different login feature rules, the user name and the password can be accurately extracted from the request direction packet.
It should be noted that, extracting the login information, such as the user name and the password, directly from the request direction message may result in that the login information cannot be extracted or that the wrong login information is extracted. In the embodiment of the application, because different login components have different login characteristic rules, the rule matching can be performed on the request direction message, the login component information is determined only after the rule is hit, and then the login information such as the user name and the password is extracted based on the login characteristic rule corresponding to the login component information, so that the accuracy of user name and password extraction is improved.
Note that there is a case: if the Snort rule does not match the user name and password, then an attempt is made to resolve the login parameters in a Basic authentication manner, and the result of matching the Basic authentication is used as the login state. Basic authentication is an HTTP authentication mode, and a client performs Basic 64 encoding on a user name and a password and then transmits the user name and the password to a server for authentication through an Authorization header. That is, if the Basic authentication method is adopted, when the user name and the password are extracted based on Snort rule, the user name and the password may not be matched, because the Basic authentication is to perform Base64 encoding on the user name and the password, at this time, decoding is required to be performed first, and login authentication is performed based on the Basic authentication method.
S3014: the username and password are cached.
It should be noted that, in the embodiment of the present application, after the user name and the password are extracted, the user name and the password may be cached on the current link. It will be appreciated that during the login process, there may be many users logged in at the same time, and then the latter data will overwrite the former data. In this embodiment, the login information needs to be audited, so the user name and the password are cached on the current link first, so that the login information can be audited after the login state is confirmed subsequently.
S3015: and acquiring a response direction message.
S3016: the login status is detected.
It should be noted that, in the embodiment of the present application, after the login user name and the password are extracted from the request direction, feature matching needs to be performed in the response direction to obtain the login state, and if the response direction is also successfully matched, it is indicated that there is a login requirement, the login state may be detected to determine whether the login is successful.
S3017: and judging whether the login is successful.
S3018: and generating an audit log.
It should be noted that, in the embodiment of the present application, if a correct user name and password are extracted in the request direction, this time indicating that login is successful, that is, the determination result is yes, step S3018 is executed; otherwise, it indicates that the login is failed, i.e. the determination result is no, then the process returns to step S3011.
It should be further noted that, when the login is successful, the login information is audited, and an audit log is generated, where the audit log includes the login information that the login is successful. The login information may include: username, password, and login status information. When the login fails, the login process is ended, and step S3011 is executed again.
It should be noted that Snort feature matching may have misjudgment, and the solution here is that one audit needs to associate request direction feature and response direction feature. Only after the request direction is matched with the login user name and the password, the login state is matched/detected in the response direction, and the audit is performed on the condition that the two directions are matched. That is, there is a case where the user name and the password are detected to be correct, but the login is not required or the response direction is not matched, and only when the user name and the password are extracted from the request direction and the login status is determined to be successful login by the response direction, the detection result is logged in the audit log table. Therefore, only when the request direction and the response direction are successfully matched and the login state is determined to be successful in login, the login information is audited, the detection rate is improved, and the pressure of the website is reduced.
As shown in fig. 3, the log processing procedure 302 may correspond to steps S3021 to S3022, specifically as follows:
s3021: a log is received.
S3022: and writing into the database.
Note that in this step, the log processing process 302 is mainly used for writing the audit log. That is, when the agent process 301 audits the login information that the login is successful, an audit log is generated, and the log processing process 302 receives the audit log and writes the audit log into the database.
As shown in fig. 3, after receiving the audit log, the log processing process 302 stores the audit log in an audit log table in the database process 303. Here, database process 303 stores an audit log table and a security log table. The audit log table is used for recording login information of successful login, and the safety log table is used for recording login information with weak passwords.
It should be noted that, in the embodiment of the present application, the data detected by the offline detection process comes from an audit log table audited by the agent process. When the weak password is detected, the off-line detection process firstly reads the audit log table and obtains the login information recorded in the audit log table.
As shown in fig. 3, after the offline inspection process 304 reads the audit log table from the database process 303, the offline inspection process 304 mainly includes the following steps:
s3041: and pulling up the timing task.
S3042: weak password detection is performed.
S3043: the detection function is distributed according to the protocol.
It should be noted that, in the embodiment of the present application, the offline detection process is pulled up periodically to complete the weak password detection. For example: the measurement is performed once per hour or once per day, which is not particularly limited in this embodiment. The offline inspection may mainly include preprocessing and inspection. Preprocessing, namely, screening the login information recorded in the audit log table to acquire useful data so as to detect the weak password. And the detection is to analyze and detect the collected data. Where useful data primarily refers to usernames and passwords, while detection is typically referred to as weak password detection and primarily for passwords.
It should be further noted that, in the embodiment of the present application, the detection policy for detecting the password may include two types: a built-in weak password detection policy and a predefined weak password detection policy. The built-in weak password detection policy may be system preset, and the predefined weak password detection policy may be set by a user.
Wherein the built-in detection policy may include: a built-in password length detection strategy, a built-in character type detection strategy, a common component weak password dictionary matching detection strategy and the like. The implementation process is similar to that of the previous embodiment, and is not described herein again.
The predefined weak password detection policy may include: a preset password length detection strategy, a preset character type detection strategy, a preset weak password dictionary matching detection strategy and the like. The implementation process is similar to that of the previous embodiment, and is not described herein again.
In this way, the password information which is successfully logged in is subjected to weak password detection based on a preset detection strategy. It should be noted that different protocols may need to adopt different detection functions during detection, so that the detection functions need to be distributed according to the protocols, and in the embodiment of the present application, the detection functions may be divided into other protocols and HTTP protocols; if the HTTP protocol is adopted, HTTP detection is carried out; if other protocols are used, other protocol checks are performed, such as SMD protocol checks, RDP protocol checks, etc.
In addition, offline detection may also support the identification of privileged accounts, such as root accounts and admin accounts. Because the privileged account is different from the ordinary account and usually has higher authority, if the privileged account has a weak password and is cracked, more troubles and losses are usually brought. In the off-line detection link, when weak password detection is performed, privileged account identification is also performed, and the identification method can be as follows: and identifying the user name, the login name root, admin and the like of the privileged account, and the privileged account specified by the user. In this way, if a user name that may be a privileged account is identified by offline detection and a password corresponding to the user name is a weak password, the privileged account having the weak password is marked or individually displayed in a security log, or is otherwise distinguished from a common account, which is not specifically limited in this embodiment.
S3044: a security log is generated.
In the embodiment of the present application, when a weak password is detected, a security log is generated based on the detection result. The security log may include, among other things, the detected weak password and the corresponding username. In addition, when the weak password is detected, the weak password risk can be reminded by alarming, for example, sending alarm information to an administrator.
As shown in fig. 3, the log processing process 302 receives the security log and stores the security log in a security log table in the database process 303.
That is to say, the database process module 303 at least includes an audit log table and a security log table, where the audit log recorded in the audit log table mainly includes login information of successful login, and the audit log is used to provide data to be detected for the offline detection process. The safety log recorded in the safety log table mainly comprises login information with a weak password, so that when a manager looks up the safety log, the manager can find the hidden danger of the weak password in time and perform corresponding processing.
The embodiment of the application adopts the common login component with the login interface, such as: joomla, EYOUCMS, DedevMS, DouPHP and the like extract login characteristic rules, a Snort engine is used for carrying out rule matching on HTTP requests and responses, login information is audited, weak passwords are detected, and accurate detection of the weak password login of different login components is achieved. Meanwhile, support in the expansibility: the first feature rule base corresponding to the common login component supports dynamic updating, and the second feature rule base corresponding to the common login component (such as an internal business login system, a private login component and the like) supports customization.
Through the above embodiments, specific implementations of the foregoing embodiments are explained in detail, and it can be seen that: according to the scheme, detection is implemented on the firewall, a large number of Web systems exist in the firewall environment, various login components exist, and the login system in user services can be well protected. The first characteristic rule base which is arranged in the scheme and represents the characteristic rule base corresponding to the common login component supports online updating. Different login features may exist for different login components, and the components of the Web system are updated frequently. The online updating can reduce the maintenance cost and quickly improve the detection capability. The scheme supports the user to configure the login characteristic rule in a user-defined mode for the unusual login components, effectively covers the user private business system scene, and protects the safety of the user intranet Web system. The scheme also supports the identification of privileged accounts, can help users quickly find the weak password risk of important accounts in massive security logs, and makes protective measures in a targeted manner.
Referring to fig. 4, a schematic structural diagram of a weak password detection apparatus 40 according to another embodiment of the present application is shown. As shown in fig. 4, the weak password detection apparatus 40 may include: a receiving unit 401, a determining unit 402, an extracting unit 403, and a detecting unit 404; wherein the content of the first and second substances,
a receiving unit 401 configured to receive login request information;
a determining unit 402 configured to determine a login feature rule corresponding to the login request information;
an extracting unit 403 configured to extract login information from the login request information based on the login feature rule;
a detecting unit 404 configured to perform weak password detection on the login information to determine whether a weak password exists in the login information when the login state is detected as successful login.
In some embodiments, the determining unit 402 is further configured to identify the login request information by using a preset identification rule, and determine the information of the component to be logged; determining the login characteristic rule corresponding to the information of the component to be logged in from a preset rule base based on the information of the component to be logged in; the preset rule base comprises various login component information and login characteristic rules corresponding to the various login component information.
In some embodiments, the determining unit 402 is further configured to perform feature matching on the information of the component to be logged and the preset rule base; and determining the login feature rule from the preset rule base according to the matching result.
In some embodiments, the preset identification rule comprises a Snort rule.
In some embodiments, the preset rule base further comprises a first feature rule base and a second feature rule base; the first feature rule base represents a feature rule base corresponding to a common login component, and the second feature rule base represents a feature rule base of a predefined configuration corresponding to a non-common login component.
In some embodiments, referring to fig. 5, the weak password detection apparatus 40 may further include an updating unit 405 configured to perform online updating on the first feature rule base.
In some embodiments, referring to fig. 5, the weak password detection apparatus 40 may further include a storage unit 406 configured to store the login information in a security log format to a preset security log table if it is determined that the weak password exists in the login information.
In some embodiments, the storage unit 406 is further configured to, in a case that the login status is detected to be successful login, write the login information into the audit log table;
the detecting unit 404 is further configured to start an offline detection process; and acquiring the login information from the audit log table, and carrying out weak password detection on the login information by using a preset detection strategy.
In some embodiments, the login information includes a user name and a password, and the detecting unit 404 is further configured to perform privileged account identification on the login information, and determine whether the user name is a privileged account.
In some embodiments, the detecting unit 404 is further configured to, when it is determined that the user name is a privileged account, mark the user name and the password in a preset security log table if it is detected that the password is a weak password.
In some embodiments, the built-in weak password detection policy includes at least one of: a built-in password length detection strategy, a built-in character type detection strategy and a common component weak password dictionary matching detection strategy; the predefined weak password detection policy includes at least one of: the method comprises the steps of presetting a password length detection strategy, presetting a character type detection strategy and presetting a weak password dictionary matching detection strategy.
In some embodiments, referring to fig. 5, the weak password detection apparatus 40 may further include an early warning unit 407 configured to send early warning information if it is determined that a weak password exists in the login information; the early warning information is used for prompting a user that the login information has a weak password risk.
It is understood that in this embodiment, a "unit" may be a part of a circuit, a part of a processor, a part of a program or software, etc., and may also be a module, or may also be non-modular. Moreover, each component in the embodiment may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware or a form of a software functional module.
Based on the understanding that the technical solution of the present embodiment essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the method of the present embodiment. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Accordingly, the present embodiments provide a computer storage medium storing a weak password detection program that, when executed by at least one processor, implements the steps of the method of any of the preceding embodiments.
Based on the above-mentioned composition of the weak password detection apparatus 40 and the computer storage medium, refer to fig. 6, which shows a specific hardware structure diagram of a weak password detection apparatus 40 provided in an embodiment of the present application. As shown in fig. 6, may include: a communication interface 501, a memory 502, and a processor 503; the various components are coupled together by a bus system 504. It is understood that the bus system 504 is used to enable communications among the components. The bus system 504 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 504 in fig. 6. The communication interface 501 is used for receiving and sending signals in the process of receiving and sending information with other external network elements;
a memory 502 for storing a computer program capable of running on the processor 503;
a processor 503 for executing, when running the computer program, the following:
receiving login request information;
determining a login characteristic rule corresponding to the login request information;
extracting login information from the login request information based on the login characteristic rule;
and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information.
It will be appreciated that the memory 502 in the embodiments of the subject application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of example, but not limitation, many forms of RAM are available, such as Static random access memory (Static RAM, SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic random access memory (Synchronous DRAM, SDRAM), Double Data Rate Synchronous Dynamic random access memory (ddr Data Rate SDRAM, ddr SDRAM), Enhanced Synchronous SDRAM (ESDRAM), Synchronous chained SDRAM (Synchronous link DRAM, SLDRAM), and Direct memory bus RAM (DRRAM). The memory 502 of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
And the processor 503 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 503. The Processor 503 may be a general-purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 502, and the processor 503 reads the information in the memory 502 and completes the steps of the above method in combination with the hardware thereof.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the Processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
Optionally, as another embodiment, the processor 503 is further configured to perform the steps of the method of any one of the preceding embodiments when running the computer program.
Based on the composition of the weak password detection apparatus 40 and the hardware structure diagram, refer to fig. 7, which shows a composition structure diagram of a detection device 60 provided in an embodiment of the present application. As shown in fig. 7, the detection device 60 comprises at least the weak password detection apparatus 40 of any of the previous embodiments.
For the detection device 60, after the login request information is received, the login feature rules corresponding to the login request information are determined, so that the feature rules corresponding to different login components can be accurately identified, the login information to be detected can be accurately extracted, and therefore, when weak passwords are detected on the login information, the weak passwords under various login components can be accurately identified, the detection rate of the weak passwords is improved, and meanwhile, the misjudgment rate of the weak passwords is reduced.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.
It should be noted that, in the present application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (15)
1. A weak password detection method, the method comprising:
receiving login request information;
determining a login characteristic rule corresponding to the login request information;
extracting login information from the login request information based on the login characteristic rule;
and if the login state is detected to be successful login, weak password detection is carried out on the login information to determine whether a weak password exists in the login information.
2. The method according to claim 1, wherein the determining the login feature rule corresponding to the login request information comprises:
identifying the login request information by using a preset identification rule, and determining the information of the component to be logged in;
determining the login characteristic rule corresponding to the information of the component to be logged in from a preset rule base based on the information of the component to be logged in; the preset rule base comprises various login component information and login characteristic rules corresponding to the various login component information.
3. The method according to claim 2, wherein the determining the login feature rule corresponding to the component information to be logged from a preset rule base based on the component information to be logged comprises:
performing feature matching on the information of the component to be logged and the preset rule base;
and determining the login feature rule from the preset rule base according to the matching result.
4. The method of claim 2, wherein the preset identification rules comprise Snort rules.
5. The method of claim 2, wherein the preset rule base comprises a first feature rule base and a second feature rule base; the first feature rule base represents a feature rule base corresponding to a common login component, and the second feature rule base represents a feature rule base of a predefined configuration corresponding to a non-common login component.
6. The method of claim 5, further comprising:
and updating the first characteristic rule base on line.
7. The method of claim 1, wherein after the weak password detection of the login information, the method further comprises:
and if the weak password exists in the login information, storing the login information into a preset safety log table in a safety log format.
8. The method of claim 1, wherein in the event that the login status is detected as successful login, the method further comprises:
writing the login information into an audit log table;
correspondingly, the weak password detection on the login information includes:
starting an off-line detection process;
and acquiring the login information from the audit log table, and carrying out weak password detection on the login information by using a preset detection strategy.
9. The method of claim 8, wherein the login information comprises a user name and a password, and wherein after the obtaining the login information from the audit log table, the method further comprises:
and carrying out privileged account identification on the login information, and determining whether the user name is a privileged account.
10. The method of claim 9, wherein when it is determined that the user name is a privileged account, the method further comprises:
and if the password is detected to be a weak password, marking the user name and the password in a preset safety log table.
11. The method of claim 8, wherein the preset detection policy comprises a built-in weak password detection policy and a predefined weak password detection policy; wherein the content of the first and second substances,
the built-in weak password detection policy at least comprises one of the following items: a built-in password length detection strategy, a built-in character type detection strategy and a common component weak password dictionary matching detection strategy;
the predefined weak password detection policy includes at least one of: the method comprises the steps of presetting a password length detection strategy, presetting a character type detection strategy and presetting a weak password dictionary matching detection strategy.
12. A weak password detection apparatus, characterized in that the weak password detection apparatus comprises: the device comprises a receiving unit, a determining unit, an extracting unit and a detecting unit; wherein
The receiving unit is configured to receive login request information;
the determining unit is configured to determine a login feature rule corresponding to the login request information;
the extraction unit is configured to extract login information from the login request information based on the login feature rule;
the detection unit is configured to perform weak password detection on the login information to determine whether a weak password exists in the login information when the login state is detected to be successful login.
13. A weak password detection apparatus, characterized in that the weak password detection apparatus comprises: a memory and a processor; wherein the content of the first and second substances,
the memory for storing a computer program operable on the processor;
the processor, when running the computer program, is configured to perform the weak password detection method of any of claims 1 to 11.
14. A computer storage medium storing a weak password detection program that when executed by at least one processor implements a weak password detection method as claimed in any one of claims 1 to 11.
15. A detection device, characterized in that it comprises at least a weak password detection apparatus as claimed in claim 12 or 13.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110013122.4A CN112613029A (en) | 2021-01-06 | 2021-01-06 | Weak password detection method and device, computer storage medium and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110013122.4A CN112613029A (en) | 2021-01-06 | 2021-01-06 | Weak password detection method and device, computer storage medium and equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112613029A true CN112613029A (en) | 2021-04-06 |
Family
ID=75254004
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110013122.4A Pending CN112613029A (en) | 2021-01-06 | 2021-01-06 | Weak password detection method and device, computer storage medium and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112613029A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113852637A (en) * | 2021-09-28 | 2021-12-28 | 全球能源互联网研究院有限公司 | Weak password detection method and device and electronic equipment |
| CN114006773A (en) * | 2021-12-31 | 2022-02-01 | 北京微步在线科技有限公司 | Weak password judgment method, device, equipment and storage medium |
| CN114553561A (en) * | 2022-02-25 | 2022-05-27 | 北京华云安信息技术有限公司 | Weak password efficient detection method and device, electronic equipment and storage medium |
| CN116611046A (en) * | 2023-06-05 | 2023-08-18 | 武汉思普崚技术有限公司 | Method, device and system for processing weak password based on SOAR |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103701805A (en) * | 2013-12-26 | 2014-04-02 | 山石网科通信技术有限公司 | Method and device for detecting weak password in network |
| CN107196899A (en) * | 2017-03-21 | 2017-09-22 | 北京神州泰岳软件股份有限公司 | Equipment weak passwurd management method and device |
| CN107679397A (en) * | 2017-10-23 | 2018-02-09 | 郑州云海信息技术有限公司 | The weak passwurd detecting system and method for a kind of Linux system |
| CN109361518A (en) * | 2018-10-16 | 2019-02-19 | 杭州安恒信息技术股份有限公司 | A kind of weak passwurd detection method, device and computer readable storage medium |
| CN109471865A (en) * | 2018-11-06 | 2019-03-15 | 用友网络科技股份有限公司 | A kind of off-line data management method, system, server and storage medium |
| CN109583199A (en) * | 2018-12-18 | 2019-04-05 | 郑州云海信息技术有限公司 | A kind of access auditing method, system, equipment and the medium of storage management system |
| CN110365637A (en) * | 2019-05-27 | 2019-10-22 | 平安银行股份有限公司 | Internetbank login detecting method, device, electronic equipment and storage medium |
| CN111385272A (en) * | 2018-12-29 | 2020-07-07 | 北京奇虎科技有限公司 | Weak password detection method and device |
| CN111447204A (en) * | 2020-03-24 | 2020-07-24 | 深信服科技股份有限公司 | Weak password detection method, device, equipment and medium |
| CN112163215A (en) * | 2020-10-14 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Weak password detection method and device and computer equipment |
-
2021
- 2021-01-06 CN CN202110013122.4A patent/CN112613029A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103701805A (en) * | 2013-12-26 | 2014-04-02 | 山石网科通信技术有限公司 | Method and device for detecting weak password in network |
| CN107196899A (en) * | 2017-03-21 | 2017-09-22 | 北京神州泰岳软件股份有限公司 | Equipment weak passwurd management method and device |
| CN107679397A (en) * | 2017-10-23 | 2018-02-09 | 郑州云海信息技术有限公司 | The weak passwurd detecting system and method for a kind of Linux system |
| CN109361518A (en) * | 2018-10-16 | 2019-02-19 | 杭州安恒信息技术股份有限公司 | A kind of weak passwurd detection method, device and computer readable storage medium |
| CN109471865A (en) * | 2018-11-06 | 2019-03-15 | 用友网络科技股份有限公司 | A kind of off-line data management method, system, server and storage medium |
| CN109583199A (en) * | 2018-12-18 | 2019-04-05 | 郑州云海信息技术有限公司 | A kind of access auditing method, system, equipment and the medium of storage management system |
| CN111385272A (en) * | 2018-12-29 | 2020-07-07 | 北京奇虎科技有限公司 | Weak password detection method and device |
| CN110365637A (en) * | 2019-05-27 | 2019-10-22 | 平安银行股份有限公司 | Internetbank login detecting method, device, electronic equipment and storage medium |
| CN111447204A (en) * | 2020-03-24 | 2020-07-24 | 深信服科技股份有限公司 | Weak password detection method, device, equipment and medium |
| CN112163215A (en) * | 2020-10-14 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Weak password detection method and device and computer equipment |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113852637A (en) * | 2021-09-28 | 2021-12-28 | 全球能源互联网研究院有限公司 | Weak password detection method and device and electronic equipment |
| CN114006773A (en) * | 2021-12-31 | 2022-02-01 | 北京微步在线科技有限公司 | Weak password judgment method, device, equipment and storage medium |
| CN114553561A (en) * | 2022-02-25 | 2022-05-27 | 北京华云安信息技术有限公司 | Weak password efficient detection method and device, electronic equipment and storage medium |
| CN114553561B (en) * | 2022-02-25 | 2023-12-15 | 北京华云安信息技术有限公司 | Weak password efficient detection method and device, electronic equipment and storage medium |
| CN116611046A (en) * | 2023-06-05 | 2023-08-18 | 武汉思普崚技术有限公司 | Method, device and system for processing weak password based on SOAR |
| CN116611046B (en) * | 2023-06-05 | 2024-04-09 | 武汉思普崚技术有限公司 | Method, device and system for processing weak password based on SOAR |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20210058354A1 (en) | Determining Authenticity of Reported User Action in Cybersecurity Risk Assessment | |
| US11552993B2 (en) | Automated collection of branded training data for security awareness training | |
| CN112613029A (en) | Weak password detection method and device, computer storage medium and equipment | |
| CN112567710B (en) | System and method for contaminating phishing campaign responses | |
| US9912687B1 (en) | Advanced processing of electronic messages with attachments in a cybersecurity system | |
| US10721271B2 (en) | System and method for detecting phishing web pages | |
| EP2411913B1 (en) | Method and system for identifying suspected phishing websites | |
| CN109067813B (en) | Network vulnerability detection method and device, storage medium and computer equipment | |
| US20070101423A1 (en) | Fraudulent message detection | |
| US20080028444A1 (en) | Secure web site authentication using web site characteristics, secure user credentials and private browser | |
| US20110055922A1 (en) | Method for Detecting and Blocking Phishing Attacks | |
| Kang et al. | Advanced white list approach for preventing access to phishing sites | |
| US11765171B2 (en) | Monitoring security configurations of cloud-based services | |
| Osuagwu et al. | Mitigating social engineering for improved cybersecurity | |
| CN110865774B (en) | Information security detection method and device for printing equipment | |
| CN116319089B (en) | Dynamic weak password detection method, device, computer equipment and medium | |
| JP2007156690A (en) | Method for taking countermeasure to fishing fraud, terminal, server and program | |
| EP2137939B1 (en) | Network security method | |
| Saračević et al. | Some specific examples of attacks on information systems and smart cities applications | |
| Rousmaniere et al. | Internet security for clinical supervisors | |
| US11757816B1 (en) | Systems and methods for detecting scam emails | |
| CN114268475A (en) | Malicious script intercepting method, system, server and computer readable storage medium | |
| WO2017206251A1 (en) | Method and device for freezing application | |
| CN115603924A (en) | Detection method and device for phishing mails, electronic equipment and storage medium | |
| El-Din et al. | The human factor in mobile phishing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |