Oliver Elphick wrote:
> On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > Devrim GUNDUZ <[EMAIL PROTECTED]> writes:
> > > > Some guys from Turkey claim that they have a code to crack PostgreSQL
> > > > passwords, defined in pg_hba.conf .
> > > 
> > > > http://www.core.gen.tr/pgcrack/
> > > 
> > > This is not a cracker, this is just a brute-force "try all possible
> > > passwords" search program (and a pretty simplistic one at that).
> > > I'd say all this proves is the importance of choosing a good password.
> > > Using only lowercase letters is a *bad* idea, especially if you're only
> > > going to use five of 'em...
> > 
> > Yea, that was my reaction too. Hard to see how we can guard against
> > this.
> 
> Keep a table of usernames used in connection attempts that failed
> because of a bad password.  After 2 such failures, add 1 second sleep
> for each successive failure before responding to the next attempt for
> the same username.  Max it at say 60 seconds.  That should make brute
> force cracking unfeasible unless someone gets very lucky or the password
> is particularly weak.

The problem is that our MD5 algorithm is open source, so they are doing
the checks in C looking for a match, not by sending the string to the
server.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Reply via email to