On 25-6-2018 12:26, Dimitry Sibiryakov wrote:
25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote:
This attack does not depend on plugin name knowledge.
If one is using the legacy plugin, there is no need to try >8 char passwords.
This is prevented by a timeout after 3 unsuccessful logins. You may
start completely blocking the account after that instead.
That is a security anti-pattern, as that would allow you to simply
execute a denial-of-service attack blocking a valid user by failing
authentication a few times. Back-off/timeout or IP-based rate-limiting
are better solutions.
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
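
The contrast drawn in the message above, as an added Python example that is not part of the original email or of Firebird's code: a hard account lockout next to a back-off keyed on the (user, source address) pair. The class names, thresholds, user name and addresses are assumptions made for the illustration.

```python
# Added illustration; names, thresholds and addresses are constructed,
# not Firebird settings.

class HardLockout:
    """Blocks the account for every client after max_failures bad logins."""
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}                      # user -> failure count

    def allowed(self, user, ip, now):
        return self.failures.get(user, 0) < self.max_failures

    def record_failure(self, user, ip, now):
        self.failures[user] = self.failures.get(user, 0) + 1


class PerSourceBackoff:
    """Delays only the (user, ip) pair that keeps failing; the delay doubles."""
    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}                         # (user, ip) -> (count, blocked_until)

    def allowed(self, user, ip, now):
        return now >= self.state.get((user, ip), (0, 0.0))[1]

    def record_failure(self, user, ip, now):
        count = self.state.get((user, ip), (0, 0.0))[0] + 1
        delay = 0.0
        if count >= self.free_attempts:
            delay = min(self.base_delay * 2 ** (count - self.free_attempts),
                        self.max_delay)
        self.state[(user, ip)] = (count, now + delay)

    def record_success(self, user, ip):
        self.state.pop((user, ip), None)        # a good login clears the penalty


def simulate(policy, bad_attempts=10):
    """One source fails once per second; then the real owner connects from
    another address. Returns (owner_allowed, attempts_rejected_unchecked)."""
    now, rejected = 0.0, 0
    for _ in range(bad_attempts):
        if policy.allowed("alice", "203.0.113.7", now):
            policy.record_failure("alice", "203.0.113.7", now)   # wrong password
        else:
            rejected += 1                       # refused before checking the password
        now += 1.0
    return policy.allowed("alice", "198.51.100.20", now), rejected
```

With the lockout policy the owner is refused after the three failures; with the per-source back-off the failing address is slowed down while the owner's login from a different address is still accepted.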