On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote: > Tom Lane wrote: > > Devrim GUNDUZ <[EMAIL PROTECTED]> writes: > > > Some guys from Turkey claim that they have a code to crack PostgreSQL > > > passwords, defined in pg_hba.conf . > > > > > http://www.core.gen.tr/pgcrack/ > > > > This is not a cracker, this is just a brute-force "try all possible > > passwords" search program (and a pretty simplistic one at that). > > I'd say all this proves is the importance of choosing a good password. > > Using only lowercase letters is a *bad* idea, especially if you're only > > going to use five of 'em... > > Yea, that was my reaction too. Hard to see how we can guard against > this.
Keep a table of usernames used in connection attempts that failed because of a bad password. After 2 such failures, add 1 second sleep for each successive failure before responding to the next attempt for the same username. Max it at say 60 seconds. That should make brute force cracking unfeasible unless someone gets very lucky or the password is particularly weak. Zero the entry for a username as soon as there is a good connection. Is it worth doing? -- Oliver Elphick [EMAIL PROTECTED] Isle of Wight, UK http://www.lfix.co.uk/oliver GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C ======================================== "Ye have heard that it hath been said, Thou shalt love thy neighbour, and hate thine enemy. But I say unto you, Love your enemies, bless them that curse you, do good to them that hate you, and pray for them which despitefully use you, and persecute you;" Matthew 5:43,44 ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly