Oliver Elphick wrote:
> On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > Devrim GUNDUZ <[EMAIL PROTECTED]> writes:
> > > > Some guys from Turkey claim that they have a code to crack PostgreSQL
> > > > passwords, defined in pg_hba.conf .
> > > > http://www.core.gen.tr/pgcrack/
> > >
> > > This is not a cracker, this is just a brute-force "try all possible
> > > passwords" search program (and a pretty simplistic one at that).
> > > I'd say all this proves is the importance of choosing a good password.
> > > Using only lowercase letters is a *bad* idea, especially if you're only
> > > going to use five of 'em...
> >
> > Yea, that was my reaction too.  Hard to see how we can guard against
> > this.
>
> Keep a table of usernames used in connection attempts that failed
> because of a bad password.  After 2 such failures, add 1 second sleep
> for each successive failure before responding to the next attempt for
> the same username.  Max it at say 60 seconds.  That should make brute
> force cracking unfeasible unless someone gets very lucky or the password
> is particularly weak.
The problem is that our MD5 algorithm is open source, so they are doing
the checks in C looking for a match, not by sending the string to the
server.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]                    |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
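Oliver's proposed per-username throttle, written out as an added example in Python (not code from this thread or from PostgreSQL itself); the exact counting rule, that the delay starts at the third attempt and grows by one second per further failure up to the cap, is my reading of the proposal. As Bruce points out, this only slows online guessing against a live server; it does nothing against offline matching of a copied hash, and the `alice`/`bob` usernames and the `check_password` callback are constructed for the demonstration.

```python
import time
from collections import defaultdict


class FailedLoginThrottle:
    """Per-username delay for failed password attempts: the first
    `free_failures` bad passwords cost nothing; every further failure adds
    one second to the delay before the next answer, capped at `max_delay`."""

    def __init__(self, free_failures=2, max_delay=60):
        self.free_failures = free_failures
        self.max_delay = max_delay
        self.failures = defaultdict(int)   # username -> consecutive failures

    def delay_for(self, username):
        """Seconds to sleep before responding to the next attempt for username."""
        extra = self.failures[username] - self.free_failures + 1
        return min(max(extra, 0), self.max_delay)

    def record_failure(self, username):
        self.failures[username] += 1

    def record_success(self, username):
        # A correct password clears the counter for that username.
        self.failures.pop(username, None)


def attempt_login(throttle, username, password, check_password, sleep=time.sleep):
    """Apply the throttle around a password check. `check_password(user, pw)`
    and `sleep` are injected so the logic can be exercised without a server."""
    delay = throttle.delay_for(username)
    if delay:
        sleep(delay)
    if check_password(username, password):
        throttle.record_success(username)
        return True
    throttle.record_failure(username)
    return False


def seconds_for_wrong_guesses(n, free_failures=2, max_delay=60):
    """Total seconds of imposed delay an online guesser accumulates over n
    consecutive wrong passwords for one username (network time excluded)."""
    throttle = FailedLoginThrottle(free_failures, max_delay)
    slept = []   # record each sleep instead of actually sleeping
    for i in range(n):
        attempt_login(throttle, "alice", "wrong%d" % i,
                      lambda u, p: False, sleep=slept.append)
    return sum(slept)
```

With the defaults, a thousand wrong guesses against one username cost the guesser over sixteen hours of enforced waiting, versus none today; the hash itself is unaffected.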