From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Oliver Elphick <olly(at)lfix(dot)co(dot)uk> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Devrim GUNDUZ <devrim(at)tr(dot)net>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: PostgreSQL Password Cracker |
Date: | 2002-12-31 19:26:09 |
Message-ID: | 200212311926.gBVJQ9Z01829@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Oliver Elphick wrote:
> On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > Devrim GUNDUZ <devrim(at)tr(dot)net> writes:
> > > > Some guys from Turkey claim that they have a code to crack PostgreSQL
> > > > passwords, defined in pg_hba.conf .
> > >
> > > > http://www.core.gen.tr/pgcrack/
> > >
> > > This is not a cracker, this is just a brute-force "try all possible
> > > passwords" search program (and a pretty simplistic one at that).
> > > I'd say all this proves is the importance of choosing a good password.
> > > Using only lowercase letters is a *bad* idea, especially if you're only
> > > going to use five of 'em...
> >
> > Yea, that was my reaction too. Hard to see how we can guard against
> > this.
>
> Keep a table of usernames used in connection attempts that failed
> because of a bad password. After 2 such failures, add 1 second sleep
> for each successive failure before responding to the next attempt for
> the same username. Max it at say 60 seconds. That should make brute
> force cracking unfeasible unless someone gets very lucky or the password
> is particularly weak.
The problem is that our MD5 algorithm is open source, so they are doing
the checks in C looking for a match, not by sending the string to the
server.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2003-01-01 18:41:16 | Bug in pg_get_constraintdef (for deferrable constraints) |
Previous Message | Oliver Elphick | 2002-12-31 19:17:46 | Re: PostgreSQL Password Cracker |