Re: PostgreSQL Password Cracker

Oliver Elphick wrote:
> On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > Devrim GUNDUZ <devrim(at)tr(dot)net> writes:
> > > > Some guys from Turkey claim that they have a code to crack PostgreSQL
> > > > passwords, defined in pg_hba.conf .
> > >
> > > > http://www.core.gen.tr/pgcrack/
> > >
> > > This is not a cracker, this is just a brute-force "try all possible
> > > passwords" search program (and a pretty simplistic one at that).
> > > I'd say all this proves is the importance of choosing a good password.
> > > Using only lowercase letters is a *bad* idea, especially if you're only
> > > going to use five of 'em...
> >
> > Yea, that was my reaction too. Hard to see how we can guard against
> > this.
>
> Keep a table of usernames used in connection attempts that failed
> because of a bad password. After 2 such failures, add 1 second sleep
> for each successive failure before responding to the next attempt for
> the same username. Max it at say 60 seconds. That should make brute
> force cracking unfeasible unless someone gets very lucky or the password
> is particularly weak.

The problem is that our MD5 algorithm is open source, so they are doing
the checks in C looking for a match, not by sending the string to the
server.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073