Skip site navigation (1) Skip section navigation (2)

Re: brute force attacking the password

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: "C(dot) Bensend" <benny(at)bennyvision(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: brute force attacking the password
Date: 2005-04-19 11:23:04
Message-ID: 20050419112304.GB10314@wolff.to (view raw or flat)
Thread:
Lists: pgsql-admin
On Mon, Apr 18, 2005 at 16:55:45 -0400,
  Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> wrote:
> 
> I would like to pick something that matches what a typical Unix system
> does because I think the _fancy_ solutions actually cause weird problems
> like denial-of-service attacks by just trying to log in.
> 
> How do typical open source Unix's handle it?  It think they slow down
> prompting for a password --- but as I remember we only allow one
> password attempt per connection so that is already covered.

Can't people use PAM to get this effect if they want it?

For most people password guessing isn't going to be a big problem as
the database won't be accessible from totally untrusted places and watching
the log files for guessing will probably be a good enough solution.

In response to

pgsql-admin by date

Next:From: Wim BertelsDate: 2005-04-19 13:12:58
Subject: Re: brute force attacking the password
Previous:From: Nikhil PantDate: 2005-04-19 10:00:09
Subject: Installing PostGres

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group