Skip site navigation (1) Skip section navigation (2)

Re: brute force attacking the password

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Wim Bertels <wim(dot)bertels(at)khleuven(dot)be>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: brute force attacking the password
Date: 2005-04-19 20:37:27
Message-ID: 20050419203727.GA18200@wolff.to (view raw or flat)
Thread:
Lists: pgsql-admin
On Tue, Apr 19, 2005 at 17:00:15 +0200,
  Wim Bertels <wim(dot)bertels(at)khleuven(dot)be> wrote:
> >Can't people use PAM to get this effect if they want it?
> 
> what if u use pam with ldap, then u can use pg brute force cracking to 
> obtain the ldap password, which is probably a bigger problem

You don't have to use it with LDAP. It does provide some password controls,
that should slow things down a little. However, you are going to have a
tough time preventing password guessing without making denial of service
attacks easy.

> 
> >For most people password guessing isn't going to be a big problem as
> >the database won't be accessible from totally untrusted places and watching
> >the log files for guessing will probably be a good enough solution.
> 
> what if u do want the database to be globally accessible..

Then you have a much more difficult situation. One option is to bind
user names to specific allowed IP addresses.

In response to

Responses

pgsql-admin by date

Next:From: Alvaro HerreraDate: 2005-04-19 20:46:14
Subject: Re:
Previous:From: Zuoxin.WangDate: 2005-04-19 20:27:09
Subject:

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group