Re: brute force attacking the password

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Dawid Kuroczko <qnex42(at)gmail(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: brute force attacking the password
Date: 2005-04-18 21:39:11
Message-ID: 26103.1113860351@sss.pgh.pa.us
Lists: pgsql-admin
Dawid Kuroczko <qnex42(at)gmail(dot)com> writes:
> Anyway, a simple 'sleep 2 seconds before telling that password
> was wrong' would be a good addition anyhow.

Seems pretty useless, unless we change things to also delay 2 seconds
before telling the password was good, which I doubt anyone will like ;-)
Otherwise, the attacker can simply abandon each connection after say
50 msec, or whatever the expected success time is.  He need not wait
until the postmaster drops the connection before launching another
attempt.

(No, I wouldn't like to stop that by putting a throttle on allowed
connection rates, either ...)

			regards, tom lane
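
A virtual-time model of the two delay policies compared in the message above, added here as an illustration and not part of the original post or of PostgreSQL. It uses the 50 msec and 2 second figures from the thread; the function names, policy labels and the 1000-guess run are assumptions made for the example.

```python
# Virtual-time model: no sockets, no sleeping. Figures are the ones quoted
# in the thread (50 ms expected success time, 2 s penalty). Names are hypothetical.
SUCCESS_MS = 50
DELAY_MS = 2000

def response_ms(password_ok, policy):
    """Milliseconds after an attempt starts at which the server answers."""
    if policy == "fail_only":   # sleep only before reporting a wrong password
        return SUCCESS_MS if password_ok else SUCCESS_MS + DELAY_MS
    if policy == "both":        # sleep before reporting either outcome
        return SUCCESS_MS + DELAY_MS
    raise ValueError(policy)

def decision_deadline_ms(policy):
    """Earliest point at which a client knows the outcome of an attempt."""
    # If success and failure answer at different times, silence past the
    # earlier one already reveals the result. If both answer at the same
    # time, the client has to wait for the reply itself.
    return min(response_ms(True, policy), response_ms(False, policy))

def run_sequential_guesses(policy, n_guesses, correct_index):
    """Client drops each connection at the deadline; returns (elapsed_ms, found)."""
    deadline = decision_deadline_ms(policy)
    clock = 0
    for i in range(n_guesses):
        ok = (i == correct_index)
        answered_at = response_ms(ok, policy)
        if answered_at <= deadline:
            clock += answered_at        # reply seen before giving up
            if ok:
                return clock, i
        else:
            clock += deadline           # abandoned while the server still sleeps
    return clock, None

def summarize(policy, n_guesses=1000):
    """Cost per guess for the guessing client vs. latency for a valid login."""
    elapsed, found = run_sequential_guesses(policy, n_guesses, n_guesses - 1)
    return {
        "policy": policy,
        "ms_per_guess": elapsed / n_guesses,
        "legit_login_ms": response_ms(True, policy),
        "correct_guess_identified": found == n_guesses - 1,
    }

if __name__ == "__main__":
    for policy in ("fail_only", "both"):
        print(summarize(policy))
```

Under `fail_only` the per-guess cost stays at the success time, so the sleep buys nothing; under `both` each guess costs the full delay, and so does every valid login.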
