From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Dawid Kuroczko <qnex42(at)gmail(dot)com> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: brute force attacking the password |
Date: | 2005-04-18 21:39:11 |
Message-ID: | 26103.1113860351@sss.pgh.pa.us |
Lists: | pgsql-admin |

Dawid Kuroczko <qnex42(at)gmail(dot)com> writes:
> Anyway, a simple 'sleep 2 seconds before telling that password
> was wrong' would be a good addition anyhow.

Seems pretty useless, unless we change things to also delay 2 seconds
before telling the password was good, which I doubt anyone will like ;-)

Otherwise, the attacker can simply abandon each connection after say
50 msec, or whatever the expected success time is. He need not wait
until the postmaster drops the connection before launching another
attempt.

(No, I wouldn't like to stop that by putting a throttle on allowed
connection rates, either ...)

regards, tom lane