Re: Rejecting weak passwords

From: Josh Berkus
Subject: Re: Rejecting weak passwords
Date:
Msg-id: 4AC23BC0.1070708@agliodbs.com
In reply to: Re: Rejecting weak passwords (Mark Mielke <mark@mark.mielke.cc>)
Responses: Re: Rejecting weak passwords (Mark Mielke <mark@mark.mielke.cc>)
List: pgsql-hackers
Mark,

> I read Josh's original suggestion to eventually evolve to "if a
> particular user account from a particular IP address uses the wrong
> password more than N times in T minutes, then the IP address is locked
> out for U minutes." This is the *only* way of significantly reducing the
> ability of a client to guess the password using "brute force".

As pointed out by others, that was a false assertion.  Most
sophisticated attackers sniff the MD5 password over the network or by
other means, and then brute force match it without trying to connect to
the DB.

-- 
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com

