Re: Rejecting weak passwords

On 09/29/2009 12:54 PM, Josh Berkus wrote:
>> I read Josh's original suggestion to eventually evolve to "if a
>> particular user account from a particular IP address uses the wrong
>> password more than N times in T minutes, than the IP address is locked
>> out for U minutes." This is the *only* way of significantly reducing the
>> ability of a client to guess the password using "brute force".
>>
> As pointed out by others, that was a false assertion. Most
> sophisticated attackers sniff the MD5 password over the network or by
> other means, and then brute force match it without trying to connect to
> the DB.
>

I don't know about most. Sniffing requires an inside track. I cannot
sniff your network traffic from my notebook in Ottawa. Somebody so
inclined would have to first break into your network to see the password
you are sending. Then, if they can sniff your traffic, they can do all
sorts of other things. It's a bit of a wash in the grand scheme of things.

In practice, for the last decade, I have seen peaks of tens of thousands
of attempts a day to brute force into my machine from the Internet from
locations all over the world. It is not limited to telnet or SSH either
- they come in on IMAP ports, VNC ports, SMB ports, or anything else
that is widely used and exposed. Brute forcing through remote login is a
well used method of cracking. Still, their ability to guess is limited
by network capacity and network latency. So, it is on the order of
thousands, not millions, and basic password precautions such as "don't
use a word" are still quite effective.

I don't think knowing the MD5 is an attack on its own. It might be a
component in an escalation vector whereby the first get access to one
resource, and then sniff the MD5 or see it in the backend database
storage, to break into another resource. In any case - if they get the
MD5, PostgreSQL is already compromised, and the next attack is more
likely to affect something else - not PostgreSQL itself.

Within our company, the crypt() passwords are available to all employees
via NIS. Technically, this is a problem - but in practice, how much
effort is this worth resolving? If they can get onto our network to get
access to the crypt() password, they probably already have access to
other intellectual property.

Mostly - I'm saying that PostgreSQL using MD5 is a minor issue -
switching to SHA-1 is not going to eliminate the problem, it will just
make things a tiny bit harder for a would be attacker. To actually close
the window, as opposed to push it closed a little tighter, would take a
lot more effort.

Cheers,
mark

--
Mark Mielke<mark(at)mielke(dot)cc>