Re: Locking out a user after several failed login attempts

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "mark" <dvlhntr(at)gmail(dot)com>
Cc: "'Jean-Yves F(dot) Barbier'" <12ukwn(at)gmail(dot)com>, "'Mike Thomsen'" <mikerthomsen(at)gmail(dot)com>, pgsql-novice(at)postgresql(dot)org
Subject: Re: Locking out a user after several failed login attempts
Date: 2011-07-01 22:51:34
Message-ID: 7068.1309560694@sss.pgh.pa.us
Lists: pgsql-novice

"mark" <dvlhntr(at)gmail(dot)com> writes:
>> From: pgsql-novice-owner(at)postgresql(dot)org [mailto:pgsql-novice-owner(at)postgresql(dot)org] On Behalf Of Jean-Yves F. Barbier
>> So, you just have to add a counter to your login table:

> That might be OK on a small application with a limited number of users. A few thousand login attempts per min and you are probably going to wish the counter lived outside of your RDBMS.

Usually, when somebody asks for this or related security-policy hacks,
we suggest using PAM for authentication. There are already PAM modules
for practically any reasonable password policy, so why reinvent the
wheel ...

regards, tom lane
