From: | Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Weak passwords and brute force attacks |
Date: | 2006-12-08 02:18:02 |
Message-ID: | Pine.LNX.4.58.0612081312320.28992@linuxworld.com.au |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, 5 Dec 2006, Tom Lane wrote:
> Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
> > .... Instead, what we do is add up the different
> > character types (lower, upper, digits, etc) and for each character type
> > missing, we reduce the hypothetical password length: the theory being that
> > the longer the password, the harder to guess.
>
> Where did you get this design for a password strength checker?
> It doesn't sound like it has much to do with the algorithms commonly
> used for such things.
I'm not sure what's commonly done but I read it on some slides about PAM.
I looked at what PAM does just now. It does do something close to what I
did -- but with more configuration capabilities -- and checks for
palindromes and similarity when changing a password.
>
> > Now, in the presence of encrypted passwords being sent across the wire, we
> > can't do anything. So, we export the password strength tester to libpq.
>
> As already noted, that seems approximately useless.
I figured it might be useful for applications like pgadmin which wanted to
send the password encrypted on the wire but wanted to test of its
strength.
> > The second mechanism is the delay on authentication failure. The problem
> > here is that a distributed application could attempt to brute force guess
> > a password for a role. This could be fairly effective on a high speed LAN.
> > So, the usual approach is to delay sending the failure message to the
> > client for some period of time (specified in the patch by
> > auth_failure_delay) to slow the progress of the password guesser.
>
> This is a waste of effort, unless you propose to put the delay into both
> the success and failure paths, which hardly seems acceptable. Otherwise
> a guesser need only abandon the connection attempt after X microseconds
> and try another password.
>
That doesn't seem to be what PAM does, at leasts in the default config.
What they do do is to sleep for a random period between no sleep and the
threshold, so that the attacker cannot guess the appropriate time to wait
before hanging up.
Thanks,
Gavin
From | Date | Subject | |
---|---|---|---|
Next Message | zhang Jackie | 2006-12-08 02:39:08 | about PostgreSQL Benchmak( pgbench ) |
Previous Message | Gavin Sherry | 2006-12-08 02:12:21 | Re: Weak passwords and brute force attacks |