Re: Rejecting weak passwords
Josh Berkus <josh@agliodbs.com>
From: Josh Berkus <josh@agliodbs.com>
To: marcin mank <marcin.mank@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Marko Kreen <markokr@gmail.com>, Albe Laurenz <laurenz.albe@wien.gv.at>, Andrew Dunstan <andrew@dunslane.net>, mlortiz@uci.cu, Magnus Hagander <magnus@hagander.net>, pgsql-hackers@postgresql.org
Date: 2009-09-28T22:52:56Z
Lists: pgsql-hackers
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9] > of up to 8 chars in length. That would be a reason to limit the number of failed connection attempts from a single source, then, rather than a reason to change the hash function. Hmmm, that would be a useful, easy (I think) security feature: add a GUC for failed_logins_allowed. -- Josh Berkus PostgreSQL Experts Inc. www.pgexperts.com