Re: Rejecting weak passwords
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Josh Berkus <josh@agliodbs.com>, marcin mank <marcin.mank@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Marko Kreen <markokr@gmail.com>, Albe Laurenz <laurenz.albe@wien.gv.at>, mlortiz@uci.cu, Magnus Hagander <magnus@hagander.net>, pgsql-hackers@postgresql.org
Date: 2009-09-28T23:10:13Z
Lists: pgsql-hackers
Jeff Davis wrote: > On Mon, 2009-09-28 at 15:52 -0700, Josh Berkus wrote: > >>> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9] >>> of up to 8 chars in length. >>> >> That would be a reason to limit the number of failed connection attempts >> from a single source, then, rather than a reason to change the hash >> function. >> > > That doesn't solve the problem of an administrator brute-forcing your password. > > > > Indeed. These brute force checkers aren't checking them by actually trying the connection. cheers andrew