Re: Rejecting weak passwords
Josh Berkus <josh@agliodbs.com>
From: Josh Berkus <josh@agliodbs.com>
To: pgsql-hackers@postgresql.org
Date: 2009-09-29T16:54:24Z
Lists: pgsql-hackers
Mark, > I read Josh's original suggestion to eventually evolve to "if a > particular user account from a particular IP address uses the wrong > password more than N times in T minutes, than the IP address is locked > out for U minutes." This is the *only* way of significantly reducing the > ability of a client to guess the password using "brute force". As pointed out by others, that was a false assertion. Most sophisticated attackers sniff the MD5 password over the network or by other means, and then brute force match it without trying to connect to the DB. -- Josh Berkus PostgreSQL Experts Inc. www.pgexperts.com