Re: PostgreSQL Password Cracker

On Tue, 2002-12-31 at 17:49, Bruce Momjian wrote:
> Tom Lane wrote:
> > Devrim GUNDUZ <devrim@tr.net> writes:
> > > Some guys from Turkey claim that they have a code to crack PostgreSQL
> > > passwords, defined in pg_hba.conf .
> > 
> > > http://www.core.gen.tr/pgcrack/
> > 
> > This is not a cracker, this is just a brute-force "try all possible
> > passwords" search program (and a pretty simplistic one at that).
> > I'd say all this proves is the importance of choosing a good password.
> > Using only lowercase letters is a *bad* idea, especially if you're only
> > going to use five of 'em...
> 
> Yea, that was my reaction too. Hard to see how we can guard against
> this.

Keep a table of usernames used in connection attempts that failed
because of a bad password.  After 2 such failures, add 1 second sleep
for each successive failure before responding to the next attempt for
the same username.  Max it at say 60 seconds.  That should make brute
force cracking unfeasible unless someone gets very lucky or the password
is particularly weak.

Zero the entry for a username as soon as there is a good connection.

Is it worth doing?

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
========================================   "Ye have heard that it hath been said, Thou shalt love      thy neighbour,
andhate thine enemy. But I say unto      you, Love your enemies, bless them that curse you, do      good to them that
hateyou, and pray for them which      despitefully use you, and persecute you;"
    Matthew 5:43,44