Re: Rejecting weak passwords
| От | Mark Mielke |
|---|---|
| Тема | Re: Rejecting weak passwords |
| Дата | |
| Msg-id | 4AC258E4.1020606@mark.mielke.cc обсуждение исходный текст |
| Ответ на | Re: Rejecting weak passwords (Josh Berkus <josh@agliodbs.com>) |
| Список | pgsql-hackers |
On 09/29/2009 12:54 PM, Josh Berkus wrote: >> I read Josh's original suggestion to eventually evolve to "if a >> particular user account from a particular IP address uses the wrong >> password more than N times in T minutes, than the IP address is locked >> out for U minutes." This is the *only* way of significantly reducing the >> ability of a client to guess the password using "brute force". >> > As pointed out by others, that was a false assertion. Most > sophisticated attackers sniff the MD5 password over the network or by > other means, and then brute force match it without trying to connect to > the DB. > I don't know about most. Sniffing requires an inside track. I cannot sniff your network traffic from my notebook in Ottawa. Somebody so inclined would have to first break into your network to see the password you are sending. Then, if they can sniff your traffic, they can do all sorts of other things. It's a bit of a wash in the grand scheme of things. In practice, for the last decade, I have seen peaks of tens of thousands of attempts a day to brute force into my machine from the Internet from locations all over the world. It is not limited to telnet or SSH either - they come in on IMAP ports, VNC ports, SMB ports, or anything else that is widely used and exposed. Brute forcing through remote login is a well used method of cracking. Still, their ability to guess is limited by network capacity and network latency. So, it is on the order of thousands, not millions, and basic password precautions such as "don't use a word" are still quite effective. I don't think knowing the MD5 is an attack on its own. It might be a component in an escalation vector whereby the first get access to one resource, and then sniff the MD5 or see it in the backend database storage, to break into another resource. In any case - if they get the MD5, PostgreSQL is already compromised, and the next attack is more likely to affect something else - not PostgreSQL itself. Within our company, the crypt() passwords are available to all employees via NIS. Technically, this is a problem - but in practice, how much effort is this worth resolving? If they can get onto our network to get access to the crypt() password, they probably already have access to other intellectual property. Mostly - I'm saying that PostgreSQL using MD5 is a minor issue - switching to SHA-1 is not going to eliminate the problem, it will just make things a tiny bit harder for a would be attacker. To actually close the window, as opposed to push it closed a little tighter, would take a lot more effort. Cheers, mark -- Mark Mielke<mark@mielke.cc>
В списке pgsql-hackers по дате отправления: