Re: MD5 authentication needs help
From | Greg Stark |
---|---|
Subject | Re: MD5 authentication needs help |
Date | |
Msg-id | CAM-w4HPWhZmbFvX8xPNvLPckkhGWt0gHQjZGJ0J0ySCM_ok3Jw@mail.gmail.com |
In response to | Re: MD5 authentication needs help (Jim Nasby <Jim.Nasby@BlueTreble.com>) |
Responses | Re: MD5 authentication needs help |
List | pgsql-hackers |

Locked accounts are a terrible terrible idea. All they do is hand attackers an easy DOS vulnerability. They're pure security theatre if your authentication isn't vulnerable to brute force attacks and an unreliable band-aid if they are.

Having dealt with mechanisms for locking accounts in other databases, they're much more complicated than they appear. You need to deal with different requirements for different users, have multiple knobs for how it triggers and resolves, have tools for auditing the connection attempts to determine if they're legitimate and identify where the incorrect attempts are coming from, and so on. And all that accomplishes in the best case scenario is having lots of busy-work support requests responding to locked accounts and in the worst case scenario upgrading minor issues into major service outages.