From: Jeff Davis on
On Mon, 2009-09-28 at 15:52 -0700, Josh Berkus wrote:
> > It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> > of up to 8 chars in length.
>
> That would be a reason to limit the number of failed connection attempts
> from a single source, then, rather than a reason to change the hash
> function.

That doesn't solve the problem of an administrator brute-forcing your password.

Regards,
Jeff Davis


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Andrew Dunstan on


Jeff Davis wrote:
> On Mon, 2009-09-28 at 15:52 -0700, Josh Berkus wrote:
>
>>> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
>>> of up to 8 chars in length.
>>>
>> That would be a reason to limit the number of failed connection attempts
>> from a single source, then, rather than a reason to change the hash
>> function.
>>
>
> That doesn't solve the problem of an administrator brute-forcing your password.
>
>
>
>

Indeed. These brute force checkers aren't checking them by actually
trying the connection.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Josh Berkus <josh(a)agliodbs.com> writes:
> Hmmm, that would be a useful, easy (I think) security feature: add a GUC
> for failed_logins_allowed.

And the counts would be tracked and enforced where?

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
marcin mank <marcin.mank(a)gmail.com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.

> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm

> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.

Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there. It won't necessarily get you into the assumed
third-party systems.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "Albe Laurenz" on
Tom Lane wrote:
> > pgAdmin MD5's the passwords if you use the GUI to change them, or when
> > add a user. It doesn't make any attempt to parse the SQL if you enter
> > it yourself in the query tool though (nor is it going to).
>
> No, I wouldn't expect it to go that far. My point is just that
> pre-MD5'd passwords are a lot commoner than Albe seems to think.

Point taken.

I thought about it some more, and I think that a password checking
hook might still be somewhat useful even for MD5-encrypted passwords;
the function could guess and exclude at least that dreadful
all-too-frequent case of username = password.

Yours,
Laurenz Albe

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers