From: Peter Eisentraut on
On Mon, 2009-09-28 at 15:59 -0700, Joshua D. Drake wrote:
> On Mon, 2009-09-28 at 15:52 -0700, Josh Berkus wrote:
> > > It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> > > of up to 8 chars in length.
> >
> > That would be a reason to limit the number of failed connection attempts
> > from a single source, then, rather than a reason to change the hash
> > function.
> >
> > Hmmm, that would be a useful, easy (I think) security feature: add a GUC
> > for failed_logins_allowed.
>
> Why a GUC, can't we just use ALTER ROLE (or ALTER DATABASE)?

If you make it a GUC, you get those for free. (That's what the "U"
means.)



--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Gurjeet Singh on
On Tue, Sep 29, 2009 at 4:49 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:

> Josh Berkus <josh(a)agliodbs.com> writes:
> > Hmmm, that would be a useful, easy (I think) security feature: add a GUC
> > for failed_logins_allowed.
>
> And the counts would be tracked and enforced where?
>
>
Combining this with other suggestion:

..) Provide a GUC failed_logins_allowed
..) Add MAX FAILED LOGINS option to ADD/ALTER USER, which defaults to the GUC
if not provided in the command.
..) Track per-user failed attempt counts in shared catalog, and reset on a
successful login.

Best regards,
--
Lets call it Postgres

EnterpriseDB http://www.enterprisedb.com

gurjeet[.singh]@EnterpriseDB.com

singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo }.com
Twitter: singh_gurjeet
Skype: singh_gurjeet

Mail sent from my BlackLaptop device
From: Tom Lane on
"Albe Laurenz" <laurenz.albe(a)wien.gv.at> writes:
> I thought about it some more, and I think that a password checking
> hook might still be somewhat useful even for MD5-encrypted passwords;
> the function could guess and exclude at least that dreadful
> all-too-frequent case of username = password.

True. You could probably even run through a moderate-size dictionary
of weak passwords, depending on how long you're willing to make the
user wait. (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> "Albe Laurenz" <laurenz.albe(a)wien.gv.at> writes:
>> I thought about it some more, and I think that a password checking
>> hook might still be somewhat useful even for MD5-encrypted passwords;
>> the function could guess and exclude at least that dreadful
>> all-too-frequent case of username = password.
>
> True.  You could probably even run through a moderate-size dictionary
> of weak passwords, depending on how long you're willing to make the
> user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

But how much value is there in that? This whole thing seems like a
dead end to me. No matter how long you're willing to wait, putting
the checking on the client side will let you far more validation for
the same price.

....Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Andrew Dunstan on


Robert Haas wrote:
> On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>
>> "Albe Laurenz" <laurenz.albe(a)wien.gv.at> writes:
>>
>>> I thought about it some more, and I think that a password checking
>>> hook might still be somewhat useful even for MD5-encrypted passwords;
>>> the function could guess and exclude at least that dreadful
>>> all-too-frequent case of username = password.
>>>
>> True. You could probably even run through a moderate-size dictionary
>> of weak passwords, depending on how long you're willing to make the
>> user wait. (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))
>>
>
> But how much value is there in that? This whole thing seems like a
> dead end to me. No matter how long you're willing to wait, putting
> the checking on the client side will let you far more validation for
> the same price.
>
>
>

Why do we need to answer that question? If all we do is provide a hook,
the cost is very low, and the decision on value is left to whoever is
deploying some module to use the hook. And it will let people possibly
implement some password security policy dictated by some PHB, and so
check off a box on a form somewhere. Frankly, real security requires
that you pretty much get out of the password game, but passwords will
undoubtedly be around for a long time, since people will always trade
security for convenience.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers