Dawid Kuroczko <qnex42@gmail.com> writes:
> Anyway, a simple 'sleep 2 seconds before telling that password
> was wrong' would be a good addition anyhow.
Seems pretty useless, unless we change things to also delay 2 seconds
before telling the password was good, which I doubt anyone will like ;-)
Otherwise, the attacker can simply abandon each connection after say
50 msec, or whatever the expected success time is. He need not wait
until the postmaster drops the connection before launching another
attempt.
(No, I wouldn't like to stop that by putting a throttle on allowed
connection rates, either ...)
regards, tom lane