On Tue, 5 Dec 2006, Tom Lane wrote:
> Gavin Sherry <swm@linuxworld.com.au> writes:
> > .... Instead, what we do is add up the different
> > character types (lower, upper, digits, etc) and for each character type
> > missing, we reduce the hypothetical password length: the theory being that
> > the longer the password, the harder to guess.
>
> Where did you get this design for a password strength checker?
> It doesn't sound like it has much to do with the algorithms commonly
> used for such things.
I'm not sure what's commonly done but I read it on some slides about PAM.
I looked at what PAM does just now. It does do something close to what I
did -- but with more configuration capabilities -- and checks for
palindromes and similarity when changing a password.
>
> > Now, in the presence of encrypted passwords being sent across the wire, we
> > can't do anything. So, we export the password strength tester to libpq.
>
> As already noted, that seems approximately useless.
I figured it might be useful for applications like pgadmin which wanted to
send the password encrypted on the wire but wanted to test of its
strength.
> > The second mechanism is the delay on authentication failure. The problem
> > here is that a distributed application could attempt to brute force guess
> > a password for a role. This could be fairly effective on a high speed LAN.
> > So, the usual approach is to delay sending the failure message to the
> > client for some period of time (specified in the patch by
> > auth_failure_delay) to slow the progress of the password guesser.
>
> This is a waste of effort, unless you propose to put the delay into both
> the success and failure paths, which hardly seems acceptable. Otherwise
> a guesser need only abandon the connection attempt after X microseconds
> and try another password.
>
That doesn't seem to be what PAM does, at leasts in the default config.
What they do do is to sleep for a random period between no sleep and the
threshold, so that the attacker cannot guess the appropriate time to wait
before hanging up.
Thanks,
Gavin