Re: Rejecting weak passwords
| From | Josh Berkus |
|---|---|
| Subject | Re: Rejecting weak passwords |
| Date | |
| Msg-id | 4AC23BC0.1070708@agliodbs.com |
| In response to | Re: Rejecting weak passwords (Mark Mielke <mark@mark.mielke.cc>) |
| Responses | Re: Rejecting weak passwords |
| List | pgsql-hackers |

Mark,

> I read Josh's original suggestion to eventually evolve to "if a
> particular user account from a particular IP address uses the wrong
> password more than N times in T minutes, then the IP address is locked
> out for U minutes." This is the *only* way of significantly reducing the
> ability of a client to guess the password using "brute force".

As pointed out by others, that was a false assertion. Most sophisticated attackers sniff the MD5 password over the network or by other means, and then brute force match it without trying to connect to the DB.

--
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com