From: | Wim Bertels <wim(dot)bertels(at)khleuven(dot)be> |
---|---|
To: | Bruno Wolff III <bruno(at)wolff(dot)to> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: brute force attacking the password |
Date: | 2005-04-19 20:54:32 |
Message-ID: | 200504192254.41977.wim.bertels@khleuven.be |
Lists: | pgsql-admin |
On Tuesday 19 April 2005 22:37, Bruno Wolff III sent smoke signals:
> On Tue, Apr 19, 2005 at 17:00:15 +0200,
>
> Wim Bertels <wim(dot)bertels(at)khleuven(dot)be> wrote:
> > >Can't people use PAM to get this effect if they want it?
> >
> > what if u use pam with ldap, then u can use pg brute force cracking to
> > obtain the ldap password, which is probably a bigger problem
>
> You don't have to use it with LDAP. It does provide some password controls,
> that should slow things down a little. However, you are going to have a
> tough time preventing password guessing without making denial of service
> attacks easy.
anyway, it makes sense to use ldap if one has several services over different
machines...
>
> > >For most people password guessing isn't going to be a big problem as
> > >the database won't be accessible from totally untrusted places and
> > > watching the log files for guessing will probably be a good enough
> > > solution.
> >
> > what if u do want the database to be globally accessible..
>
> Then you have a much more difficult situation. One option is to bind
> user names to specific allowed IP addresses.
not an option, due to user requirements
not an easy problem: it always seems to end up in DoS vs Brute Force Cracking.
So the only good and simple solution i can think of: use the best possible
password encryption (or sufficient, a statistically zero chance when trying as
many connections -to brute force crack the password- as possible for a
significant amount of time.)
--
Wim Bertels
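The log-watching approach Bruno mentions, as an added example that is not part of the thread: a small Python detector that flags (client host, user) pairs with a burst of failed password authentications in a PostgreSQL server log. It assumes log_line_prefix is set so the client host appears on each line (here '%t [%p] %h '), and the log lines are constructed samples; the threshold and window are placeholders to tune against your own traffic, keeping in mind the thread's point that any automatic reaction to these counts can be turned into a denial of service against legitimate users.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assuming log_line_prefix = '%t [%p] %h '
# (timestamp, backend pid, client host). Hosts and users are made up.
SAMPLE_LOG = """\
2005-04-19 22:10:01 CEST [1201] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:02 CEST [1202] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:02 CEST [1203] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:03 CEST [1204] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:04 CEST [1205] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:05 CEST [1206] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2005-04-19 22:10:20 CEST [1207] 192.168.1.9 FATAL:  password authentication failed for user "bob"
2005-04-19 22:10:25 CEST [1208] 192.168.1.9 LOG:  connection authorized: user=bob database=app
2005-04-19 22:15:30 CEST [1209] 10.0.0.5 FATAL:  password authentication failed for user "alice"
"""

# Matches only the failed-password message; other log lines are ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)


def parse_failures(log_text):
    """Yield (timestamp, host, user) for every failed password authentication."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host"), m.group("user")


def find_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(host, user): max_failures_in_window} for pairs reaching the threshold."""
    events = defaultdict(list)
    for ts, host, user in parse_failures(log_text):
        events[(host, user)].append(ts)
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


if __name__ == "__main__":
    for (host, user), n in find_guessing(SAMPLE_LOG).items():
        print(f"possible password guessing: host={host} user={user} failures={n}")
```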