From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at> |
Cc: | pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Lock Postgres account after X number of failed logins? |
Date: | 2020-05-06 15:28:56 |
Message-ID: | CABUevExaMfO=gC-BpG0pvnQcwANCRHx6mHCHj86TcJU3jVqn0A@mail.gmail.com |
Lists: | pgsql-general |
On Wed, May 6, 2020 at 5:26 PM Peter J. Holzer <hjp-pgsql(at)hjp(dot)at> wrote:
> On 2020-05-06 09:28:28 -0400, Stephen Frost wrote:
> > LDAP-based authentication in PG involves passing the user's password to
> > the database server in the clear (or tunneled through SSL, but that
> > doesn't help if the DB is compromised), so it's really not a good
> > solution.
>
> Still a lot better than PostgreSQL's md5 scheme, which stores
> password-equivalent hashes: If the database is compromised the attacker
> has all hashes immediately and can use them to login. Intercepting
> encrypted traffic even at the endpoint is much harder and can only
> uncover passwords actually used.
>
If the database is compromised the attacker already has the data, though,
so there is not as much need to log in anymore.
But more to the point -- one should not use md5 in PostgreSQL these days,
one should be using scram-sha-256 which does not have this problem (and has
been around for a few years by now), if using local database logins.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
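An added illustration of the difference Magnus points to, not code from the thread or from PostgreSQL itself: the md5 verifier stored in pg_authid is an unsalted function of password and username, whereas the SCRAM-SHA-256 verifier stores only SHA-256(ClientKey), and the server-side proof check below only succeeds for a client that derived ClientKey from the password. Passwords, salts and the AuthMessage are constructed values.

```python
import base64
import hashlib
import hmac

def pg_md5_verifier(password: str, username: str) -> str:
    # pg_authid.rolpassword under password_encryption = md5:
    # "md5" + md5(password || username), no per-user random salt.
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def _scram_keys(password: str, salt: bytes, iterations: int):
    # RFC 7677 derivation (PostgreSQL also SASLpreps the password; ASCII is unchanged).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, server_key

def pg_scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    # pg_authid.rolpassword under scram-sha-256:
    # SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
    # ClientKey itself is never written to disk, only its SHA-256 (StoredKey).
    client_key, server_key = _scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def _parse_verifier(verifier: str):
    _, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    stored_key, _server_key = keys.split(":")
    return int(iterations), base64.b64decode(salt), base64.b64decode(stored_key)

def client_proof(password: str, verifier: str, auth_message: bytes) -> bytes:
    # Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    # In the real exchange salt and iterations arrive in the server-first message;
    # here they are read from the verifier string for brevity.
    iterations, salt, _ = _parse_verifier(verifier)
    client_key, _ = _scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))

def server_verifies(verifier: str, auth_message: bytes, proof: bytes) -> bool:
    # Server side: recover ClientKey = proof XOR ClientSignature and check that
    # SHA-256(ClientKey) == StoredKey. The stored verifier alone does not yield
    # ClientKey, so it cannot be replayed the way an md5 verifier can.
    _, _, stored_key = _parse_verifier(verifier)
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```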