> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.
That would be a reason to limit the number of failed connection attempts
from a single source, then, rather than a reason to change the hash
function.
Hmmm, that would be a useful, easy (I think) security feature: add a GUC
for failed_logins_allowed.
--
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com
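The per-source limit the post suggests, as an added example (not PostgreSQL code, and not a proposal from the author): a sliding-window counter keyed by source address that refuses connections for a lockout period once failed_logins_allowed (the GUC name from the post) is exceeded. The window and lockout lengths, the FailedLoginLimiter/guesses_evaluated names and the 198.51.100.7 address are assumptions for illustration. guesses_evaluated simulates an online brute force from one source and reports how many guesses the server actually checks, which shows what the limiter buys against the throughput figure quoted above.

```python
"""Per-source failed-login limiter: sliding window plus temporary lockout.

Added example, not PostgreSQL code. It models the "limit failed connection
attempts from a single source" idea from the post. failed_logins_allowed is
the GUC name proposed there; window_seconds, lockout_seconds and all other
names are assumptions for illustration.
"""
from collections import defaultdict, deque


class FailedLoginLimiter:
    def __init__(self, failed_logins_allowed=5, window_seconds=60.0,
                 lockout_seconds=300.0):
        self.failed_logins_allowed = failed_logins_allowed
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # source -> timestamps of failures
        self._locked_until = {}               # source -> time the lockout ends

    def is_locked(self, source, now):
        """True while `source` is inside a lockout; expired lockouts are dropped."""
        until = self._locked_until.get(source)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[source]
            return False
        return True

    def record_failure(self, source, now):
        """Record one failed authentication (callers check is_locked first).

        Returns True if this failure pushed `source` over the limit and
        started a lockout.
        """
        stamps = self._failures[source]
        stamps.append(now)
        # Drop failures that have fallen out of the sliding window.
        while stamps and now - stamps[0] > self.window_seconds:
            stamps.popleft()
        if len(stamps) >= self.failed_logins_allowed:
            self._locked_until[source] = now + self.lockout_seconds
            stamps.clear()
            return True
        return False

    def record_success(self, source):
        """A correct password resets the failure history for that source."""
        self._failures.pop(source, None)


def guesses_evaluated(limiter, source, duration_seconds, attempts_per_second):
    """Simulate an online brute force from one source that never guesses right.

    Returns how many guesses the server actually checks against the password;
    guesses arriving during a lockout are refused without being checked.
    """
    checked = 0
    for t in range(duration_seconds):
        for _ in range(attempts_per_second):
            if limiter.is_locked(source, t):
                break                  # the rest of this second is refused
            limiter.record_failure(source, t)
            checked += 1
    return checked


if __name__ == "__main__":
    keyspace = 62 ** 8                 # [a-zA-Z0-9]{8}; shorter lengths add under 2%
    unlimited = 3600 * 1000            # 1000 guesses/s for an hour with no limiter
    limited = guesses_evaluated(FailedLoginLimiter(), "198.51.100.7", 3600, 1000)
    print(f"keyspace ~ {keyspace:.2e}, guesses checked per hour: "
          f"unlimited={unlimited}, with limiter={limited}")
```

With the assumed defaults a single source gets five checked guesses per lockout period, so the limiter cuts online throughput by orders of magnitude regardless of how fast the hash is. The trade-off is that the counter is keyed by source: a distributed attacker spreads attempts across many addresses, and a short lockout is all that keeps an attacker from denying service to legitimate clients behind the same NAT, so the window and lockout lengths need tuning for the deployment.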