Re: Lock Postgres account after X number of failed logins? - Mailing list pgsql-general

From Magnus Hagander
Subject Re: Lock Postgres account after X number of failed logins?
Date
Msg-id CABUevExaMfO=gC-BpG0pvnQcwANCRHx6mHCHj86TcJU3jVqn0A@mail.gmail.com
Whole thread Raw
In response to Re: Lock Postgres account after X number of failed logins?  ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
List pgsql-general


On Wed, May 6, 2020 at 5:26 PM Peter J. Holzer <hjp-pgsql@hjp.at> wrote:
On 2020-05-06 09:28:28 -0400, Stephen Frost wrote:
> LDAP-based authentication in PG involves passing the user's password to
> the database server in the clear (or tunneled through SSL, but that
> doesn't help if the DB is compromised), so it's really not a good
> solution.

Still a lot better than PostgreSQL's md5 scheme, which stores
password-equivalent hashes: If the database is compromised the attacker
has all hashes immediately and can use them to login. Intercepting
encrypted traffic even at the endpoint is much harder and can only
uncover passwords actually used.

If the database is compromised the attacker already has the data, though, so not as many needs to log in anymore.

But more to the point -- one should not use md5 in PostgreSQL these days, one should be using scram-sha-256 which does not have this problem (and has been around for a few years by now)., if using local database logins.

--

pgsql-general by date:

Previous
From: "Peter J. Holzer"
Date:
Subject: Re: Lock Postgres account after X number of failed logins?
Next
From: Ravi Krishna
Date:
Subject: Re: Abnormal Growth of Index Size - Index Size 3x large than tablesize.