Dawid Kuroczko <qnex42@xxxxxxxxx> writes: > Anyway, a simple 'sleep 2 seconds before telling that password > was wrong' would be a good addition anyhow. Seems pretty useless, unless we change things to also delay 2 seconds before telling the password was good, which I doubt anyone will like ;-) Otherwise, the attacker can simply abandon each connection after say 50 msec, or whatever the expected success time is. He need not wait until the postmaster drops the connection before launching another attempt. (No, I wouldn't like to stop that by putting a throttle on allowed connection rates, either ...) regards, tom lane
