
Re: Credcheck- credcheck.max_auth_failure

On 2024-12-11 13:43:38 -0500, Ron Johnson wrote:
> On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <htamfids@xxxxxxxxx>
> wrote:
> 
>     On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@xxxxxxxxx> wrote:
> 
>         In the use of the Credcheck suite, the parameter
>         "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file
>         to limit users from entering incorrect passwords more than three times,
>         after which their account will be locked.
> 
> 
>     Won't that allow absolutely anyone to lock out anyone else, including
>     admins/superusers? Sounds like a bad idea to me.
> 
> 
> Isn't this a pretty common password setting?

Yes, but that doesn't mean it's a good idea.

Actually, let me tease that apart a bit.

It is very common for the setting to exist (probably just about any OS
and many applications, too), but much less common for it to be turned on.

There are good reasons for that.

Limiting the number of failed attempts makes a lot of sense for debit
cards: The PINs are short enough that a person could bruteforce all
combinations, and typos are uncommon. So multiple failed attempts
probably mean that the card was stolen. There is also no way to DOS
somebody, since you need the card before you can enter the PIN.

It may have made a bit of sense in the 1980s, when most people had short
and easily guessable passwords and hosts were typically only accessible
from directly connected terminals and not from the internet.

But it really doesn't make much sense now: Passwords should be so long
that brute-forcing them via login attempts is completely futile. Either
the attacker knows the password (then the limit doesn't help), or they
won't guess it in a million attempts (so the limit doesn't help either).
OTOH, the limit gives an attacker a very simple way to deny the service to
the legitimate user: Just enter a bogus password three times and boom -
account locked. (That threat can be mitigated by applying the limit per
IP address - but the attacker may have a botnet with a million nodes,
making the limit ineffective.)

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@xxxxxx         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
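The tradeoff argued in the reply above, as an added example that is not part of the original thread and not credcheck's own code: a small model of a failure counter keyed per account (the behaviour credcheck.max_auth_failure = '3' is described as having) beside one keyed per source address (the mitigation mentioned). The user name, addresses and scenarios are constructed; it shows that the per-account counter lets unauthenticated failures lock out the legitimate user, while the per-source counter avoids that but only bounds guesses per address.

```python
from collections import defaultdict

MAX_AUTH_FAILURE = 3  # mirrors credcheck.max_auth_failure = '3' from the thread


class LockoutPolicy:
    """Consecutive-failure counter with a lock once the limit is reached.

    key_mode 'account' keys the counter by user name (the per-account lockout
    discussed in the thread); 'source' keys it by client address (the per-IP
    variant suggested as a mitigation). Constructed model, not credcheck's code.
    """

    def __init__(self, key_mode, limit=MAX_AUTH_FAILURE):
        self.key_mode = key_mode
        self.limit = limit
        self.failures = defaultdict(int)

    def _key(self, user, source_ip):
        return user if self.key_mode == "account" else source_ip

    def attempt(self, user, source_ip, password_ok):
        key = self._key(user, source_ip)
        if self.failures[key] >= self.limit:
            return "locked"  # refused before the password is even checked
        if password_ok:
            self.failures[key] = 0  # a good login resets the counter
            return "ok"
        self.failures[key] += 1
        return "rejected"


def run_scenario(key_mode, attacker_ips):
    """Constructed scenario: each attacker address sends MAX_AUTH_FAILURE wrong
    passwords for 'alice'; then alice logs in correctly from her own address."""
    policy = LockoutPolicy(key_mode)
    for ip in attacker_ips:
        for _ in range(MAX_AUTH_FAILURE):
            policy.attempt("alice", ip, password_ok=False)
    return policy.attempt("alice", "203.0.113.10", password_ok=True)


def guesses_allowed(key_mode, attacker_ips):
    """How many wrong passwords are actually checked before every address is
    refused: the bound each policy places on online guessing."""
    policy = LockoutPolicy(key_mode)
    checked = 0
    for ip in attacker_ips:
        while policy.attempt("alice", ip, password_ok=False) != "locked":
            checked += 1
    return checked
```

With one attacker address, run_scenario("account", ...) returns "locked" for alice and run_scenario("source", ...) returns "ok"; with two addresses, guesses_allowed gives 3 under the account policy but 6 under the source policy, which is the botnet caveat in the reply.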
