From: "Peter J. Holzer"
To: pgsql-general@lists.postgresql.org
Date: Fri, 13 Dec 2024 21:23:48 +0100
Subject: Re: Credcheck- credcheck.max_auth_failure
Message-ID: <20241213202348.jtchbb2lezbx2re6@hjp.at>

On 2024-12-11 13:43:38 -0500, Ron Johnson wrote:
> On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane wrote:
>
>> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@gmail.com> wrote:
>>
>>> In the use of the Credcheck suite, the parameter
>>> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file
>>> to limit users from entering incorrect passwords more than three times,
>>> after which their account will be locked.
>>
>> Won't that allow absolutely anyone to lock out anyone else, including
>> admins/superusers? Sounds like a bad idea to me.
>
> Isn't this a pretty common password setting?

Yes, but that doesn't mean it's a good idea.

Actually, let me tease that apart a bit. It is very common for the
setting to exist (probably just about any OS and many applications, too),
but much less common for it to be turned on. There are good reasons for
that.

Limiting the number of failed attempts makes a lot of sense for debit
cards: The PINs are short enough that a person could brute-force all
combinations, and typos are uncommon. So multiple failed attempts
probably mean that the card was stolen. There is also no way to DOS
somebody, since you need the card before you can enter the PIN.

It may have made a bit of sense in the 1980s, when most people had short
and easily guessable passwords and hosts were typically only accessible
from directly connected terminals and not from the internet. But it
really doesn't make much sense now: Passwords should be so long that
brute-forcing them via login attempts is completely futile. Either the
attacker knows the password (then the limit doesn't help), or they won't
guess it in a million attempts (so the limit doesn't help either). OTOH,
the limit gives an attacker a very simple way to deny the service to the
legitimate user: Just enter a bogus password three times and boom -
account locked. (That threat can be mitigated by applying the limit per
IP address - but the attacker may have a botnet with a million nodes,
making the limit ineffective.)

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
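The two failure modes argued in the message above, as an added example that is not part of the mailing-list post and not credcheck's own code: a small model of an account-lockout counter with the threshold set to 3 (mirroring `credcheck.max_auth_failure = '3'` from the thread), once keyed per account and once per (account, source address). The user name, password hash store, `Authenticator` class and the IP addresses (all from documentation ranges) are constructed for the example. Run against constructed login events, the per-account counter locks the legitimate user out after three wrong passwords from an unrelated host, while the per-address counter never fires at all when wrong guesses are spread over several sources, which is the point that the limit neither protects a weak password nor is safe to turn on.

```python
"""Model of per-account vs per-source-address lockout (added example)."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

MAX_AUTH_FAILURE = 3  # same threshold as credcheck.max_auth_failure = '3' in the thread


def _hash(password: str, salt: bytes = b"demo-salt") -> bytes:
    # Constructed credential store uses PBKDF2 so the model never compares plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed user: one account with a long passphrase (assumed, not from the page).
USERS = {"alice": _hash("correct horse battery staple")}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_ip: str
    password: str


class Authenticator:
    """scope='account': lock the account after MAX_AUTH_FAILURE failures from anywhere.
    scope='ip':      count failures separately per (account, source address)."""

    def __init__(self, scope: str):
        assert scope in ("account", "ip")
        self.scope = scope
        self.failures = defaultdict(int)

    def _key(self, ev: AuthEvent):
        return ev.user if self.scope == "account" else (ev.user, ev.src_ip)

    def attempt(self, ev: AuthEvent) -> str:
        key = self._key(ev)
        if self.failures[key] >= MAX_AUTH_FAILURE:
            return "locked"  # refused before the password is even checked
        stored = USERS.get(ev.user)
        if stored is not None and hmac.compare_digest(stored, _hash(ev.password)):
            self.failures[key] = 0  # successful login resets the counter
            return "ok"
        self.failures[key] += 1
        return "fail"


def run(scope: str, events) -> list:
    """Replay a list of AuthEvents under one policy and return each outcome."""
    auth = Authenticator(scope)
    return [auth.attempt(e) for e in events]


# Scenario 1 (constructed): an unrelated host sends three wrong passwords for
# alice, then alice logs in from her own workstation with the right one.
LOCKOUT_SCENARIO = [AuthEvent("alice", "198.51.100.7", "wrong")] * 3 + [
    AuthEvent("alice", "192.0.2.10", "correct horse battery staple")
]


def distributed_guesses(n_sources: int, per_source: int = MAX_AUTH_FAILURE - 1):
    """Constructed wrong guesses spread over n_sources addresses, each staying
    one short of the threshold; shows how many attempts a per-IP limit never blocks."""
    return [
        AuthEvent("alice", f"203.0.113.{i}", f"guess{i}-{j}")
        for i in range(n_sources)
        for j in range(per_source)
    ]


if __name__ == "__main__":
    print("per-account:", run("account", LOCKOUT_SCENARIO))   # alice ends up 'locked'
    print("per-ip:     ", run("ip", LOCKOUT_SCENARIO))        # alice ends up 'ok'
    spread = distributed_guesses(5)
    print("per-ip, 5 sources x 2 guesses, lockouts:",
          run("ip", spread).count("locked"))                 # 0
```

The per-account policy is the one the thread's `max_auth_failure` describes: the fourth event is refused even though it carries the right password, so the legitimate user is denied service by someone who never knew it. Switching the key to (account, source) removes that, but the counter then only ever sees two failures per address and never trips, so a strong passphrase, not the counter, is what actually stops guessing.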