On 7/15/09, David Wilson <david.t.wil...@gmail.com> wrote: > On Wed, Jul 15, 2009 at 11:10 AM, Marko Kreen<mark...@gmail.com> wrote: > > From security standpoint, wasting more cycles on bad passwords is good, > > as it decreases the rate bruteforce password scanning can happen. > > > > And I cannot imagine a scenario where performance on invalid logins > > can be relevant.. > > > DoS attacks. The longer it takes to reject an invalid login, the fewer > invalid login attempts it takes to DoS the server.
No, this is not a good argument against it. Especially if you consider that DoS via hanging-connect or SSL is still there. Compared to minor DoS, the password-leakage is much worse danger. -- marko -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
