Security – Why is There a Delay After Entering a Wrong Password?

Tags: authentication, pam, password, security

I notice a weird (well, according to me) thing about passwords. For example, if I type an incorrect password during login, there will be a few seconds' delay before the system tells me so. When I try to sudo with a wrong password I would also have to wait before the shell says "Sorry, try again".

I wonder why it takes so long to "recognize" an incorrect password? This has been seen on several distributions I use (and even OSX), so I think it's not a distribution specific thing.

Best Answer

This is a security thing; it's not actually taking long to realize it. Two vulnerabilities this solves:

  1. This throttles login attempts, meaning someone can't pound the system as fast as it can go trying to crack it (1M attempts a sec? I don't know).

  2. If it did it as soon as it verified your credentials were incorrect, you could use the amount of time it took for it to invalidate your credentials to help guess if part of your credentials were correct, dramatically reducing the guessing time.

To prevent these two things the system just takes a certain amount of time to do it. I think you can configure the wait time with PAM (see Michael's answer).

Security Engineering (2nd ed., Amazon | 1st ed., free) gives a much better explanation of these problems.
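The two points in the answer above, as an added example that is not part of the original post: a naive early-exit comparison leaks how many leading bytes of a guess matched (here the count of bytes examined stands in for wall-clock time, so the test is deterministic), `hmac.compare_digest` removes that leak, and a fixed minimum response time gives the same throttling effect as a PAM failure delay. The stored secret, the guesses and the 50 ms delay are constructed values chosen for the example.

```python
import hmac
import time

# Constructed sample secret; a real system stores a salted hash, not the
# plaintext, but the comparison and delay logic is the same.
SECRET = b"hunter2-correct"


def naive_compare(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined is a proxy for the time this takes: it grows with the
    length of the matching prefix, which is exactly what an attacker who
    can time the check uses to confirm one byte of the password at a time.
    """
    steps = 0
    if len(guess) != len(secret):
        return False, steps
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return True, steps


def constant_time_compare(guess: bytes, secret: bytes) -> bool:
    """Comparison whose running time does not depend on where the first
    mismatch is; this is the standard library's intended fix."""
    return hmac.compare_digest(guess, secret)


def check_password(guess: bytes, min_delay: float = 0.05) -> bool:
    """Verify guess against SECRET and always take at least min_delay
    seconds, success or failure. The floor throttles online guessing
    (one guess per min_delay per connection) and hides how long the
    underlying check took. Hypothetical 50 ms default; pam_faildelay
    expresses the same idea with a delay= setting."""
    start = time.monotonic()
    ok = constant_time_compare(guess, SECRET)
    remaining = min_delay - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok


def timed_check(guess: bytes, min_delay: float = 0.05) -> tuple[bool, float]:
    """Run check_password and report the observed wall-clock duration,
    i.e. what the client at the other end of the login prompt sees."""
    start = time.monotonic()
    ok = check_password(guess, min_delay)
    return ok, time.monotonic() - start


if __name__ == "__main__":
    # Constructed guesses: same length, differing prefix lengths.
    for g in (b"xunter2-correct", b"hunter2-wrongxx", SECRET):
        print(g, naive_compare(g, SECRET), timed_check(g))
```

Run it and the naive comparison reports 1, 9 and 15 bytes examined for the three guesses, while every call to `check_password` takes at least 50 ms whatever the guess. On a real Linux box the equivalent knob is the `delay=` argument (microseconds) to `pam_faildelay.so` in the PAM stack, which is what the answer is referring to.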
