Why does password failure cause a big delay?

Asked by Veiokej

Whenever I enter my password wrongly upon login, there's a big delay. Part of this is for the annoying head-shaking ("no") animation. (Why can't it just flash "try again" or "X" or something?) But this issue is above and beyond that.

I hope the reason is not that we're trying to slow down the rate at which an attacker can try passwords. That would amount to hopelessly trying to protect people with weak passwords, at the expense of enormous amounts of wasted time for the rest of us.

If there's some other reason, please inform.

Latency sucks.

Question information

Language: English
Status: Solved
For: Switchboard
Assignee: No assignee
Solved by: Veiokej
Marvin Beckers (embik) said :
#1

The delay (or at least the concept of a delay in this context) is standard (and expected) behaviour within the Linux ecosystem. You pointed out the exact reason for this: preventing "password trying" (or brute-forcing) your way into an account. To prevent some automated mechanism (e.g. a device hooked to the computer that guesses passwords), there needs to be a significant delay. Even a short span added results in a much longer time period needed to retrieve a password.

You might be annoyed by this, but this is a security issue; user experience has to take a step back for the system's safety. Linux aims not only for securing the "smart kids" with "secure" (you never know this by the way; if your password is in a list for a dictionary attack, it might be guessed fast although it's long), but for everyone. That's the deal.

My simple proposal to get rid of this is: Type in your password correctly. You're doing something wrong and the system "punishes" you because it is not possible to distinguish you from an attacker.

Marvin Beckers (embik) said :
#2

With "secure" passwords, of course. Sorry for missing a word. (grml, Launchpad, let me edit my answer)

Veiokej (veiokej) said :
#3

I think your explanation is accurate, but...

So the delay roughly doubles the time it takes to enter passwords in succession. That adds one bit, in effect, to the complexity of a given password. So we're wasting however many zillions of man-hours globally in order to add one bit to everyone's password.

Yeah, I can make sure to type it perfectly every time, but like anyone else, this slows me down. Statistically, I get maximum throughput at maybe 80% of maximum typing speed, not 50%.

If your password is so weak that adding one bit makes a significant difference, you have bigger problems.

This sounds petty, but multiplied by the number of failures per second globally, it's a titanic productivity drain.
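
To put numbers on the two positions above (a fixed delay after each wrong guess, and the claim that it is worth about one bit of password strength), here is an added example that is not part of the original thread. It models the guess rate of a slow human and of a fast automated device under a constant failure delay; all timings are constructed assumptions, not measurements of any real login manager.

```python
"""Model of a fixed delay after each failed login attempt.

Added example, not code from the thread or from any login manager.
Every duration below is a constructed assumption.
"""
import math


def attempts_per_second(attempt_seconds, fail_delay_seconds):
    """Guesses per second when each wrong guess costs typing time plus the delay."""
    return 1.0 / (attempt_seconds + fail_delay_seconds)


def equivalent_bits(attempt_seconds, fail_delay_seconds):
    """Extra password entropy the delay is worth to a guesser.

    In a fixed time budget the searchable keyspace shrinks by the factor
    (attempt + delay) / attempt, so log2 of that factor is the bit gain.
    """
    return math.log2((attempt_seconds + fail_delay_seconds) / attempt_seconds)


def expected_time_seconds(entropy_bits, attempt_seconds, fail_delay_seconds):
    """Expected time to guess a uniformly random password of the given entropy.

    On average half the keyspace is searched before the hit.
    """
    keyspace = 2 ** entropy_bits
    return (keyspace / 2) * (attempt_seconds + fail_delay_seconds)


def bits_for_target(target_seconds, attempt_seconds, fail_delay_seconds):
    """Smallest entropy whose expected guessing time reaches target_seconds."""
    per_guess = attempt_seconds + fail_delay_seconds
    return math.ceil(math.log2(2 * target_seconds / per_guess))


if __name__ == "__main__":
    DELAY = 2.0  # constructed: seconds added after each wrong password
    YEAR = 365 * 24 * 3600
    # constructed guess costs: a person retyping vs. a keystroke-injecting device
    for label, attempt in (("human typist", 2.0), ("automated device", 0.01)):
        print(f"{label}: {attempts_per_second(attempt, DELAY):.2f} guesses/s "
              f"with delay, delay worth {equivalent_bits(attempt, DELAY):.2f} bits, "
              f"entropy for a 1-year expected search: "
              f"{bits_for_target(YEAR, attempt, 0.0)} bits without delay, "
              f"{bits_for_target(YEAR, attempt, DELAY)} bits with delay")
```

For a typist whose retry already takes about as long as the delay, the gain is indeed one bit; for an automated guesser the same delay dominates the cost of every attempt and is worth several bits.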

Marvin Beckers (embik) said :
#4

It looks like you think this is a "negotiable" issue. It's not. We don't discuss security measures taken by various system packages, decided by developers way above our security knowledge (us being you and me both here). I explained to you why it is the way it is. In my humble opinion, you're vastly overstating the "productivity drain".

You are "slowed down" because you cannot be bothered to type in your password correctly. That's no valid issue. Take the few seconds more to type it in the right way. If you cannot spare these few seconds, your time management is seriously flawed. As said, you're penalized because you're doing something wrong. That's it. I doubt projects like LightDM (and everything more "core-y") will change, and that's for good reason. I doubt we won't either.

Veiokej (veiokej) said :
#5

If this is truly nonnegotiable, then I give up.