6

When I log into my Ubuntu 8.10 box with a correct password the system figures out almost instantaneously that the password is correct and logs me in. However, if I supply an incorrect password, it takes significantly longer to figure out that the password is incorrect and to show me the login screen.

Why is this? Should it not take the same amount of time in both cases?

-- Thanks

jldugger
  • 14,342
  • 20
  • 77
  • 129
Parag
  • 219
  • 1
  • 7

4 Answers4

20

It's a security feature to slow down people who are trying to guess your password. It takes Ubuntu the same amount of time to see if it's correct or not, but then it waits for a few seconds before letting you try again.

Dentrasi
  • 3,752
  • 1
  • 24
  • 19
15

As Dentrasi has explained - this is to make it more difficult for the attacker to carry out a brute-force attack on the password store. In almost all circumstances, you don't to change this behavior.

If you have a good reason to (which I can't think of), you can modify it via /etc/login.defs - See the login.defs(5) man page.

FAIL_DELAY (number)
  Delay in seconds before being allowed another attempt after a login failure.

Hmmm... At the end of the manpage...

Much of the functionality that used to be provided by the shadow password suite
is now handled by PAM. Thus, /etc/login.defs is no longer used by passwd(1), or
less used by login(1), and su(1). Please refer to the corresponding PAM
configuration files instead.

The appropriate PAM entry instead...

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000
khosrow
  • 4,163
  • 3
  • 27
  • 33
2

pam.d takes care of FAIL_DELAY these days. Add this to /etc/pam.d/common-auth (for Debian / Ubuntu):

auth required pam_unix.so nodelay

Fedora / Redhat: add this to /etc/pam.d/system-auth:

auth required /lib/security/$ISA/pam_unix.so nodelay

$ISA is just used to select between 32-bit and 64-bit modules and is already defined.

Outdoor
  • 81
  • 2
1

Speaking of PAM, if a computer is set up for LDAP or Kerberos or similar networked authentication, when a local login fails it will try to login remotely using the provided credentials. (Not related to this question though.)

user1686
  • 10,162
  • 1
  • 26
  • 42