Why is there a big delay after entering a wrong password?

I notice a weird (well, according to me) thing about passwords. For example, if I type an incorrect password during login, there will be a few seconds’ delay before the system tells me so. When I try to sudo with a wrong password I would also have to wait before the shell says “Sorry, try again”.

I wonder why it takes so long to “recognize” an incorrect password? This has been seen on several distributions I use (and even OSX), so I think it’s not a distribution specific thing.

Asked By: phunehehe

||

This is a security thing, it’s not actually taking long to realize it. 2 vulnerabilities this solves:

  1. this throttles login attempts, meaning someone can’t pound the system as fast as it can go trying to crack it (1M attempts a sec? I don’t know).

  2. If it did it as soon as it verified your credentials were incorrect, you could use the amount of time it took for it to invalidate your credentials to help guess if part of your credentials were correct, dramatically reducing the guessing time.

to prevent these 2 things the system just takes a certain amount of time to do it, I think you can configure the wait time with PAM ( see Michael’s answer ).

Security Engineering ( 3rd ed., Amazon | 2nd ed., free ) gives a much better explanation of these problems. See chapter 2 (PDF) — particularly §2.4 and §2.5.3.3.

Answered By: xenoterracide

This is intentional, to try and limit brute forcing. You can usually modify it by looking for the FAIL_DELAY configuration entry in /etc/login.defs and changing its value (mine is 3 seconds by default), although the comment in that file makes it sound like PAM will enforce at least a 2 second delay no matter what

Answered By: Michael Mrozek

On modern linux systems, the reason is that pam_unix.so imposes such a delay. As previously reported, this can be configured down to two seconds by changing FAIL_DELAY in /etc/login.defs. If you want to reduce the delay further, you have to give pam_unix.so the “nodelay” option. For example, on my system, if you trace the includes starting from /etc/pam.d/sudo, you find you have to edit the following line of /etc/pam.d/system-auth:

auth      required  pam_unix.so     try_first_pass nullok

and change it to this:

auth      required  pam_unix.so     try_first_pass nullok nodelay

Unfortunately, the way my linux distro (arch) configures things, that very same system-auth file gets included by system-remote-login, which is used by sshd.

While it is safe to eliminate the delay on sudo, because that is logged, only used by local users, and bypassable by local attackers anyway, you probably don’t want to eliminate this delay for remote logins. You can of course fix it by writing a custom sudo that doesn’t just include the shared system-auth files.

Personally, I think the delay on sudo (and ignoring SIGINT) is a big mistake. It means users who know they mistyped the password can’t kill the process and get frustrated. Of course, you still can stop sudo with Ctrl-Z, as sudo doesn’t catch SIGTSTP, and after stopping it you can kill it with kill -9 (SIGKILL). It’s just annoying to do. So that means an automated attack could fire off sudos on pseudo-terminals at a super high rate. But the delay frustrates legitimate users and encourages them to suspend their root shells instead of exiting them to avoid having to sudo again.

Answered By: user3188445