Ubuntu Linux takes longer for incorrect passwords

When I log into my Ubuntu 8.10 box with a correct password the system figures out almost instantaneously that the password is correct and logs me in. However, if I supply an incorrect password, it takes significantly longer to figure out that the password is incorrect and to show me the login screen.

Why is this? Should it not take the same amount of time in both cases?

-- Thanks


Solution 1:

It's a security feature to slow down people who are trying to guess your password. It takes Ubuntu the same amount of time to see if it's correct or not, but then it waits for a few seconds before letting you try again.

Solution 2:

As Dentrasi has explained, this is to make it more difficult for the attacker to carry out a brute-force attack on the password store. In almost all circumstances, you don't want to change this behavior.

If you have a good reason to (which I can't think of), you can modify it via /etc/login.defs - See the login.defs(5) man page.

FAIL_DELAY (number)
  Delay in seconds before being allowed another attempt after a login failure.

Hmmm... At the end of the manpage...

Much of the functionality that used to be provided by the shadow password suite
is now handled by PAM. Thus, /etc/login.defs is no longer used by passwd(1), or
less used by login(1), and su(1). Please refer to the corresponding PAM
configuration files instead.

The appropriate PAM entry instead...

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

Solution 3:

pam.d takes care of FAIL_DELAY these days. Add this to /etc/pam.d/common-auth (for Debian / Ubuntu):

auth required pam_unix.so nodelay

Fedora / Redhat: add this to /etc/pam.d/system-auth:

auth required /lib/security/$ISA/pam_unix.so nodelay

$ISA is just used to select between 32-bit and 64-bit modules and is already defined.
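An added check, not from any of the answers above, that ties Solution 2 (pam_faildelay delay=) and Solution 3 (pam_unix nodelay) together: a small shell function reads a PAM auth stack on stdin and reports the failure-delay settings it finds. The common-auth text below is a constructed sample, not a file from a real system.

```shell
#!/bin/sh
# Constructed sample of a Debian/Ubuntu /etc/pam.d/common-auth auth stack.
SAMPLE_COMMON_AUTH='# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_faildelay.so delay=3000000
'

# Summarise the failure-delay configuration of a PAM auth stack read from stdin:
# the pam_faildelay delay (microseconds) if set, and whether pam_unix.so carries
# "nodelay" (which disables its own built-in delay). Comments and non-"auth"
# lines are ignored.
pam_fail_delay_summary() {
    awk '
        /^[ \t]*#/   { next }                 # skip comment lines
        $1 != "auth" { next }                 # only the auth stack matters here
        /pam_unix\.so/ {
            unix_seen = 1
            if ($0 ~ /[ \t]nodelay([ \t]|$)/) unix_nodelay = 1
        }
        /pam_faildelay\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) { sub(/^delay=/, "", $i); faildelay_us = $i }
        }
        END {
            if (faildelay_us != "")
                printf "pam_faildelay: %d us; ", faildelay_us
            else
                printf "pam_faildelay: not configured; "
            if (!unix_seen)
                print "pam_unix: absent"
            else if (unix_nodelay)
                print "pam_unix: nodelay (no built-in delay)"
            else
                print "pam_unix: built-in delay active"
        }
    '
}

# Run against the constructed sample; on a real box use: pam_fail_delay_summary < /etc/pam.d/common-auth
printf '%s' "$SAMPLE_COMMON_AUTH" | pam_fail_delay_summary
```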

Solution 4:

Speaking of PAM, if a computer is set up for LDAP or Kerberos or similar networked authentication, when a local login fails it will try to log in remotely using the provided credentials. (Not related to this question though.)