How to reduce the time Windows takes to report a password is wrong?
First, as a direct Windows 7 answer from MSDN, the OS is built with the following decision branching for password validation:
Entering a wrong password causes Windows 7 to iterate through its password caching in order to compare all entries. This causes a delay.
If nothing matched in the cache, the computer then has to contact the Domain Controller to validate the password against the account. This causes a delay.
Then, when all else has failed in testing for a valid password, you hit the standard bad password delay, for the reasons mentioned over on ServerFault.
After reviewing password policy on Microsoft Technet for Windows 7, Server 2003, Server 2008, the following settings are possible:
Password History, Minimum Password Length, Maximum Password Age, Minimum Password Age, ObservationWindow, LockoutDuration, LockoutThreshold, badPasswordTime, badPwdCount, ntPwdHistory, ForceUnlockLogon
If you're on a domain, this would be set through a GPO and out of your control; however, locally for a computer on a workgroup, you can make the settings through SecPol.msc under Security Settings -> Account Lockout Policy.
The only setting even close, badPasswordTime, is the timestamp the last bad password was entered.
In all the settings, nothing references failed password delay, so it's apparently hard coded into the OS.
Now, if you're on Linux, you can add parameters to PAM to allow removal of this delay if it was set up to accept the parameter; otherwise, you have to recompile the PAM module that controls this function with settings of your own choice.
In my case I found that the lag was caused by contacting the domain controller over wifi. This step is only possible if you're connected to the internet, so it is possible to set up a script that disables network adapters on logoff, workstation lock and workstation idle, and re-enables them when you log back in.
For instance, add a scheduled task that triggers on workstation lock with an action to disable the wifi network adapter:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "Disable-NetAdapter -Name WiFi -Confirm:$false"
You can find the names of your network adapters in PowerShell:
netsh interface show interface
Add a similar script to the group policy logoff. Then do the same with Enable-NetAdapter.
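The lock and unlock tasks described in the answer above can also be registered from an elevated PowerShell prompt instead of the Task Scheduler GUI. This is an added example, not part of the original answer: the task names are made up, the adapter name WiFi is the one used in the answer, and it assumes Windows 8 / Server 2012 or later, where the ScheduledTasks and NetAdapter modules exist.

```powershell
# Added example: register two scheduled tasks that toggle one network adapter
# when the workstation is locked and unlocked. Run from an elevated prompt.

$AdapterName = 'WiFi'   # adapter name from the answer; check yours first
$PowerShell  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# New-ScheduledTaskTrigger has no lock/unlock option, so the trigger is built
# from the Task Scheduler CIM class for session state changes.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                             -ClassName 'MSFT_TaskSessionStateChangeTrigger'

function New-SessionTrigger([int]$StateChange) {
    # StateChange values (TASK_SESSION_STATE_CHANGE_TYPE): 7 = lock, 8 = unlock
    New-CimInstance -CimClass $triggerClass -ClientOnly `
                    -Property @{ StateChange = $StateChange }
}

# Changing adapter state needs administrative rights, so the tasks run as SYSTEM.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest

# Hypothetical task names; rename to fit your own conventions.
$tasks = @(
    @{ Name = 'Disable adapter on lock';  State = 7; Cmdlet = 'Disable-NetAdapter' },
    @{ Name = 'Enable adapter on unlock'; State = 8; Cmdlet = 'Enable-NetAdapter'  }
)

foreach ($t in $tasks) {
    # Same command line as in the answer, built for each cmdlet.
    $command = "$($t.Cmdlet) -Name '$AdapterName' -Confirm:`$false"
    $action  = New-ScheduledTaskAction -Execute $PowerShell `
                   -Argument "-NoProfile -Command `"$command`""

    Register-ScheduledTask -TaskName $t.Name `
                           -Trigger (New-SessionTrigger $t.State) `
                           -Action $action -Principal $principal -Force | Out-Null
}

# Confirm both tasks exist and are ready.
Get-ScheduledTask -TaskName 'Disable adapter on lock', 'Enable adapter on unlock' |
    Select-Object TaskName, State
```

If the unlock task ever fails to run, the adapter stays disabled until it is re-enabled by hand with Enable-NetAdapter.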