Why does it take so long for the computer to respond with "invalid password", when using a correct password is near instant? [duplicate]

windows linux passwords

When you enter a password and it's correct the response is practically instantaneous (i.e. the log on process).

When you enter an incorrect password (accidently, forgotten, etc) however, it takes a while (10-30 seconds) before it responds that the password was incorrect.

Why does it take so long (relatively) to say "incorrect password"?

This has always bugged me about entering incorrect passwords on Windows and linux (real and VM); I'm not sure about mac OSX as I can't remember if it's the same, been awhile since I last used a mac.

EDIT: for the sake of duplication, I'm asking in the context of a user logging on to the system at the physical computer rather than through ssh which could conceivably use somewhat different mechanisms to log in/validate credentials.


Why does it take so long (relatively) to say "incorrect password" ?

It doesn't. Or rather, it doesn't take the computer any longer to determine that your password is incorrect compared to it being correct. The work involved for the computer is, ideally, exactly the same. (Any password verification scheme that takes a different amount of time based on whether the password is correct or incorrect can be exploited to gain knowledge, however small, of the password in less time than would otherwise be the case.)

The delay is an artificial delay to make repeatedly trying to gain access by using different passwords infeasible, even if you have some idea of what the password likely is and automatic account lockout is disabled (which it should be in most scenarios, as it would otherwise allow for a trivial denial of service against an arbitrary account).

The general term for this behavior is tarpitting. While the Wikipedia article talks more about network service tarpitting, the concept is generic. The Old New Thing isn't an official source either, but Why does it take longer to reject an invalid password than to accept a valid one? does talk about this near the end of the article.

Related

Malware or strange Windows services behaviour?
Windows 7 brightness slider suddenly gone
How to show menu bar in notepad++? [duplicate]
Turn off line wrap in Gedit
Window manager which allows multiple active windows/multiple input devices?
Excel 2013 - Is there a way to turn off a chart series without removing it?
Open SQLite db in Microsoft Access?
Looking for good Inbox management methodology [closed]
How do I move every file in a tree to the root of the tree?
What are possible causes of keyboard lag on my desktop machine?
Windows UAC vs. Linux sudo
Mac firewall blocking nginx (port 80) from external side