When I enter my password for superuser privileges or to log in to my Linux box, if I enter it correctly, it returns immediately, granting me access. However, if I make some typo, there is a long wait before it tells me my password is incorrect. Usually, I realize that I messed up long before the computer does.
Why is this the case? As I understand it, user passwords are encrypted and stored in /etc/shadow, so it seems like my input should just be encrypted and compared to what is in that file for my username, which would take roughly the same time whether I enter the correct password or not. Is there some algorithmic reason, like it has to check in a bunch of extra places before it can confirm that it is incorrect? Or maybe the system knows it's an incorrect password quickly, but has to do a lot of work to keep track of incorrect login attempts. Or maybe it's just trying to punish me for screwing up.
sudo, by default, asks for your password, which is the password you use to log in. On the other hand, su asks for the password of the target user which, unless specified, defaults to root. Note that by default Ubuntu has an invalid password field set for root, effectively making it impossible to log in as root.
An artificial delay is added after each invalid password attempt to slow down hackers. A few seconds of delay is only a minor inconvenience for real users, but it makes brute-force password guessing infeasible, because it would take several years to iterate through all combinations (even with password dictionaries).
Generally, the longer the password, the harder it is for hackers to guess. If possible, use passwords that are at least 15 characters long.
The file is owned by root and can only be modified by root or users with sudo privileges, although it is readable by all system users. Each user's password is stored in an encrypted form within the /etc/passwd file.
This is done totally on purpose: the reason for that is to make it impossible to guess a password using a dictionary attack.
Fast turn-around is crucial for a dictionary attack. Slowing down on incorrect passwords is a way to slow the attack to a crawl, making it impossible to execute in a meaningful time interval.
I am not sure if this question is relevant here. I am also not sure of the correctness of my answer, but I think it's for security. Making it n times slower would mean that a brute-force attack would take n times longer.
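The failure delay that the answers above describe, as an added example that is not from the original question, any of the answers, or any Linux component: a toy password check that salts and hashes the attempt, compares it in constant time, and sleeps only on a mismatch, plus a worst-case estimate of how long serial guessing takes at a given delay. The hashing scheme (PBKDF2-SHA256 instead of the crypt(3) formats real systems use), the delay values, and the candidate counts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000   # assumed work factor; real crypt(3) hashes use their own
FAIL_DELAY = 0.25     # assumed delay in seconds; login systems use a few seconds
SECONDS_PER_YEAR = 365 * 24 * 3600


def make_entry(password: str) -> tuple[bytes, bytes]:
    """Build a stand-in for a shadow entry: (random salt, salted hash)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(entry: tuple[bytes, bytes], attempt: str,
                   fail_delay: float = FAIL_DELAY) -> bool:
    """Hash the attempt with the stored salt and compare; sleep only on failure.

    The hashing cost is identical for right and wrong guesses, so the
    asymmetry the question noticed comes entirely from the deliberate sleep.
    """
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if not ok:
        time.sleep(fail_delay)  # the artificial penalty on a wrong password
    return ok


def timed_check(entry: tuple[bytes, bytes], attempt: str) -> tuple[bool, float]:
    """Return (result, elapsed seconds) so the delay can be observed."""
    start = time.perf_counter()
    ok = check_password(entry, attempt)
    return ok, time.perf_counter() - start


def brute_force_seconds(candidates: int, fail_delay: float) -> float:
    """Worst-case wall-clock time to try every candidate serially, one login at a time."""
    return candidates * fail_delay


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


# Constructed sample credential; not a real account.
EXAMPLE_ENTRY = make_entry("correct-horse-battery")

if __name__ == "__main__":
    print(timed_check(EXAMPLE_ENTRY, "correct-horse-battery"))
    print(timed_check(EXAMPLE_ENTRY, "wrong-guess"))
    # A 1-million-word dictionary at a 2 s delay already takes about 23 days;
    # all 8-character alphanumerics would take millions of years.
    print(seconds_to_years(brute_force_seconds(10**6, 2.0)))
    print(seconds_to_years(brute_force_seconds(62**8, 2.0)))
```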