Why should checking a wrong password take longer than checking the right one?

This question has always troubled me.

On Linux, when asked for a password, if your input is the correct one, it checks right away, with almost no delay. But, on the other hand, if you type the wrong password, it takes longer to check. Why is that?

I observed this in all Linux distributions I've ever tried.

739 votes
asked Apr 03 '09 02:04 by Flávio Amieiro



1 Answer

It's actually to prevent brute force attacks from trying millions of passwords per second. The idea is to limit how fast passwords can be checked and there are a number of rules that should be followed.

  • A successful user/password pair should succeed immediately.
  • There should be no discernible difference in reasons for failure that can be detected.

That last one is particularly important. It means no helpful messages like:

Your user name is correct but your password is wrong, please try again 

or:

Sorry, password wasn't long enough 

Not even a time difference in response between the "invalid user and password" and "valid user but invalid password" failure reasons.

Every failure should deliver exactly the same information, textual and otherwise.

Some systems take it even further, increasing the delay with each failure, or only allowing three failures then having a massive delay before allowing a retry.

110 votes
answered Oct 13 '22 15:10 by paxdiablo
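One way to turn the rules in this answer into code, as an added example that is not from the answer or from any Linux login program: the same hashing work is done whether or not the user exists, every failure returns one generic message, and the delay grows with each consecutive failure while success returns at once. The user store, `check_login`, the 2-second base delay and the dummy record are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample store (username -> (salt, PBKDF2 hash)); not real account data.
_ITER = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so each guess costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy record: unknown usernames are hashed against this so the work (and
# therefore the response time) is the same as for a known user with a bad password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("placeholder", _DUMMY_SALT)

FAILURES = {}                # username -> consecutive failure count (constructed state)
BASE_DELAY = 2.0             # seconds; doubled on every consecutive failure (assumed policy)
GENERIC_ERROR = "Login incorrect"   # the only text any failure ever returns


def check_login(username: str, password: str, sleep=time.sleep):
    """Return (ok, message). All failures look identical apart from the delay,
    and the delay depends only on the failure count, never on the reason."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest avoids leaking how many hash bytes matched; the membership
    # test rejects a guess that happens to equal the dummy record's password.
    ok = hmac.compare_digest(_derive(password, salt), stored) and username in USERS
    if ok:
        FAILURES.pop(username, None)    # success: reset backoff and answer immediately
        return True, "OK"
    n = FAILURES.get(username, 0)
    FAILURES[username] = n + 1
    sleep(BASE_DELAY * (2 ** n))        # escalating delay: 2s, 4s, 8s, ...
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(check_login("alice", "correct horse", sleep=lambda s: None))
    print(check_login("alice", "wrong", sleep=lambda s: print(f"(would wait {s}s)")))
    print(check_login("nobody", "wrong", sleep=lambda s: print(f"(would wait {s}s)")))
```

Passing a no-op `sleep` as above lets the logic be exercised without actually waiting; a real deployment would keep the default.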