[sllug-members]: bad password delays

Andrew Johnson tehlaser at gmail.com
Thu Aug 17 09:01:53 MDT 2006


A more sensible approach might be to allow 3 unsuccessful attempts before
enforcing the delay, but that means keeping track of state, which might be
hard in the design of Xscreensaver.  I've noticed Gnome's new screensaver in
Dapper Drake is less annoying when you use an incorrect password, at least
for the first two attempts.  Maybe it has some of this sort of logic.

On 8/16/06, Lamont R. Peterson <lamont at gurulabs.com> wrote:
>
> On Wednesday 16 August 2006 03:57pm, Ian Robertson wrote:
> > I use Xscreensaver to lock my screen.  Frequently, when coming back, I'm
> > in a hurry to type in my password, and hence mistype it.  This wouldn't
> > be so bad, except that Xscreensaver takes 5 seconds before it rejects
> > the password and lets me try again.  I suspect this is due to a pam
> > setting, but I've been unable to figure out how to bump it down to, say,
> > 1 second.  Does anyone have any thoughts on how to attack this?  This is
> > on a Suse 10.0 box.
>
> There is no PAM configuration for this.  To change it, I think you'd have to
> patch the source.  I don't believe there is any command line parameter or
> other configuration directive for Xscreensaver.
>
> The timeout is there for a security reason.  Obviously, if you can process a
> successful password entry in a millisecond, we should figure out a failure,
> too.  The reason for the delay is so that automated password trial-and-error
> systems will be slowed down such that it is completely infeasible to use
> them, assuming, of course, that users actually follow good password
> policies.
>
> By the way, almost every program uses 3 seconds, not 5.  I mostly use KDE,
> personally, so I'm not entirely certain about Xscreensaver's unlock dialog
> failure timing.
> --
> Lamont R. Peterson <lamont at gurulabs.com>
> Senior Instructor
> Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
>
> NOTE:  All messages from this email address should be digitally signed with
>       my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
>       well as other keyservers that sync with MIT's.
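
The grace-attempt idea from the message above, written out as an added sketch (not part of the original thread and not Xscreensaver's code). The struct and function names are assumptions; the 3 free attempts and the 5 second delay are the figures mentioned in the thread. It also computes how many guesses an automated guesser gets per hour under each policy.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed names; the 3-attempt grace and 5 s delay are the thread's figures. */
struct unlock_policy { unsigned grace; unsigned delay_ms; };
struct unlock_state  { unsigned failures; /* consecutive, since last success */ };

/* Record one attempt; return how long (ms) the dialog stays blocked
   before the next attempt is accepted. */
unsigned record_attempt(const struct unlock_policy *p,
                        struct unlock_state *s, int password_ok)
{
    if (password_ok) {
        s->failures = 0;              /* only a success clears the counter */
        return 0;
    }
    if (s->failures < UINT_MAX)       /* saturate: wrapping would re-arm the grace */
        s->failures++;
    return s->failures > p->grace ? p->delay_ms : 0;
}

/* Upper bound on guesses an automated guesser gets in window_ms,
   assuming each attempt itself takes no time. */
unsigned long max_guesses(const struct unlock_policy *p, unsigned long window_ms)
{
    struct unlock_state s = {0};
    unsigned long elapsed = 0, guesses = 0;

    if (p->delay_ms == 0)
        return ULONG_MAX;             /* no delay at all: unbounded */
    while (elapsed <= window_ms) {
        guesses++;
        elapsed += record_attempt(p, &s, 0);
    }
    return guesses;
}

int main(void)
{
    struct unlock_policy strict = {0, 5000}, grace3 = {3, 5000};
    printf("guesses/hour, delay on every failure: %lu\n",
           max_guesses(&strict, 3600000UL));
    printf("guesses/hour, 3 free attempts first:  %lu\n",
           max_guesses(&grace3, 3600000UL));
    return 0;
}
```

The grace period adds only a constant three guesses per hour, but that holds only while nothing other than a successful unlock resets `failures`; if dismissing or timing out the dialog cleared the counter, the delay could be skipped entirely.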