by The_President 13 days ago
The Bluetooth integration needs work - missing features such as "never connect automatically."

Default lock screen experience still has a needless delay of 5 seconds when entering a wrong (even blank wrong) password, even on the first attempt.

+1 on the gamma controls

4 comments

> Default lock screen experience still has a needless delay of 5 seconds when entering a wrong (even blank wrong) password, even on the first attempt.

I suspect that is not KDE's fault (or Wayland's) - it's probably PAM, which by default has a 2 second delay (+/- 50%). That default is extremely difficult to change, but you can configure it. See my instructions here: https://github.com/linux-pam/linux-pam/issues/778#issuecomme...

Also if you follow that issue you can see I've been trying to convince the PAM developers to fix it (by changing it to a 0.5 second delay, which is much more tolerable and no less secure). Unfortunately they have this weird idea that users want the delay, because it lets them recompose their thoughts after getting the password wrong or something like that.
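Since the thread points at a linked issue for the actual configuration steps, here is an added example (not code from the thread, the linked issue, or linux-pam) that audits a pam.d auth stack for the failure delay it would produce. It assumes two documented behaviours: pam_unix requests a 2,000,000 µs delay on failure unless given the `nodelay` option, and libpam honours the longest delay requested during the stack, so a `pam_faildelay.so delay=...` line alone cannot shorten the delay while pam_unix still requests its own. The sample stacks are constructed, not copied from any distribution.

```python
# Added example (not code from the thread or from linux-pam): audit the
# failed-login delay a pam.d auth stack would configure.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pam_unix requests this delay on failure unless given the "nodelay" option;
# libpam then sleeps roughly this long (it randomizes the actual value).
PAM_UNIX_DEFAULT_DELAY_US = 2_000_000

# type  control  module  [args...]; control may be bracketed, e.g. [success=1 default=ignore]
_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse pam.d-style lines into (type, control, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append((typ, control, module, args.split()))
    return entries


@dataclass
class DelayAudit:
    faildelay_us: Optional[int]  # delay= from pam_faildelay.so, if present
    unix_nodelay: bool           # pam_unix.so carries "nodelay"
    nominal_seconds: float       # longest delay requested by the auth stack


def audit_fail_delay(text: str) -> DelayAudit:
    """Report the nominal failure delay an auth stack would request."""
    faildelay_us = None
    nodelay = False
    for typ, _control, module, args in parse_pam_lines(text):
        if typ.lstrip("-") != "auth":  # "-auth" marks an optional module
            continue
        name = module.rsplit("/", 1)[-1]
        if name == "pam_faildelay.so":
            for a in args:
                if a.startswith("delay="):
                    faildelay_us = int(a.split("=", 1)[1])  # microseconds
        elif name == "pam_unix.so" and "nodelay" in args:
            nodelay = True
    # Assumption: libpam honours the longest non-zero delay requested during
    # the stack, so pam_faildelay alone cannot undercut pam_unix's own request.
    requests = []
    if not nodelay:
        requests.append(PAM_UNIX_DEFAULT_DELAY_US)
    if faildelay_us:
        requests.append(faildelay_us)
    nominal = max(requests) / 1_000_000 if requests else 0.0
    return DelayAudit(faildelay_us, nodelay, nominal)


# Constructed sample stacks (not copied from any distribution).
STOCK_STACK = """\
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""

HALF_SECOND_STACK = """\
auth    optional    pam_faildelay.so delay=500000
auth    [success=1 default=ignore]  pam_unix.so nullok nodelay
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""

if __name__ == "__main__":
    for label, stack in (("stock", STOCK_STACK), ("0.5 s", HALF_SECOND_STACK)):
        print(label, audit_fail_delay(stack))
```

Running it on a real file (`audit_fail_delay(open("/etc/pam.d/kde").read())`) shows why a half-second `pam_faildelay` entry on its own changes nothing: the stock pam_unix request still wins, and only adding `nodelay` to pam_unix lets the shorter delay take effect.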

Wow, that has bugged me for years. Frustrating it's not easily configurable.

Good lord that thread is a dumpster fire. Thanks for finding out wtf is causing this, it has annoyed me for two darn decades, but never enough to go as deep into finding the cause…

Bluetooth autoconnect configuration is a Wayland issue? I honestly would have never guessed. I always figured it was the responsibility of the DE or bluez service.
Well, seeing how systems are brute-forced and how much speed you can achieve today, these delays are more and more welcome on my end.
Authentication systems have had lockout periods or increasing delays for decades. 1 attempt per 5 seconds and 12 attempts per minute would be equivalent for brute force. And 12 attempts per minute would be a very loose lockout policy.
However, it's a good starting point for any systems which might be user facing and reasonably secured by the network around the system.

There's such a thing as bad defaults, and starting too heavy-handed is starting with bad defaults.

In short, the current default is a good compromise and a good default.

That sounds like tarpitting, or perhaps timing-attack protection, rather than anything wrong in the password check pipeline.