#1 2022-09-08 22:24:43

DoTheEvolution
Member
Registered: 2014-05-07
Posts: 24

Login lock out after 3 tries is too aggressive IMO, should be 5+

Talking about this

Lock out user after three failed login attempts
As of pambase 20200721.1-2, pam_faillock.so is enabled by default to lock out users for 10 minutes after 3 failed login attempts in a 15 minute period

1. try - your fingers just go again without your brain even thinking about it
2. try - your brain will go like what? But fingers and muscle memory are doing their thing
3. try - you now actually realize what's up and are more focused and write it slowly with care, making sure your finger placement is not a bit off
4. try - you noticed caps lock or one key failing or some other issue but it's already too late and you are locked out

The first tries you wasted without paying that much attention now cost you time and effort.
And it's not like brute forcing would significantly change if 5 attempts were allowed
hell I think we could prove mathematically that 10 attempts would not make a real difference

Arch was without this for almost 20 years
we had infinite allowed attempts
going from the infinite to 3 can be rounded down like going to one single attempt
and what sane person would force default lock out on all millions of arch users on a single wrong attempt?
it's pure logic

And yes, I know how to change it
And yes, I know changing stuff from upstream is so much extra work.. but it's a distro and not just glued upstreams

Offline
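To put numbers on the policy quoted in post #1 (3 failures in 15 minutes, 10 minute lock), the following added example, which is not part of the thread and not pam_faillock's own code, replays failed attempts against a simplified model of that policy and counts how many guesses get through in a day for `deny` values of 3, 5 and 10. The function names, the attempt timestamps and the two modelling assumptions noted in the comments are constructed for illustration.

```python
# Simplified model of the lockout policy quoted in post #1; not pam_faillock's code.
# Assumptions: attempts made while locked are rejected without being counted,
# and the failure tally starts empty again once the lock expires.

def replay(attempt_times, deny=3, fail_interval=900, unlock_time=600):
    """Replay wrong-password attempts (seconds, ascending) against the policy.

    Returns one outcome per attempt: "failed" (password was checked and wrong)
    or "locked" (rejected without a check because the account is locked).
    """
    recent = []            # times of counted failures still inside fail_interval
    locked_until = None
    outcomes = []
    for t in attempt_times:
        if locked_until is not None:
            if t < locked_until:
                outcomes.append("locked")
                continue
            locked_until, recent = None, []   # lock expired, tally reset
        recent = [f for f in recent if t - f < fail_interval]
        recent.append(t)
        outcomes.append("failed")
        if len(recent) >= deny:
            locked_until = t + unlock_time
    return outcomes


def guesses_admitted(period, every, **policy):
    """Number of guesses actually checked when one is tried every `every` seconds."""
    return replay(range(0, period, every), **policy).count("failed")


# Constructed timestamps (seconds) for the four wrong tries described in post #1.
FOUR_TRIES = [0, 5, 15, 40]

if __name__ == "__main__":
    for deny in (3, 5, 10):
        print(f"deny={deny}:",
              replay(FOUR_TRIES, deny=deny),
              "guesses checked per day:",
              guesses_admitted(86400, 1, deny=deny))
```
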

#2 2022-09-08 22:39:36

Daerandin
Member
From: Norway
Registered: 2013-05-07
Posts: 258
Website

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

Personally I prefer Arch to stick to upstream defaults. It makes it much easier to rely on upstream documentation without needing to worry about distro specific changes. It can obviously be discussed if three attempts is too little, but I think such a discussion is best done upstream. The linked bug report on the wiki page also seems to indicate that the devs share this view.

Besides, nothing is stopping you from changing it to whatever you want it to be on your system.

Offline

#3 2022-09-08 22:53:33

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

DoTheEvolution wrote:

and what sane person would force default lock out on all millions of arch users on a single wrong attempt?

As pointed out, this isn't a problem for anyone but you. Set up your system however you like. If you really want a discussion about Arch patching upstream, lose the hyperbole and make an actual case for it.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#4 2022-09-08 23:04:35

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,517
Website

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

DoTheEvolution wrote:

Arch was without this for almost 20 years

...it's pure logic

Well by that very same logic, the arch forums were without you for 12 years...

We all miss the good old days.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2022-09-08 23:46:24

GaKu999
Member
From: US/Eastern
Registered: 2020-06-21
Posts: 696

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

Only instances where the default 3 has caused me trouble weren't even related to login at all, just repeated canceled sudo calls from a derp.

sudo does seem to trigger faillock regardless of choice, but this isn't a sudo thread so the point is moot.


My repos • Some snippets

Heisenberg might have been here.

Offline

#6 2022-09-09 07:36:41

seth
Member
Registered: 2012-09-03
Posts: 50,929

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

1. try - your fingers just go again without your brain even thinking about it
2. try - your brain will go like what? But fingers and muscle memory are doing their thing
3. try - you now actually realize what's up and are more focused and write it slowly with care, making sure your finger placement is not a bit off
4. try - you noticed caps lock or one key failing or some other issue but it's already too late and you are locked out

Meanwhile, in reality land…

Seriously, how often did your list happen to you (lmg: once. just yesterday.) and how often do you think that happens in reality at all?
And what are the implications?

Pretty much every login prompt I came along has a caps/numlock warning - despite me having indicators on the keyboard and caps lock being mapped to a more useful function.
If such indication is missing, you'll have a hard time figuring the cause without a plain echo (you do not randomly guess that it's the caps lock or the wrong layout)

And if your keyboard is physically broken, the 10 minute cooldown will probably not even cover the time to fix that and until the latter happened you're locked out from your account no matter what (cause you still have to punch the key)
And without close attention to the ******** echo count, you're not gonna figure that either (leaving aside cases where the wires are crossed and the key misfires the wrong input)

On the bottom line, you're presenting a case where your login environment prevents you from a controlled input and deduce that therefore there should be no faillock by default for everyone.
That's a fallacy.
Even without the faillock your login environment will still be insufficient.

Also let's be real, you just fat-fingered it :P

Offline

#7 2022-09-09 12:36:42

karabaja4
Member
From: Croatia
Registered: 2008-09-14
Posts: 999
Website

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

Let's not fat-finger shame other people :P Different people have different methods of interacting with computers. I for one am not comfortable with anything less than 10 attempts.

But, Arch keeping true to the upstream (within reason) should be a good enough argument not to change this.

Last edited by karabaja4 (2022-09-09 12:37:16)

Offline

#8 2022-09-09 12:48:49

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: Login lock out after 3 tries is too aggressive IMO, should be 5+

karabaja4 wrote:

Let's not fat-finger shame other people :P

Exactly - it might just as well happen with butter-fingers sliding around :P
My 5 pesos: Increasing security by "default" is the right direction... If you want more tries - just change it.


RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan

Offline
