How to reduce the time Windows takes to report a password is wrong?

4

1

I use Windows 7 on a Lenovo laptop. When I enter a wrong password, either when I'm connected to our network or when disconnected, it takes quite a lot of time for Windows to report the password is wrong. And by 'a long time' I mean as much as 20-30 seconds sometimes. Now, even, say, 5 is a lot, I would say - so whatever I can do to reduce this, I want to do (including any artificial security-related delay for incorrect passwords).

einpoklum

Posted 2013-08-23T20:36:16.063

Reputation: 5 032

5

Have you seen this (over on ServerFault) yet? "Why windows 7, 'wrong password' takes long time?" I think the answer to 'how to reduce it' is: "You can't, it's a security feature hard-coded into the OS".

– Ƭᴇcʜιᴇ007 – 2013-08-23T20:48:22.230

3

Those answers are ridiculous. That's not 'quick'. If you can enter a password - even using some computerized keyboard replacement - once every second it would still take you a ridiculous amount of time to brute-force anything. Plus, the delay could be on the 3rd, or 5th, or 10th attempt onwards. ... but regardless of this, none of the answers there says "hard-coded"; plus we're dealing with a delay that's longer than what I experience on other machines. – einpoklum – 2013-08-23T21:21:10.740

1

Sorry you don't like standard security features. Just don't enter bad passwords and you'll be ok. Keyboarding classes? Roboform like password safe? – Fiasco Labs – 2013-08-24T04:58:33.180

3

@FiascoLabs: Thanks for lecturing me, I feel much more enlightened. Now I really like unconfigurable default 'security' features. – einpoklum – 2013-08-25T15:28:02.963

You're very welcome! When you find the answer, you can post back and take credit for it. At least you're not hitting an unreasonable password failure lockout. Now that's really annoying. The best is 2 tries and a permanent lockout, with a call needed to unlock. Then you know your IT department likes making life a pain. – Fiasco Labs – 2013-08-25T17:26:17.397

Windows 8 seems to have increased the lockout delay to the point where it's literally quicker to forcefully shut down the computer and reboot after entering a wrong password, rather than wait for the timeout to pass. – Ponkadoodle – 2013-11-16T21:30:44.583

Answers

3

First, as a direct Windows 7 answer from MSDN, the OS is built with the following decision branching for password validation:

  1. Entering a wrong password causes Windows 7 to iterate through its password caching in order to compare all entries. This causes a delay.

  2. If nothing matched in the cache, the computer then has to contact the Domain Controller to validate the password against the account. This causes a delay.

  3. Then, when all else has failed in testing for a valid password, you hit the standard bad password delay, for the reasons mentioned over on ServerFault.

After reviewing password policy on Microsoft Technet for Windows 7, Server 2003, Server 2008, the following settings are possible:

Password History, Minimum Password Length, Maximum Password Age, Minimum Password Age, ObservationWindow, LockoutDuration, LockoutThreshold, badPasswordTime, badPwdCount, ntPwdHistory, ForceUnlockLogon

If you're on a domain, this would be set through a GPO and out of your control; however, locally, for a computer on a workgroup, you can make the settings through SecPol.msc under Security Settings -> Account Lockout Policy.

The only setting even close, badPasswordTime, is the timestamp the last bad password was entered.

In all the settings, nothing references failed password delay, so it's apparently hard coded into the OS.

Now, if you're on Linux, you can add parameters to PAM to allow removal of this delay if it was set up to accept the parameter; otherwise, you have to recompile the PAM module that controls this function with settings of your own choice.

Fiasco Labs

Posted 2013-08-23T20:36:16.063

Reputation: 6 368

1

Also, why would iterating the caches cause a delay? And why does contacting the domain controller take so much time? – einpoklum – 2014-08-23T22:28:35.157

1

But I bet there's some sort of timeout for when you can't contact the domain controller... – einpoklum – 2013-08-26T17:51:07.627
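
On the answer's Linux remark, an added example (not part of the original answer or its comments): a small audit that reads a PAM service file and reports the largest failure delay its `auth` rules request, flagging stacks where the delay has been removed. It assumes the Linux-PAM options `nodelay` (pam_unix) and `delay=N` in microseconds (pam_faildelay), which the page does not name; the sample stacks and function names are constructed for illustration.

```python
import re

PAM_UNIX_DEFAULT_US = 2_000_000  # pam_unix asks for about 2 s unless "nodelay" is set

# Constructed sample service files (not taken from any real system).
DEFAULT_STACK = """
auth  optional                    pam_faildelay.so delay=4000000
auth  [success=1 default=ignore]  pam_unix.so nullok
auth  requisite                   pam_deny.so
"""
DELAY_REMOVED = """
auth     [success=1 default=ignore]  pam_unix.so nullok nodelay  # delay switched off
auth     requisite                   pam_deny.so
account  required                    pam_unix.so
"""

def parse_auth_rules(text):
    """Yield (module, args) for every 'auth' rule; include directives are not followed."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()               # drop comments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1).lower() == "auth":
            yield m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def audit_fail_delay(text, login_defs_fail_delay_s=0):
    """Return (largest failure delay requested in microseconds, findings)."""
    requested, findings = [0], []
    for module, args in parse_auth_rules(text):
        if module == "pam_unix.so":
            if "nodelay" in args:
                findings.append("pam_unix: nodelay set, no delay requested")
            else:
                requested.append(PAM_UNIX_DEFAULT_US)
        elif module == "pam_faildelay.so":
            explicit = [a.split("=", 1)[1] for a in args if a.startswith("delay=")]
            # Without delay=, pam_faildelay falls back to FAIL_DELAY in login.defs,
            # which the caller passes in (assumed 0 here if not supplied).
            us = int(explicit[0]) if explicit else login_defs_fail_delay_s * 1_000_000
            requested.append(us)
            findings.append(f"pam_faildelay: requests {us} us")
    if max(requested) == 0:
        findings.append("WARNING: no failure delay, guesses are not slowed by PAM")
    return max(requested), findings

if __name__ == "__main__":
    for name, stack in (("default", DEFAULT_STACK), ("delay removed", DELAY_REMOVED)):
        print(name, audit_fail_delay(stack))
```

PAM applies the longest delay any module requested, so a single `nodelay` on pam_unix only removes the delay when no other `auth` rule asks for one.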