On Fri, 12 Apr 2024 at 13:53, Martin Rys <spleefer90@xxxxxxxxx> wrote:
> It's common practice to not give an attacker more info than needed
Which does not necessitate LYING to the user.
I think we're a bit over-reacting here. I've fallen foul of this myself also, trying to log into my X not realising that my keyboard layout wasn't applied correctly.
But I'm actually in favour restricting the amount of login attempts that can be done, as it is in line with PCI/DSS practices and although many people won't know what that means, just consider them best-practices.
The implementation of these timeouts don't provide a method for sending an extra message to the user as to why their login attempt failed, but Linux is open source, so feel free to submit proposals and pull requests to make it more to your liking :-P
