Re: pam 1.6.1-2 breaks sudo password


On 2024-04-12 at 13:59:08 +0100,
Andy Pieters <arch-general@xxxxxxxxxxxxxxxxx> wrote:

> On Fri, 12 Apr 2024 at 13:53, Martin Rys <spleefer90@xxxxxxxxx> wrote:
> 
> > > It's common practice to not give an attacker more info than needed
> >
> > Which does not necessitate LYING to the user.

In the old days, login(1) used to try to be helpful by separating bad
usernames from bad passwords.  Because that's bad for security, bad
implementations changed to "login failed," but good implementations
changed to "bad username or password" and also referenced the caps lock
and/or num lock keys.  The difference is subtle, but a huge win for
usability, and not a loss for security.

> I think we're a bit over-reacting here. I've fallen foul of this myself
> also, trying to log into my X not realising that my keyboard layout wasn't
> applied correctly.

That's a different class of problem, although very much on a likely path
to getting locked out.  At least my screen locker is nice enough to tell
me the state of my caps lock key, and it could tell me the keyboard
layout, too, if I hadn't disabled it.  Some display managers have
similar capabilities.

Fans of Windows used to say that Unix was like a car whose dashboard
contained nothing, until something (anything) went wrong, and then
displayed a flashing red question mark.

> But I'm actually in favour of restricting the amount of login attempts that
> can be done, as it is in line with PCI/DSS practices and although many
> people won't know what that means, just consider them best-practices.

Many of those practices make a lot of assumptions that don't apply to my
laptop, of which I am the only user, and which nearly never leaves my
physical possession.  Yes, it's connected to the internet, and yes, it
could be stolen (from my couch, from a hotel room, inside my backpack,
etc.), but best practices for a semi-public or corporate shared server
are much different from best practices for my non-shared, effectively
single-user laptop.

> The implementation of these timeouts doesn't provide a method for sending an
> extra message to the user as to why their login attempt failed, but Linux
> is open source, so feel free to submit proposals and pull requests to make
> it more to your liking :-P

Someone already posted a link to a config file that makes a personal
computer behave more like a personal computer.  So all we're talking
about here (I think) is tweaking the settings for your particular needs.
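As an added illustration of the "tweaking the settings" point (this is not the config file linked earlier in the thread, nor anything from the pam project; the values are assumptions chosen for a single-user laptop), the lockout behaviour that sudo picks up through pam_faillock is controlled by /etc/security/faillock.conf. The shipped defaults are three failures within a 15-minute window followed by a 10-minute lock; the fragment below loosens those so a typo under a wrong keyboard layout does not lock the only user out:

```ini
# /etc/security/faillock.conf  (example settings, assumed for a
# non-shared laptop; the defaults are deny = 3, fail_interval = 900,
# unlock_time = 600)

# lock after 10 consecutive failures instead of 3
deny = 10

# failures are only counted as consecutive if they fall within this
# many seconds of each other (15 minutes)
fail_interval = 900

# auto-unlock after 60 seconds; 0 would mean "locked until an admin
# runs faillock --reset", which is the setting that strands a sole user
unlock_time = 60

# keep the "The account is locked" message visible rather than hiding it
# (leave 'silent' commented out); that message is the only hint sudo gives
# silent

# don't apply the tally to root at all; root is not a login target here
# even_deny_root
```

The current tally for an account can be inspected with `faillock --user "$USER"` and cleared with `faillock --user "$USER" --reset`, which is the quickest recovery when a lock has already triggered. The trade-off being made is explicit: a longer `deny` and short `unlock_time` are reasonable where the threat is the owner's own typos, and unreasonable on a shared or network-facing host, which is exactly the distinction the message above draws.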
