In Linux, there’s a delay after we enter a wrong password at login before getting prompted for another attempt. This incorrect password delay can occur during console login, sudo command execution, and the graphical login screen.
In this tutorial, we’ll look at how to modify the wrong password delay timeout value for those three cases. All commands have been tested on Debian Buster and should work on most Linux distributions.
2. Introduction to the Problem
When we enter an incorrect password at login, there’s a delay before the system tells us so:
    # login
    pc01 login: baeldung
    Password:
    <delay for few seconds...>
    Login incorrect
    pc01 login:
The same thing happens when we try to run a command with sudo:
    $ sudo apt update
    [sudo] password for baeldung:
    <delay for few seconds...>
    Sorry, try again.
    [sudo] password for baeldung:
The delay also occurs when we enter an incorrect password at the graphical login screen.
3. The Purpose of the Delay
The failed-authentication delay exists for security reasons: it's meant to hinder timing attacks on string comparison and to slow down brute-force attacks.
However, computers these days are so fast that timing attacks aren’t feasible. As for brute-force attacks, instead of waiting for the delay, the attacker could just spawn another login or sudo instance to make another attempt.
Having said that, security should be an aspect of all layers, and every approach has pros and cons with different weights that we need to consider.
4. Modifying the Delay
We can modify the length of the delay in the Pluggable Authentication Modules (PAM) configuration files:
    $ ls /etc/pam.d
    chfn                           cron                    login             samba
    chpasswd                       cups                    mate-screensaver  sddm
    chsh                           gdm-autologin           newusers          sddm-autologin
    cinnamon-screensaver           gdm-fingerprint         other             sddm-greeter
    common-account                 gdm-launch-environment  passwd            su
    common-auth                    gdm-password            polkit-1          sudo
    common-password                lightdm                 ppp               su-l
    common-session                 lightdm-autologin       runuser           systemd-user
    common-session-noninteractive  lightdm-greeter         runuser-l         xscreensaver
PAM config files define the connection between applications (services) and the PAMs that perform the actual authentication tasks.
Let’s modify the delay for the console login, sudo, and the graphical login screen.
4.1. Modifying the Delay for Console Login
The delay timeout configuration for console login is in the login config file:
    $ cat /etc/pam.d/login
    ...
    auth optional pam_faildelay.so delay=3000000
    ...
    @include common-auth
    ...
As we can see, the delay is three million microseconds, or three seconds.
The minimum delay that we can set here is two million microseconds, or two seconds. If we set delay to less than two seconds, the default value from the pam_unix.so module, which is two seconds, is used instead.
The pam_unix.so module is configured in the common-auth file that the login file includes:
    $ cat /etc/pam.d/common-auth
    ...
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    ...
If we want a delay shorter than two seconds, we can set the delay value in the login file and update common-auth by adding nodelay at the end of the pam_unix.so line:
    $ sudo vi /etc/pam.d/common-auth
    ...
    auth [success=1 default=ignore] pam_unix.so nullok_secure nodelay
    ...
We should note that, after this change, all config files that inherit common-auth without adding their own delay will have no delay.
4.2. Modifying the Delay for sudo
The delay timeout configuration for sudo is in the sudo config file:
    $ cat /etc/pam.d/sudo
    #%PAM-1.0
    @include common-auth
    @include common-account
    @include common-session-noninteractive
As we can see, it doesn’t have its own failed authentication delay. It includes common-auth, which calls the pam_unix.so module. The module has a default two-second delay timeout.
However, we can add a shorter or longer delay if we want. For example, here’s how we can make it longer (five seconds):
    $ sudo vi /etc/pam.d/sudo
    #%PAM-1.0
    auth optional pam_faildelay.so delay=5000000
    @include common-auth
    @include common-account
    @include common-session-noninteractive
Or if we want to remove the delay, we can copy the content of common-auth and paste it in sudo so it won’t affect other config files that inherit it, and then add nodelay:
    $ sudo vi /etc/pam.d/sudo
    #%PAM-1.0
    # content of common-auth:
    auth [success=1 default=ignore] pam_unix.so nullok_secure nodelay
    auth requisite pam_deny.so
    auth required pam_permit.so
    @include common-account
    @include common-session-noninteractive
Consequently, the changes above will cause no delay for failed authentication for sudo.
4.3. Modifying the Delay for Simple Desktop Display Manager (SDDM)
The delay timeout configuration for SDDM or the graphical login screen is in the sddm config file:
    $ cat /etc/pam.d/sddm
    ...
    @include common-auth
    ...
The sddm config file is similar to sudo – it doesn’t have its own delay for failed authentication. However, we can add a shorter or longer delay if we want, just as we did for sudo earlier.
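To check which services lose their delay when nodelay goes into the shared common-auth file (the caveat from section 4.1), here is an added example, not part of the original tutorial, that computes the effective failed-authentication delay per service. It assumes a simplified model: control flags are ignored and the longest delay requested by any auth rule wins; the function names and sample files are constructed for illustration.

```python
# Added example: effective failed-auth delay per PAM service (simplified model).
PAM_UNIX_DEFAULT_US = 2_000_000  # pam_unix.so default, as stated in the article

def auth_rules(service, files, seen=None):
    """Yield a service's auth rules as token lists, following @include lines."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return
    seen.add(service)
    for raw in files[service].splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "@include" and len(tokens) > 1:
            yield from auth_rules(tokens[1], files, seen)
        elif tokens[0].lstrip("-") == "auth":
            yield tokens

def effective_delay_us(service, files):
    """Longest delay any auth rule requests; 0 means failures return at once."""
    delays = [0]
    for tokens in auth_rules(service, files):
        if "pam_unix.so" in tokens and "nodelay" not in tokens:
            delays.append(PAM_UNIX_DEFAULT_US)
        if "pam_faildelay.so" in tokens:
            delays += [int(t[6:]) for t in tokens if t.startswith("delay=")]
    return max(delays)

def audit(files, services):
    """Map each service name to its effective delay in microseconds."""
    return {s: effective_delay_us(s, files) for s in services}

# Constructed sample files, modelled on the listings in this article.
COMMON_AUTH = ("auth [success=1 default=ignore] pam_unix.so nullok_secure{}\n"
               "auth requisite pam_deny.so\nauth required pam_permit.so\n")
SERVICES = {
    "login": "auth optional pam_faildelay.so delay=3000000\n@include common-auth\n",
    "sudo": "#%PAM-1.0\n@include common-auth\n@include common-account\n",
    "sddm": "@include common-auth\n",
}
BEFORE = {**SERVICES, "common-auth": COMMON_AUTH.format("")}
AFTER = {**SERVICES, "common-auth": COMMON_AUTH.format(" nodelay")}

if __name__ == "__main__":
    for name, files in (("before", BEFORE), ("after nodelay", AFTER)):
        print(name, audit(files, SERVICES))
```

With the sample data, login keeps its three-second delay after the change, while sudo and sddm drop to zero. To audit a real host, build the files mapping from the contents of /etc/pam.d instead of the constructed strings.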
In this article, we learned about modifying the delay timeout for failed authentication using PAM.