15

I am horribly impatient and can't stand the (for me subjectively long) delay of around 2 seconds after entering an incorrect password in the login screen or also as sudo password, before I can retry typing it correctly.

Is there a way to modify the delay and reduce it to around half a second or turn it completely off, both for sudo and the login screen?

The optimal solution would include a longer delay after maybe 3 or 5 incorrect passwords, to still prevent brute-forcing.

PS: I am currently using vanilla Ubuntu 16.04 with Unity Desktop and lightdm.

muru
  • 207,228
Byte Commander
  • 110,243

3 Answers

19

In Ubuntu, to remove the delay for incorrect passwords in the terminal, edit the file common-auth found in the folder /etc/pam.d.

sudo nano /etc/pam.d/common-auth

Then add the string nodelay to the end of the line

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

so that it says

auth    [success=1 default=ignore]      pam_unix.so nullok_secure nodelay

Then save the file with nano by pressing Ctrl+X, Y, Enter.

If you want to instead change the delay, first do the step above and remove the delay completely. Then add the following line to the same file before the line you altered above:

auth       optional     pam_faildelay.so  delay=500000

This will be the first uncommented line of the file. If you add this line after the first line you edited, then it won't work.

Now you can edit the delay value to whatever you want. I put a half second like you wanted.

7

If you want to lower the delay rather than disabling it altogether, edit /etc/pam.d/login:

sudoedit /etc/pam.d/login

Find the line that looks like:

auth       optional   pam_faildelay.so  delay=3000000

Change the number after delay= to a smaller value, as desired.
Note that the number is in microseconds, so 1000000 is 1 second.



Pezo
  • 103
Eliah Kagan
  • 119,640
2

To get your system to ignore the default password security delay add nodelay to the /etc/pam.d/common-auth file:

Change this line:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

To:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure nodelay

Then reboot the system for it to take effect.

Note:

Formerly done in /etc/login.defs, but now handled by PAM in /etc/pam.d by various configuration files.

George Udosen
  • 37,534
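A way to check the result of the edits described in the answers above, as an added example that is not part of any of the original posts: it parses the auth lines of a PAM file and reports whether nodelay is set on pam_unix.so, what delay pam_faildelay.so requests, and whether the two lines are in the order the first answer requires. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample: /etc/pam.d/common-auth after the first answer's edits.
GOOD = """\
# here are the per-package modules
auth    optional                        pam_faildelay.so delay=500000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure nodelay
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Constructed sample: nodelay only, as in the third answer.
NODELAY_ONLY = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure nodelay
auth    requisite                       pam_deny.so
"""

# The control field is one word or a bracketed list such as [success=1 default=ignore].
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Active (uncommented) auth entries as (module, args), in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(2), m.group(3).split()))
    return stack

def audit(text):
    stack = auth_stack(text)
    names = [mod for mod, _ in stack]
    unix = names.index("pam_unix.so") if "pam_unix.so" in names else None
    fd = names.index("pam_faildelay.so") if "pam_faildelay.so" in names else None
    nodelay = unix is not None and "nodelay" in stack[unix][1]
    delay_us = None
    if fd is not None:
        for arg in stack[fd][1]:
            if arg.startswith("delay="):
                delay_us = int(arg[6:])  # microseconds
    findings = []
    if nodelay and fd is None:
        findings.append("no delay between failed password attempts")
    if fd is not None and unix is not None and fd > unix:
        findings.append("pam_faildelay.so is after pam_unix.so (first answer: won't work)")
    if fd is not None and unix is not None and not nodelay:
        findings.append("pam_unix.so lacks nodelay: its default delay still applies")
    return {"nodelay": nodelay, "delay_us": delay_us, "findings": findings}

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("NODELAY_ONLY", NODELAY_ONLY)):
        print(name, audit(text))
```

On a real system, pass the contents of /etc/pam.d/common-auth to audit(); a file that pulls in pam_unix.so through an include, such as /etc/pam.d/login, reports only its own pam_faildelay.so value.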