Quoting Dmitri Gribenko (griboz...@gmail.com):
> Package: login
> Version: 1:4.1.3.1-1
> Severity: normal
>
> If you enter an invalid login, you get "login incorrect" immediately. Expected
> behavior is that password should be asked regardless of login correctness.
> This is to mitigate user enumeration attacks.

login uses PAM for this and default settings are correct wrt brute force attacks, with a 3-second delay before answering "Login incorrect".

Please check your /etc/pam.d/login file, it's probably missing a line like this:

auth       optional   pam_faildelay.so  delay=3000000
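
Added example, not part of the original message or of the login/PAM packages: a shell check for the pam_faildelay line mentioned in the reply above. The function name pam_faildelay_usec and the sample file are constructed for illustration; files pulled in via @include are not followed.

```shell
#!/bin/sh
# Hypothetical helper: print the delay, in microseconds, of every active
# pam_faildelay.so auth line in a PAM service file.
# Exit status is 0 if at least one such line exists, 1 otherwise.
pam_faildelay_usec() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        $1 != "auth" && $1 != "-auth" { next }   # only the auth stack matters
        {
            mod = 0
            for (i = 2; i <= NF; i++) {
                # the control field may be bracketed and contain spaces,
                # so locate the module by name instead of by position
                if ($i == "pam_faildelay.so" || $i ~ /\/pam_faildelay\.so$/) {
                    mod = i
                    break
                }
            }
            if (!mod) next
            found = 1
            # without delay=N the module uses FAIL_DELAY from login.defs
            # (per pam_faildelay(8)); report that case as "unset"
            delay = "unset"
            for (i = mod + 1; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) delay = substr($i, 7)
            print delay
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed /etc/pam.d/login excerpt
#auth      optional   pam_faildelay.so  delay=1
auth       optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_nologin.so
EOF
pam_faildelay_usec "$sample"
rm -f "$sample"
```

On a real host, call it as `pam_faildelay_usec /etc/pam.d/login`; a non-zero exit status means no active pam_faildelay line was found in that file.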