https://bugs.kde.org/show_bug.cgi?id=415443

            Bug ID: 415443
           Summary: Wrong password delay should be configurable
           Product: kscreenlocker
           Version: unspecified
          Platform: Manjaro
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: greeter
          Assignee: plasma-b...@kde.org
          Reporter: radon.n...@gmail.com
                CC: bhus...@gmail.com
  Target Milestone: ---

SUMMARY
When I type in a wrong password on the KDE lock screen, the input field is
grayed out for three seconds and I must wait to try again. This behavior should
be optional.

STEPS TO REPRODUCE
1. Log in
2. Lock screen
3. Type in wrong password

OBSERVED RESULT
The password field is grayed out for three seconds.

EXPECTED RESULT
I wish for there to be no delay, or equally as good -- a delay of around 100ms.

SOFTWARE/OS VERSIONS
Linux: 4.19.88
KDE Plasma Version: 5.17.4
KDE Frameworks Version: 5.64.0
Qt Version: 5.13.2

ADDITIONAL INFORMATION
Whenever somebody proposes that the wrong password delay be configurable,
somebody else says "but that's bad security practice". I don't agree. A delay
of three seconds is really annoying from a user perspective, whereas a delay of
100ms is unnoticeable. But both delays will suffice entirely to deter
brute-force attackers.

It would be ideal if the default delay is inherited from PAM, because -- well,
why not? Isn't the whole point of PAM for it to be a central place to configure
this sort of thing? By configuring PAM, I change the security profile of my tty
logins, my sudo prompts, my remote logins, ... but not KDE, it seems.

But really, this should be configurable. What I had to do is patch the source
of kscreenlocker (and it sure did take a while to figure out that kscreenlocker
was the culprit). For other hapless users like myself, the process is as
follows on Manjaro/Arch:

    $ yay -G kscreenlocker
    $ cd kscreenlocker
    $ makepkg --nobuild

Now go into src/ and find the line 'm_graceLockTimer->setInterval(3000);'. Edit
3000 to be 0 instead.

    $ makepkg --noextract -si

Log out and back in -- voila!

I originally opened this bug report: https://github.com/sddm/sddm/issues/1218
