Maybe by default do not lock out user after 3 failed login attempts

I think it would be more inexperienced-user friendly if /etc/security/faillock.conf had deny=0 as the default value.

Now, for instance, if you try to unlock your session and you input the wrong password three times in a row, as you are sure you are inputting the right one, maybe because you are using your work's instead of your home's :grin:, the default security protocol takes you absolutely by surprise and you lose your mind for a while, thinking about CIA conspiracies and someone having taken over your PC :crazy_face:, moreover because the default Garuda KDE lock screen shows a message explaining that you are locked out, but you CANNOT see it :scream:, because it shows it only for some milliseconds and then it overwrites it with the standard login-failure message (I realized once I discovered what was going on).

It also does not help that the KUser GUI program does not take this locked-out status into account and doesn't show it anywhere.

Just an idea.

The user is warned. You just can't fix stupid. Nothing ever works.

2 Likes

This is the type of answer that makes a Forum seem unfriendly. I am sorry to tell you this.

If someone broke into my house and took my laptop I would hope it locked them out after 3 wrong tries.

3 Likes

If someone takes your laptop, unless your data is encrypted, they can access it with no sweat, password or no password.

I just hope that they are dumber than me. :crazy_face:

2 Likes

No you aren't or you would not have done so. You put out an idea that I disagreed with, and I told you why. Am I not allowed to do so, or is it because I disagreed with you?

3 Likes

It's because you called me stupid.

I did not.

2 Likes

And I am sorry that I had to tell you that, yes, because if you were nicer, I would not have to.

Hi @anon73488725 ,

The 3 times password failure in a row is a security feature (and not a bug). Even if we increase the attempts to, say, 5, the chances are rare that the user will remember the correct password on the 4th or 5th attempt.

Also 3 chances are pretty common (I guess) in most of the distros.
I personally never locked myself out this way.

But what I agree with you on is that we should clearly state that the user has exhausted 3 attempts for the password.

5 Likes
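The lockout discussed in this thread is governed by the deny, fail_interval and unlock_time options in /etc/security/faillock.conf. The following is an added example, not part of any post in the thread: a shell check that reports the effective policy from such a file. The function names faillock_opt and faillock_policy are hypothetical; the fallback values (deny 3, fail_interval 900, unlock_time 600) are the defaults documented for pam_faillock.

```shell
#!/usr/bin/env bash
# Added example: summarise the effective pam_faillock lockout policy.
# Function names are hypothetical; fallback values are pam_faillock's
# documented defaults (deny=3, fail_interval=900, unlock_time=600).

# faillock_opt FILE OPTION DEFAULT
# Prints the value of OPTION from the last uncommented "option = value"
# line in FILE (assumption: later lines override earlier ones), or
# DEFAULT if the option is not set or the file is not readable.
faillock_opt() {
    local file=$1 opt=$2 def=$3 val=""
    if [ -r "$file" ]; then
        val=$(sed -n -E \
            "s/^[[:space:]]*${opt}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*$/\1/p" \
            "$file" | tail -n 1)
    fi
    printf '%s\n' "${val:-$def}"
}

# faillock_policy FILE
# Prints a one-line description of what happens after failed logins.
faillock_policy() {
    local file=$1 deny unlock interval
    deny=$(faillock_opt "$file" deny 3)
    unlock=$(faillock_opt "$file" unlock_time 600)
    interval=$(faillock_opt "$file" fail_interval 900)
    if [ "$deny" = "0" ]; then
        # deny=0 is the setting proposed in the first post
        echo "lockout disabled (deny=0)"
        return 0
    fi
    case "$unlock" in
        0|never)
            echo "lock after $deny failures in ${interval}s; manual reset required" ;;
        *)
            echo "lock after $deny failures in ${interval}s; auto-unlock after ${unlock}s" ;;
    esac
}

# Report the policy for the file given as $1, or the system file.
faillock_policy "${1:-/etc/security/faillock.conf}"
```

On a locked-out account, an administrator can list the recorded failures with faillock --user NAME and clear them with faillock --user NAME --reset.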

Everyone puts on the jacket that fits them.

I do not see where he has offended you.

Well, the user is not warned. Where is the user warned?

You are worried about being a friendly Forum. Well I pointed out a clear example of a reply that makes someone, that is me, feel not welcome and makes the Forum seem unfriendly. Do with it as you wish.

This part can be fixed. But you still can't fix stupid. Some people just cannot and should not use computers. Have you ever met one? I have. Dozens over the years. They're dangerous people and should not be allowed around computers. Or firearms.

1 Like

Possibly, but that's not Garuda's target audience. It would also represent a divergence from the Arch defaults that would require additional effort to maintain.

If you want a change to the defaults then you'll have to come up with a better reason than "having a security policy is surprising".

Keep in mind that you are talking to people from all over the world, and the sentence "You can't fix stupid" makes perfect sense to me - if a "normal" user regularly types their password incorrectly multiple times, then either they need to use an easier password to type or type more slowly so they don't make a mistake.

Even in the case of someone with difficulty using a keyboard, they will have difficulty no matter what, so I'm not sure that this lock-out policy makes the computer any more difficult to use.

There are different types of "friends". I view a friend as someone who can tell you when you're wrong and call you out on bad behaviour. If you want friends who only ever tell you how wonderful you are then this is not that place.

This was a conscious decision taken during the early months of the forum - do helpers here bend over backwards to spoon-feed and enable "learned helplessness" of "help vampires" then get bored, frustrated, burn out, and leave, or do we set a basic expectation of people trying to help themselves first rather than thinking they are entitled to immediate personal help?

5 Likes

Unfortunately, security features will always be seen as an inconvenience by some. However, the alternative is far worse. If the distro is seen (or claimed) to have poor security practices it gets roasted by anyone with an axe to grind with the distro.

BTW, semantics and language differences might have made you think @c00ter called you stupid, (but he did not). It was more of a general comment on humanity as a whole (not you specifically).

5 Likes

I just made a suggestion from an experience I just had. I was not asking for help nor was I complaining about anything. And now I am being schooled because I politely pointed out that some reply made me feel unwelcome.

The user is warned & the user did not see the warning -> you cannot fix stupid.

I did not see the warning -> I am stupid.

Right, and a number of reasons were given as to why the change is not going to be made based on that suggestion.

However, this is a bug that should be fixed, rather than the defaults changed.

And that was based on a misinterpretation of what was said.

So - the question is, can we all move on?

2 Likes