Ask HN: Why is OS X so slow at verifying a wrong password at sign-in?

3 points by actusual ↗ HN
When I type my password in on OSX, if it is correct it will sign me in almost instantly. If the password is wrong, it spins for several seconds, then fails to login. Why is it so slow to verify my password?

5 comments

[ 4.0 ms ] story [ 25.2 ms ] thread
It is not really OSX, but PAM [1]. And one can understand why when looking at this Stackexchange answer [2]:

> This is a security thing, it's not actually taking long to realize it. 2 vulnerabilities this solves:

> 1. this throttles login attempts, meaning someone can't pound the system as fast as it can go trying to crack it (1M attempts a sec? I don't know).

> 2. If it did it as soon as it verified your credentials were incorrect, you could use the amount of time it took for it to invalidate your credentials to help guess if part of your credentials were correct, dramatically reducing the guessing time.

[1] https://en.wikipedia.org/wiki/Pluggable_authentication_modul...

[2] https://unix.stackexchange.com/questions/2126/why-is-there-a...

Yep, OSX isn't the only system doing this, any good disk encryption program also has the same feature.
As far as I'm aware, there's an attack where you can determine how correct a password is based on how long it takes to get denied. For example, take a simple algorithm where you check the password character by character, and return as soon as you encounter a bad character. This means you can detect a subset of a correct password.
(comment deleted)
It’s a feature, to slow down brute force attacks!