What's the point of faillock?

On a default Arch install, faillock makes it so that if you enter the sudo password wrong too many times, even the correct password will be rejected until the timer is up.

At the same time, you can type faillock --reset without sudo and reset the timer.

I can see a dubious security benefit to not giving people too many guesses. But there is already a delay when you type a wrong password, so it's not like they can brute force it. And if your password is so easy that a few guesses are enough... Well, they can just wait 5 minutes and guess anyway.

Is there some logic to why it gets set up in this silly way? I know Arch doesn't customize packages, but the author of faillock must have had some kind of reason. Is there some security advantage to enabling this failed password timeout, but leaving faillock --reset runnable without knowing the password?

is a duplicate

This question has been asked before and has already been answered. It should be marked as a duplicate.

Please enter the URL of the proposed duplicate in the details field below.

not constructive

This question cannot be answered in a way that is helpful to anyone. It's not possible to learn something from possible answers, except for the solution for the specific problem of the asker.

Communities

What's the point of faillock?

0 comment threads

0 answers