Post History
On a default Arch install, faillock makes it so that if you enter the sudo password wrong too many times, even the correct password will be rejected until the timer is up. At the same time, you ca...
#1: Initial revision
What's the point of faillock?
On a default Arch install, `faillock` makes it so that if you enter the sudo password wrong too many times, even the correct password will be rejected until the timer is up. At the same time, you can type `faillock --reset` **without sudo** and reset the timer. What is the point of this? I can see a dubious security benefit to not giving people too many guesses. But there is already a delay when you type a wrong password, so it's not like they can brute force it. And if your password is so easy that a few guesses are enough... Well, they can just wait 5 minutes and guess anyway. Is there some logic to why it gets set up in this silly way? I know Arch doesn't customize packages, but the author of faillock must have had some kind of reason. Is there some security advantage to enabling this failed password timeout, but leaving `faillock --reset` runnable without knowing the password?