https://bugzilla.novell.com/show_bug.cgi?id=799988

https://bugzilla.novell.com/show_bug.cgi?id=799988#c0

Summary: No Incorrect Password Re-Entry Delay at Konsole (Terminal)
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Macintosh
OS/Version: openSUSE 12.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: KDE4 Applications
AssignedTo: kde-maintainers@suse.de
ReportedBy: jane.d.anonymous@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0

When an incorrect password is entered at the command line, "Sorry, try again" is displayed immediately, up to a maximum of three consecutive times. This is an easy-to-solve security issue.

Reproducible: Always

Steps to Reproduce:
1. Open a terminal.
2. Run any command as super user, e.g. "sudo man zypper"
3. Enter an incorrect password for sudo

Actual Results:
"Sorry, try again" appears immediately, up to a maximum of three times, whence the cycle can be immediately started again.

Expected Results:
There should be a delay in the error message appearing. Lacking this delay makes brute-force hacking of a system infinitely easier, as millions of incorrect passwords could be tried every minute, rather than the scant few that could be tried with a simple delay. Implementing this delay is common in *nix systems, and should be implemented here. I hesitate to file this as an "Enhancement" bug, as it's really crucial that this kind of straightforward security hole be patched.
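Added example, not part of the original report: on PAM-based Linux systems the pause after a failed password is normally requested by modules in the auth stack (`pam_unix` unless it is given `nodelay`, or `pam_faildelay` with `delay=` in microseconds), so a check of that stack shows whether a delay is in effect. The function name `audit_pam_delay` and both sample stacks are constructed for illustration; the report does not say what the openSUSE 12.2 PAM files contain.

```shell
#!/bin/sh
# Audit a PAM auth stack for the settings that control the failed-login delay.
# Prints one finding per line; returns 0 if a delay is in effect, 1 otherwise.
# Assumption: only an explicit delay=N on pam_faildelay is evaluated here.
audit_pam_delay() {
    file=$1
    # Drop comments and keep only lines of type "auth".
    auth_lines=$(sed -e 's/#.*//' "$file" | awk '$1 == "auth"')
    status=1
    # pam_unix requests a delay on failure unless "nodelay" is given.
    if printf '%s\n' "$auth_lines" | grep -q 'pam_unix\.so'; then
        if printf '%s\n' "$auth_lines" | grep 'pam_unix\.so' | grep -qw 'nodelay'; then
            echo "pam_unix: nodelay set, module requests no failure delay"
        else
            echo "pam_unix: default failure delay requested"
            status=0
        fi
    fi
    # pam_faildelay sets an explicit delay in microseconds (delay=N).
    usec=$(printf '%s\n' "$auth_lines" |
        sed -n 's/.*pam_faildelay\.so.*delay=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$usec" ]; then
        echo "pam_faildelay: delay=${usec} microseconds"
        if [ "$usec" -gt 0 ]; then status=0; fi
    fi
    [ "$status" -eq 0 ] || echo "no failure delay configured in $file"
    return "$status"
}

# Constructed sample stacks (not taken from any real system).
tmp=$(mktemp -d)
printf '%s\n' 'auth required pam_env.so' \
    'auth required pam_unix.so try_first_pass nodelay' > "$tmp/weak"
printf '%s\n' 'auth optional pam_faildelay.so delay=3000000' \
    'auth required pam_unix.so try_first_pass nodelay' > "$tmp/fixed"

audit_pam_delay "$tmp/weak" || true   # reports that no delay is configured
audit_pam_delay "$tmp/fixed"          # reports the 3-second pam_faildelay setting
```

On a real system, point the function at the file that sudo's PAM service actually includes rather than at the sample files.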