[pkg-cryptsetup-devel] Bug#857780: cryptsetup: After 3 wrong tries user forced to wait 60 seconds
Igor
qazjap11 at gmail.com
Tue Mar 14 20:56:37 UTC 2017
Package: cryptsetup
Version: 2:1.7.3-3
Severity: normal
Dear Maintainer,
At /usr/share/initramfs-tools/scripts/local-top/cryptroot there is the following piece of code:
    failsleep=60 # make configurable later?
    if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
        message "cryptsetup ($crypttarget): maximum number of tries exceeded"
        message "cryptsetup: going to sleep for $failsleep seconds..."
        sleep $failsleep
        exit 1
    fi
Cryptsetup is designed to resist a multimillion brute force attack, having the whole hard disk and a lot of time, thus I can't see how limiting user input to 3 tries/minute would improve the security, rather than annoy users.
If one has a weak password that this limit would save from being cracked, he does not use disk encryption correctly, and probably simply needs a GRUB password or something like that.
Mistakenly I have reported this bug to upstream first: https://gitlab.com/cryptsetup/cryptsetup/issues/311
Sincerely,
Semion
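The try-limit condition from the cryptroot snippet quoted in the report, factored into a shell function so its edge cases can be checked on their own (added example, not code from the Debian cryptsetup package). It shows that the back-off only applies to the root device and that `crypttries=0` disables the limit entirely; the `CRYPTROOT_FAILSLEEP` variable is an assumed, hypothetical knob standing in for the script's "make configurable later?" comment.

```shell
# Added example, not the Debian cryptroot script itself.
# CRYPTROOT_FAILSLEEP is a hypothetical override; the real script hardcodes 60.
failsleep="${CRYPTROOT_FAILSLEEP:-60}"

# Usage: crypt_backoff_needed <cryptrootdev yes|no> <crypttries> <count>
# Returns 0 (true) when the script would sleep and abort, 1 otherwise.
# crypttries=0 means "unlimited", and non-root devices are never delayed.
crypt_backoff_needed() {
    cryptrootdev="$1"; crypttries="$2"; count="$3"
    [ "$cryptrootdev" = "yes" ] && [ "$crypttries" -gt 0 ] && [ "$count" -ge "$crypttries" ]
}

# Usage: crypt_backoff_action <cryptrootdev> <crypttries> <count> <target>
# Prints the decision instead of sleeping, so it can be run offline;
# the real script calls 'sleep $failsleep' and then 'exit 1'.
crypt_backoff_action() {
    if crypt_backoff_needed "$1" "$2" "$3"; then
        echo "cryptsetup ($4): maximum number of tries exceeded; sleeping $failsleep s then exit 1"
        return 1
    fi
    echo "cryptsetup ($4): prompting again (try $3 of $2)"
    return 0
}
```

Running `crypt_backoff_action yes 3 3 sda5_crypt` reports the back-off path, while `crypt_backoff_action yes 0 100 sda5_crypt` keeps prompting, which is the behaviour an administrator gets by setting `tries=0` in crypttab.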