HACKER Q&A
📣 actusual

Why is OS X so slow at verifying a wrong password at sign-in?


When I type my password in on OS X, if it is correct it will sign me in almost instantly. If the password is wrong, it spins for several seconds, then fails to log in. Why is it so slow to verify my password?


  👤 zekrioca Accepted Answer ✓
It is not really OS X, but PAM [1]. And one can understand why when looking at this Stack Exchange answer [2]:

> This is a security thing; it's not actually taking long to realize it. Two vulnerabilities this solves:

> 1. This throttles login attempts, meaning someone can't pound the system as fast as it can go trying to crack it (1M attempts a sec? I don't know).

> 2. If it did it as soon as it verified your credentials were incorrect, you could use the amount of time it took for it to invalidate your credentials to help guess if part of your credentials were correct, dramatically reducing the guessing time.

[1] https://en.wikipedia.org/wiki/Pluggable_authentication_modul...

[2] https://unix.stackexchange.com/questions/2126/why-is-there-a...


👤 landa
As far as I'm aware, there's an attack where you can determine how correct a password is based on how long it takes to get denied. For example, take a simple algorithm where you check the password character by character, and return as soon as you encounter a bad character. This means you can detect a subset of a correct password.
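
As an added illustration of the point above (example code, not from this thread): the early-exit comparison returns how many characters it examined before rejecting, which is exactly the quantity that shows up as elapsed time on real hardware, next to a comparison with no early exit. `STORED_PASSWORD` and the step-counting helpers are constructed for the demo; in a real system the check runs over a salted hash, and PAM adds the fixed delay the Stack Exchange answer describes.

```python
import hmac

# Constructed secret for the demonstration only (not a real credential).
STORED_PASSWORD = "correct horse battery staple"


def naive_compare(stored: str, guess: str) -> tuple[bool, int]:
    """Character-by-character check that stops at the first mismatch.

    Returns (match, steps). `steps` is the number of characters examined;
    it grows with the length of the correct prefix, so timing leaks it.
    """
    steps = 0
    if len(stored) != len(guess):
        return False, steps           # even the length leaks immediately
    for a, b in zip(stored, guess):
        steps += 1
        if a != b:
            return False, steps       # early exit: the leak
    return True, steps


def constant_time_compare(stored: str, guess: str) -> tuple[bool, int]:
    """Check that always does the same amount of work for a given length.

    hmac.compare_digest is the standard-library primitive for this; the
    reported `steps` is fixed to the full length so the two functions can
    be contrasted the same way.
    """
    match = hmac.compare_digest(stored.encode(), guess.encode())
    return match, len(stored)


def steps_for_prefix(compare, prefix_len: int) -> int:
    """Work spent rejecting a guess whose first `prefix_len` characters are
    right and the rest wrong (guess constructed to probe the behaviour)."""
    tail = "".join("y" if c == "x" else "x" for c in STORED_PASSWORD[prefix_len:])
    guess = STORED_PASSWORD[:prefix_len] + tail
    return compare(STORED_PASSWORD, guess)[1]


if __name__ == "__main__":
    for p in range(4):
        print(p, steps_for_prefix(naive_compare, p),
              steps_for_prefix(constant_time_compare, p))
```

Run it and the naive column climbs 1, 2, 3, 4 with the correct prefix while the constant-time column stays at the full length, which is the difference between a check that leaks and one that does not.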

👤 aborsy
It’s a feature, to slow down brute force attacks!