It's always annoyed me how people set the lockout-after-n-attempts value to ~3 or 4. Why not 100? It makes almost no difference in your chances at brute forcing a password, but means that the real user trying all the passwords they might have used won't get locked out midway.
If you type a wrong password in "su" on OpenBSD, the binary responds immediately, telling you you're wrong. On Linux, it does this stupid artificial 3-second penalty.
The Linux way sounds better, but the OpenBSD way is better. If you want people to use passwords, don't do petty nagging of them when they make a mistake.
On Linux when I mistype a password, I control-Z the "su" session and launch a new one instead of sitting around like a scolded schoolboy waiting for the binary to give me another chance.
> It makes almost no difference in your chances at brute forcing a password
Depends on how many people use a password in the top 100 most common vs. how many use one in the top 3. I would think it would be a sizeable difference.
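To put numbers on the "3 vs. 100" disagreement above, here is an added example (not from anyone in this thread) that models user password choice with a Zipf-like popularity distribution and computes what fraction of accounts an online guesser who tries the most common passwords in order would hit before a lockout threshold of n stops them. The distribution parameters (`n_distinct`, exponent `s`) are assumptions for illustration, not measured data.

```python
"""Estimate how the lockout threshold changes an online guesser's success rate.

Model (assumption, not data): the share of users choosing the k-th most
popular password is proportional to 1 / k**s (a Zipf-like curve), over
n_distinct distinct passwords. An attacker tries passwords in popularity
order and gets exactly n guesses per account before lockout.
"""
from typing import Dict, List


def zipf_weights(n_distinct: int, s: float) -> List[float]:
    """Normalised popularity share of each password rank 1..n_distinct."""
    raw = [1.0 / (rank ** s) for rank in range(1, n_distinct + 1)]
    total = sum(raw)
    return [w / total for w in raw]


def crack_fraction(weights: List[float], n_guesses: int) -> float:
    """Fraction of accounts hit when the attacker gets n_guesses tries per
    account and spends them on the n_guesses most popular passwords."""
    return sum(weights[:max(0, n_guesses)])


def compare_thresholds(thresholds: List[int],
                       n_distinct: int = 1_000_000,
                       s: float = 0.9) -> Dict[int, float]:
    """Map each lockout threshold to the modelled per-account success rate."""
    weights = zipf_weights(n_distinct, s)
    return {n: crack_fraction(weights, n) for n in thresholds}


if __name__ == "__main__":
    results = compare_thresholds([3, 4, 10, 100])
    for n, frac in results.items():
        print(f"lockout after {n:>3} guesses: {frac:.2%} of accounts hit")
    # The ratio between the 100- and 3-guess rows is the "sizeable difference"
    # the reply is pointing at; lower s flattens the curve and shrinks it.
    print(f"100-vs-3 ratio: {results[100] / results[3]:.1f}x")
```

Swapping the Zipf weights for a real per-site frequency histogram (if you have one from your own authentication logs) turns this from a model into a measurement of your own user base.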