How the Windows password works and why when we type a wrong one it takes more time to login

It may have happened that you entered the wrong password on Windows (XP/7/8/10…) and noticed that the computer took noticeably longer to return you to the input field.

Many will have wondered why, when you enter the correct password, the PC recognizes it immediately, while otherwise it seems to freeze for a moment.


Some may have thought that the computer needs to do more calculations to verify a wrong password, but it doesn’t.

The instructions that the PC executes to verify a password are always the same: it hashes the entered password and compares the result with the previously stored value.

The initial password is not stored on the system in ‘plain text’ (readable form); instead, for security reasons, a one-way hash function (OWF, complexity class NP) is applied to it and the resulting string is stored (even with this string in hand, it is not feasible to recover the password that was entered).

When you enter the password to log in, the PC computes a new hash and compares the new string with the one saved initially.

If they match, you are let through to the desktop; otherwise you are sent back to the input field.


But if it performs the same calculations, why does it take longer when you make a mistake? 

It’s a security measure: by imposing a short delay after each failure, brute force attacks (in short, trying every possible password until the right one is found) are discouraged, since even just 5 seconds of waiting per attempt would stretch such an attack from years to decades.

The generic name for this behavior is tarpitting. 

The concept was first used for login attempts on network devices and has since been extended to many other applications.
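The store-hash-then-compare procedure and the failure delay described above, as an added illustrative example (not Windows’ own implementation, which uses its own hash formats; this uses PBKDF2-SHA256 with a salt and constant-time comparison, and the 5-second delay is the figure quoted in the text):

```python
import hashlib
import hmac
import os
import time

# Delay applied after a failed attempt (the tarpit). 5 s is the value the text cites.
FAILURE_DELAY_SECONDS = 5.0


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Store only a salted one-way hash, never the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, attempt: str, delay_fn=time.sleep) -> tuple[bool, float]:
    """Hash the attempt exactly as at enrolment and compare with the stored hash.

    The hashing work is identical for right and wrong passwords; the only
    difference is the deliberate delay imposed on failure. delay_fn is
    injectable so the behaviour can be checked without really sleeping.
    Returns (accepted, seconds_of_delay_applied).
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison: no timing leak about how many bytes matched.
    if hmac.compare_digest(candidate, record["hash"]):
        return True, 0.0
    delay_fn(FAILURE_DELAY_SECONDS)
    return False, FAILURE_DELAY_SECONDS


def brute_force_seconds(candidates: int, hash_seconds: float, delay: float) -> float:
    """Worst-case time to try every candidate: hashing cost plus the tarpit delay."""
    return candidates * (hash_seconds + delay)


if __name__ == "__main__":
    rec = store_password("correct horse battery")       # constructed sample password
    print(verify_password(rec, "correct horse battery", delay_fn=lambda s: None))
    print(verify_password(rec, "wrong guess", delay_fn=lambda s: None))
    # Constructed comparison: 26**8 lowercase candidates at 1 ms per hash, with and without the delay.
    print(brute_force_seconds(26**8, 0.001, 0.0) / 31_536_000, "years without delay")
    print(brute_force_seconds(26**8, 0.001, FAILURE_DELAY_SECONDS) / 31_536_000, "years with delay")
```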

Here is an in-depth explanation. 
