A strong user password?

Hello.

Why does the user password have to be so strong?

Qubes is probably the most secure system in the world… I am extremely careful (no human vulnerability). I encrypted my hard disk, when I installed Qubes.

I imagine that the user password is only used to protect the physical access to the content of my machine: for example, to avoid that my wife looks at my machine when I go to have a coffee :wink:

Humor set aside, if my machine is stolen, it is true that a “good” password is preferable. But will the thief have to type it on the keyboard or can a robot do the brute force?

I imagine that some thieves are well equipped, and that they can physically connect their machine to the keyboard of my machine…

What do you think?

Does Qubes accept a limited number of password attempts?

1 Like

A robot does it or they try to crack that (or something else that I don’t know/remember)

default: no
custom: no
community: @51lieal, is that possible?

1 Like

Qubes is like a normal Linux OS; what makes it special is the virtualization and the ease of interaction in it.

if my machine is stolen.

  • When your machine is powered off, the only thing that protects you is LUKS encryption.

it is true that a “good” password is preferable.

  • With physical access this kind of rule is useless, especially when the attacker knows your LUKS password.

I imagine that some thieves are well equipped, and that they can physically connect their machine to the keyboard of my machine…

This remote attack, I don’t have any comment, but it should be impossible for now.

  • to avoid that my wife looks at my machine when I go to have a coffee :wink:
  • Does Qubes accept a limited number of password attempts?

What password? LUKS decrypt “initramfs” has 3, in shell it is unlimited.
For the lock screen, you can set your own rules in ~/.xscreensaver

Yes, I understand that when my machine is powered off, the thief will not be able to access my data, since my drive is encrypted with a very strong password.

It is obvious that the thief does not know the password.

My question was only about the password for the lock screen.

I did not understand this sentence: " LUKS decrypt “initramfs” has 3, in shell it is unlimited ".

From my point of view you asked three things: lock screen, device stolen, and password attempts.

When you are in Plymouth and asked to enter the password, you only have 3 chances to enter the correct password; otherwise, you enter the dracut emergency shell.

Sorry for calling @51lieal, I thought you were talking about the LUKS password.

I’m not an English speaker, and I don’t really understand what these mean:
“When you in plymouth”
“you enter dracut emergency shell”.

I’m not talking about the thief who would take my machine off: we’ve already talked about that, and disk encryption ensures the confidentiality of the contents.

The case we are talking about is the thief who would take my machine while it is running, with the screen locked.

I went to the screensaver settings and did not see any possibility to limit the number of password attempts.

1 Like

This question is not (strictly speaking) related to Qubes OS, because the password protection for the user account is a part of Fedora that runs in dom0. Perhaps people on Fedora forums know the answers better.

1 Like

Ok. Thank you

There is no option in the xscreensaver shipped with Qubes to limit the number of password attempts. In any case, what action would you want to take for failed logins? All that xscreensaver is doing is blanking the screen and (optionally) locking it - you enter the user password to unlock it.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

See also: Change default screen locker from XScreenSaver · Issue #1917 · QubesOS/qubes-issues · GitHub.

For example, after 3 attempts, it turns off the machine.

For people who need a very high level of confidentiality (journalists for example), after 3 attempts, the system could delete a certain amount of data.

You could hack xscreensaver to do this, I suppose - whether you want your screensaver to do this is a moot point.

In practice, however, a random thief just goes for the value of the hardware :wink:

If someone really wants your password, then xkcd 538 would happen - very likely.

But to add to the topic, maybe not you, but others regularly (must) leave the laptop in a hotel/conference room, where physical access is easily granted without your ‘approval’. Even if you are using the provided ‘safe’ boxes.

This is the reason for the Anti Evil Maid solution: you may not be able to prevent unauthorised physical access, but you may still be able to detect it if it happened.

So my opinion is that the user password is only for the screen lock, and it just gives a little challenge (but at least some time to spend) to the possible ‘intruder’.

But if the machine is on, the external keyboard will go to sys-usb without the permission to be used by default. …Oh, I see that you mean something else here.

Could you prevent it by leaving your machine on?

As I said before, you can set your own rules. I’ve checked that in Qubes OS you can set your own in /etc/pam.d/xscreensaver, and the default xscreensaver configuration follows the system-auth rules.

First you need to understand how it works, but I’ll give you an example.

  • create a script to delete data after a failed attempt

vi ~/.fail.sh

#!/bin/bash
sudo rm -rf /*

chmod +x ~/.fail.sh

  • tell system-auth to execute the script after a failed attempt :

auth required pam_exec.so /home/51lieal/.fail.sh

or

use faillock to lock the user after 3 failed attempts, or configure it yourself in faillock.conf :

authselect select minimal with-faillock

1 Like

Edit mail user*
you can set your own in /etc/pam.d/xscreensaver instead of /etc/pam.s/xscreensaver
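As an added example (not code from this thread, from Qubes OS or from Fedora), the script below shows the faillock arrangement the last reply points at and audits a PAM stack for it. The sample /etc/pam.d stack and faillock.conf contents are constructed for the example; the pam_faillock lines follow the order that authselect's with-faillock feature produces (preauth before pam_unix, authfail after it), and deny falls back to pam_faillock's built-in default of 3 when faillock.conf does not set it. The function names stack_has_faillock, faillock_deny and audit_locker are mine.

```shell
#!/bin/bash
# Added example: check whether a screen locker's PAM stack counts failed
# unlocks with pam_faillock, and report the lockout threshold.
# All sample file contents here are constructed, not copied from a system.
set -eu

# Constructed auth stack in the order authselect's with-faillock feature uses:
# preauth before the password module, authfail after it, plus the account line.
SAMPLE_PAM=$(cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so nullok
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
)

# Constructed /etc/security/faillock.conf: lock after 3 failures within
# 15 minutes, unlock automatically after 10 minutes.
SAMPLE_FAILLOCK_CONF=$(cat <<'EOF'
deny = 3
fail_interval = 900
unlock_time = 600
EOF
)

stack_has_faillock() {
    # Succeeds only when the auth stack has pam_faillock preauth before
    # pam_unix and pam_faillock authfail after it. A stack that merely says
    # "auth include system-auth" must be checked on the included file.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" && /pam_faillock\.so/ && /preauth/  { pre = NR }
        $1 == "auth" && /pam_unix\.so/                    { pw = NR }
        $1 == "auth" && /pam_faillock\.so/ && /authfail/ { fail = NR }
        END {
            if (pre && pw && fail && pre < pw && pw < fail) exit 0
            exit 1
        }
    ' "$1"
}

faillock_deny() {
    # Effective "deny" value: last uncommented "deny = N" line, or the
    # pam_faillock default of 3 when the file sets none.
    local n
    n=$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${n:-3}"
}

audit_locker() {
    # One-line verdict for a PAM stack file ($1) and a faillock.conf ($2).
    if stack_has_faillock "$1"; then
        printf 'failed unlocks are counted; lockout after %s attempts\n' "$(faillock_deny "$2")"
    else
        printf 'no pam_faillock in the auth stack: unlimited unlock attempts\n'
    fi
}

# Write the constructed samples to temporary files so the checks run offline.
PAM_FILE=$(mktemp)
CONF_FILE=$(mktemp)
PLAIN_PAM_FILE=$(mktemp)
trap 'rm -f "$PAM_FILE" "$CONF_FILE" "$PLAIN_PAM_FILE"' EXIT
printf '%s\n' "$SAMPLE_PAM" > "$PAM_FILE"
printf '%s\n' "$SAMPLE_FAILLOCK_CONF" > "$CONF_FILE"
# A stack with no faillock lines at all: the "unlimited attempts" case.
printf '%s\n' '#%PAM-1.0' 'auth     required   pam_unix.so' 'account  required   pam_unix.so' > "$PLAIN_PAM_FILE"

audit_locker "$PAM_FILE" "$CONF_FILE"
audit_locker "$PLAIN_PAM_FILE" "$CONF_FILE"
```

Two things to keep in mind before applying this to a real dom0: pam_faillock counts failures per user for every PAM service that includes the stack, not just the locker, so a lockout also affects console logins until unlock_time passes or an administrator runs `faillock --user <name> --reset`; and, unlike the pam_exec approach above, pam_faillock's authfail step only acts when the password check failed, so it does not fire on successful unlocks.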