Why does Windows take way longer to detect that you entered a wrong password while logging into your user?


In: Technology

9 Answers

Anonymous 0 Comments

This is per design. It knows fairly quickly that you entered the wrong password. However, if it just gave you the option to type the password again as soon as possible, it would allow someone else to continuously guess passwords. To prevent this there is a built-in delay in the password checking so that you cannot type passwords too fast.

Anonymous 0 Comments

In addition to timing attacks etc, windows does a thing where you login using your Microsoft account. AFAIK it caches the correct password hash locally, so when you enter the correct password it knows immediately and logs you in.

But what if you changed your password and that locally cached one is now out of date? When you enter a “wrong” password, it contacts Microsoft’s servers to see if the password has changed and, if so, whether the one you entered matches the new one. So there’s a natural delay while that happens.

Anonymous 0 Comments

Say you use your Microsoft account to log into your computer. This lets you do stuff like change your password using your online account in case you forget it, then access your computer with the new password.

Well normally Windows already knows your “current” password so you can log in quickly, and log in without internet access.

But if you enter the wrong password, it goes online to check with Microsoft whether the one you entered was right— the computer thinks it’s wrong, but maybe you changed it, and this is actually your new password.

For technical reasons, it is a security risk for Microsoft to *transmit the password to the computer* so your computer can’t know if it’s changed or what it is without checking with Microsoft each time, they just respond with “right” or “wrong”. But when you’re entering a password the computer *already knows is right* — the same one you used before or one you just set on your Microsoft account— after it confirms this one is correct, it will be faster in the future.

Anonymous 0 Comments

It takes longer and longer for it to tell you that you entered the wrong password the more attempts you have made. It's a design choice, like phones that lock the device when you try too many times; Windows does the same but is a bit more subtle about it.

Anonymous 0 Comments

Top voted answer ~~is~~ was wrong I’m afraid.

It’s a nice theory that it takes time to verify the password with an online server, but:

1) In 2020 that shouldn't take more than a few milliseconds, even if you're on very bad internet.

2) Not all Windows accounts are in the cloud. You can have a local account as well and it will show the same behaviour.

3) This behaviour also exists in many Linux-greeters (for example the one in Ubuntu also has this delay), and here usually you won’t have a password that needs to be checked by a server.

So now for the answer:
It’s what has been mentioned before: it’s to prevent people from making several guesses in a row (doesn’t have to be a brute force, people can also guess manually for frequently used passwords).

Microsoft also claims on their blog that it’s to prevent dictionary attacks, contrary to what people claim in the comments below this post.

Anonymous 0 Comments

Hey, I used to work as a Systems Engineer for Microsoft, so I'll give this a try.

This tech is pretty much the same at its core since Windows 2000 and although things have changed with Windows 10, in this aspect they still use the same old tech, so the behaviour is the same in so many Windows versions.

When a user is prompted to login on Windows they see what’s called GINA or Graphical Interface for Name Authentication (gina.dll). This is the username-password prompt that comes up when you press ctrl+alt+delete.

What GINA does is take what you typed as a password for this user and compare it to the hash of that user’s actual password that’s stored in your computer’s LSASS (local security authority subsystem) database.

So the first time you type your password, GINA checks with a database that’s on your system to see if you have the password correct. This takes only milliseconds so it’s very fast.

Now if you have previously logged on this PC correctly, there should be a "hash" of your password stored locally and you're in. If however you haven't logged in recently or you typed the password incorrectly, GINA now needs to make sure that she has the correct password in her LSASS database – after all, you might have changed your password since the last time you used it on this computer – so she needs to go check to make sure she has the correct password.

This invokes another process that checks to see if you happen to have an account on some other computer on the network, typically in work environments this would be another computer called an Active Directory Domain Controller Server or in our days on some server on the Cloud.

This additional step requires the computer to send and receive information from your network, and this takes some seconds to execute (it can take up to 120 seconds if you have network issues).

So compare the milliseconds that it takes to confirm the password you typed vs the “hash” that’s stored locally and the seconds it takes to double-check the information from the available networks when your password doesn’t match.

Hope it’s clear enough, feel free to ask anything additional if I can explain it bit better.
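The fast-local-check, slow-remote-fallback flow described in the answer above, as an added example that is not part of the original thread and is not Windows code: a simplified model in Python. `RemoteAuthority`, `LocalLogon` and `FakeClock` are hypothetical names, the round-trip and local-check times are assumed values, and the credentials are constructed sample data. The point it shows is why a correct password that is already cached returns in milliseconds while a wrong (or newly changed) one has to wait for a round trip to the authority.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256. Only the hash is ever stored; the password is not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_table(credentials: dict) -> dict:
    """Build a username -> (salt, hash) table from constructed plaintext credentials."""
    table = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        table[username] = (salt, hash_password(password, salt))
    return table


class FakeClock:
    """Simulated time, so the example runs instantly and elapsed times are deterministic."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds: float):
        self.now += seconds


class RemoteAuthority:
    """Hypothetical stand-in for a domain controller or cloud identity service.
    It answers only right/wrong, and every question costs one network round trip."""
    def __init__(self, users: dict, clock: FakeClock, round_trip_seconds: float = 2.0):
        self.users = users
        self._clock = clock
        self._rtt = round_trip_seconds

    def verify(self, username: str, password: str) -> bool:
        self._clock.advance(self._rtt)
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(hash_password(password, salt), stored)


class LocalLogon:
    """Checks the locally cached hash first (fast path). Only when the cache has no
    entry, or the typed password does not match it, does it ask the remote
    authority whether the password changed (slow path)."""
    LOCAL_CHECK_SECONDS = 0.001  # assumed: a local hash comparison takes milliseconds

    def __init__(self, remote: RemoteAuthority, clock: FakeClock):
        self._remote = remote
        self._clock = clock
        self._cache = {}  # username -> (salt, hash) of the last password that worked

    def logon(self, username: str, password: str):
        """Return (accepted, elapsed_seconds) for one logon attempt."""
        start = self._clock.now
        record = self._cache.get(username)
        if record is not None:
            self._clock.advance(self.LOCAL_CHECK_SECONDS)
            salt, stored = record
            if hmac.compare_digest(hash_password(password, salt), stored):
                return True, self._clock.now - start
        # Cache miss or mismatch: the password may have changed, so ask the authority.
        accepted = self._remote.verify(username, password)
        if accepted:
            # Refresh the cache so the next logon with this password is fast again.
            salt = os.urandom(16)
            self._cache[username] = (salt, hash_password(password, salt))
        return accepted, self._clock.now - start


if __name__ == "__main__":
    clock = FakeClock()
    remote = RemoteAuthority(make_user_table({"alice": "correct horse battery"}), clock)
    logon = LocalLogon(remote, clock)
    print(logon.logon("alice", "correct horse battery"))  # first logon: slow, fills the cache
    print(logon.logon("alice", "correct horse battery"))  # cached: milliseconds
    print(logon.logon("alice", "wrong password"))         # mismatch: slow path again
```

Changing the password at the authority and logging on with the new one goes through the slow path once (the cached hash no longer matches), after which the refreshed cache makes it fast again; a user the authority has never heard of always pays the round trip.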

Anonymous 0 Comments

This is a technique called "tarpitting". It slows down failed attempts to make brute force hacking harder. Brute force hacking can be very effective. But by its nature it has to try a lot of variants of user and password. Imagine for a second that this tarpitting never happened. It could blaze through attempts until it found the name of your first childhood pet followed by an exclamation mark. Considering it's no big deal to perform hundreds of thousands of attempts per second (all depending on hardware), it's only a matter of TIME before it's cracked. Now if you slow it down painfully so it takes a few seconds, it's a minor inconvenience to a real human, but makes it almost impossible for brute force attacks. All that being said, even with tarpitting, it's only a matter of time. Pick good passwords, mkay?

Anonymous 0 Comments

You know how some websites will lock you out after trying your password (and failing) after so many tries?

Well it’s actually very common to do other things too, especially with something like your computer login where just locking you out is not a real option. There is no ‘forgot password’ link for your laptop.

One of the things they can do is add an artificial delay before telling the person they failed.

This has a few benefits.

One of them is that the delay protects against people (or bots) trying to brute force guess. Sometimes the delay is increased with each wrong answer. This can make it frustrating (to humans) or make guessing take way too long for bots. You can't try every word in the dictionary if it takes a year to guess them all.

The delay can also be useful to try and provide a smoke screen against intelligent guessing. There have been cases where people have been able to use the duration (how long it takes for the password to fail) to help shed light on the authentication process itself. For example, you might be able to tell that the password isn't encrypted very strongly if the computer is able to tell in a microsecond that your password is wrong. There are more examples of this. So it's common for people to inject delays just to make it fuzzy.

And the ELI5 for this example:

If you ask someone if they like you, and they pause for a while and then say "yes", then you can glean some information about their answer. Maybe they don't really like you at all because of the pause in their answer.

Your computer doesn’t want you to be able to read between any lines like this, so they add delays (sometimes variable delays).
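The two defensive ideas from the tarpitting answer and the answer above, an escalating delay after each failed attempt and not letting the response time reveal anything about why an attempt failed, as one added example that is not part of the original thread and is not Windows code. `PasswordGate` is a hypothetical name, the delay schedule (1 s, doubling, capped at 30 s) is an assumed policy, and the credentials are constructed sample data. The `sleep` function is injectable so the delays can be recorded instead of waited for.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the store holds hashes, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_table(credentials: dict) -> dict:
    """Build a username -> (salt, hash) table from constructed plaintext credentials."""
    table = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        table[username] = (salt, hash_password(password, salt))
    return table


# A dummy record used for unknown usernames, so "no such user" costs the same
# hashing work as "wrong password" and the response time does not reveal which it was.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


class PasswordGate:
    """Hypothetical verifier: constant-time comparison plus a per-account tarpit.
    Each consecutive failure doubles the delay (capped); a success resets it."""

    def __init__(self, users: dict, sleep=time.sleep, base_delay: float = 1.0, max_delay: float = 30.0):
        self._users = users
        self._sleep = sleep
        self._base = base_delay
        self._max = max_delay
        self.failures = {}  # username -> consecutive failed attempts

    def attempt(self, username: str, password: str):
        """Return (accepted, delay_applied_seconds) for one attempt."""
        salt, stored = self._users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # compare_digest takes the same time regardless of where the hashes differ,
        # and the hash is computed even for unknown users (dummy record above).
        matched = hmac.compare_digest(hash_password(password, salt), stored)
        if matched and username in self._users:
            self.failures.pop(username, None)
            return True, 0.0
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        # 1 s, 2 s, 4 s, 8 s ... capped: a nuisance after a typo, ruinous for a guessing loop.
        delay = min(self._base * 2 ** (count - 1), self._max)
        self._sleep(delay)
        return False, delay


if __name__ == "__main__":
    recorded = []  # record delays instead of sleeping, so the demo runs instantly
    gate = PasswordGate(make_user_table({"bob": "hunter2"}), sleep=recorded.append)
    for guess in ["password", "letmein", "qwerty", "hunter2", "oops"]:
        print(guess, gate.attempt("bob", guess))
    print("delays applied:", recorded)
```

Three wrong guesses cost 1 s, 2 s and 4 s; the correct password clears the counter, so the next mistake is back to 1 s; an unknown username goes through the same hashing and the same first-failure delay as a real one.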
