[keycloak-dev] Brute force attack protection
Bill Burke
bburke at redhat.com
Mon Mar 17 10:06:43 EDT 2014
On 3/17/2014 9:54 AM, Stian Thorgersen wrote:
> We could do the sleep on the client side. We'd set a flag on the account saying it's disabled until some time in the future. If an account is locked we can display a page that says wait N seconds (or something), and after N seconds redirect to the login form using meta refresh.
>
This creates a very easy DoS opportunity.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
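To make the DoS concrete, here is a constructed model of the scheme quoted above (a per-account "disabled until" flag set after a few failed logins) and of how an attacker who knows only a username can keep that account locked indefinitely. This is added example code, not Keycloak's implementation or anything proposed on the list; the user table, the client addresses, the `MAX_FAILURES`/`LOCK_SECONDS` values and the `PerSourceLockout` variant are all assumptions made for illustration.

```python
"""Constructed model of a per-account lockout and the denial-of-service it
enables.  Illustration only; not Keycloak code."""

from collections import defaultdict


class PerAccountLockout:
    """The quoted proposal: after MAX_FAILURES wrong passwords the account
    gets a 'disabled until' timestamp, and every login attempt before that
    time is refused, no matter who makes it or whether the password is right."""

    MAX_FAILURES = 3      # assumed threshold
    LOCK_SECONDS = 30     # assumed "wait N seconds"

    def __init__(self, passwords):
        self.passwords = passwords          # constructed user -> password table
        self.failures = defaultdict(int)    # user -> consecutive failures
        self.disabled_until = {}            # user -> time the lock expires

    def login(self, user, password, source, now):
        # 'source' (e.g. the client IP) is ignored: the lock is per account only
        if self.disabled_until.get(user, 0) > now:
            return "locked"                 # the "wait N seconds" page
        if self.passwords.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.failures[user] = 0
            self.disabled_until[user] = now + self.LOCK_SECONDS
        return "bad-password"


class PerSourceLockout(PerAccountLockout):
    """Hypothetical variant (an assumption, not the list's proposal): the
    failure counter and the lock are keyed by (source, user), so an attacker's
    failures only lock out the attacker's own source, not the real user."""

    def login(self, user, password, source, now):
        key = (source, user)
        if self.disabled_until.get(key, 0) > now:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.MAX_FAILURES:
            self.failures[key] = 0
            self.disabled_until[key] = now + self.LOCK_SECONDS
        return "bad-password"


def lockout_dos(impl_cls, rounds=3):
    """An attacker at 198.51.100.7 (constructed address) knows only the
    victim's username.  Each time the lock expires it sends MAX_FAILURES junk
    passwords; the victim tries the correct password one second after each
    burst from 203.0.113.5.  Returns the victim's result for every round."""
    svc = impl_cls({"alice": "correct horse battery staple"})
    victim_results = []
    for r in range(rounds):
        t = r * svc.LOCK_SECONDS
        for i in range(svc.MAX_FAILURES):
            svc.login("alice", f"guess-{i}", "198.51.100.7", t)
        victim_results.append(
            svc.login("alice", "correct horse battery staple", "203.0.113.5", t + 1))
    return victim_results


if __name__ == "__main__":
    print("per-account lock:", lockout_dos(PerAccountLockout))   # locked every round
    print("per-source lock: ", lockout_dos(PerSourceLockout))    # ok every round
```

With the per-account lock the legitimate user is refused in every round even though she supplies the right password, and the attacker spends only `MAX_FAILURES` requests per `LOCK_SECONDS` to keep it that way. Keying the counter by source as in the hypothetical variant stops that particular lockout, but it is not a complete answer: it only helps if the source is something the attacker cannot freely vary, and it does nothing against a distributed guessing attack spread across many sources.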