[keycloak-dev] Brute force attack protection

Stian Thorgersen stian at redhat.com
Mon Mar 17 10:23:42 EDT 2014


Another thing, if someone really wants to brute-force a specific account and they have a botnet of 100K+ machines, a simple sleep of a few seconds isn't going to stop them. I think the only way of doing that is to lock the account after N attempts.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 17 March, 2014 2:13:13 PM
> Subject: Re: [keycloak-dev] Brute force attack protection
> 
> For a single user yes. Is that a big problem though?
> 
> If you sleep on the server you'd be able to do a DoS on the whole server
> (even if async) with a single machine.
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Monday, 17 March, 2014 2:06:43 PM
> > Subject: Re: [keycloak-dev] Brute force attack protection
> > 
> > 
> > 
> > On 3/17/2014 9:54 AM, Stian Thorgersen wrote:
> > > We could do the sleep on the client side. We'd set a flag on the account
> > > saying it's disabled until some time in the future. If an account is
> > > locked we can display a page that says wait N seconds (or something), and
> > > after N seconds redirect to login form using meta refresh.
> > >
> > 
> > This creates a very easy DoS opportunity.
> > 
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
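The thread contrasts two mitigations: sleeping on the server (which Bill and Stian note lets one machine tie up the whole server) and locking an individual account after N failed attempts. The following is an added illustration of the second approach, not Keycloak's own code or anything posted in the thread. It keeps a per-account failure counter and a lock expiry timestamp, so a locked account is refused immediately without any server-side delay, and the check is done before the password is ever verified. The class name, parameters (max_failures, lockout_seconds, reset_after) and the constructed credential table are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    """Bookkeeping for one account (hypothetical helper, not Keycloak's)."""
    failures: int = 0          # consecutive failed attempts since last reset
    last_failure: float = 0.0  # epoch seconds of the most recent failure
    locked_until: float = 0.0  # epoch seconds; 0 means the account is not locked


class BruteForceProtector:
    """Per-account lockout after N failures within a window.

    No thread ever sleeps: a locked account is simply answered "locked" at once,
    so the cost of a rejected attempt is a dictionary lookup, not a held thread.
    """

    def __init__(self, max_failures=5, lockout_seconds=60, reset_after=300):
        self.max_failures = max_failures        # N failures before locking
        self.lockout_seconds = lockout_seconds  # how long the lock lasts
        self.reset_after = reset_after          # idle time that clears the counter
        self._state = {}                        # username -> AccountState

    def is_locked(self, username, now):
        st = self._state.get(username)
        return st is not None and now < st.locked_until

    def seconds_until_unlock(self, username, now):
        st = self._state.get(username)
        if st is None or now >= st.locked_until:
            return 0
        return st.locked_until - now

    def record_failure(self, username, now):
        """Count a failed login; lock the account once the threshold is reached."""
        st = self._state.setdefault(username, AccountState())
        # Failures that are older than the window no longer count.
        if st.last_failure and now - st.last_failure > self.reset_after:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # a fresh allowance once the lock expires
        return st.locked_until

    def record_success(self, username):
        """A successful login clears the counter for that account only."""
        self._state.pop(username, None)


# Constructed credential table for the example; a real system stores hashes.
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}


def attempt_login(protector, username, password, now):
    """Return 'locked', 'ok' or 'bad_credentials' for one login attempt.

    The lock check runs first, so a locked account costs no password
    verification and the response is immediate either way.
    """
    if protector.is_locked(username, now):
        return "locked"
    if CREDENTIALS.get(username) == password:
        protector.record_success(username)
        return "ok"
    protector.record_failure(username, now)
    return "bad_credentials"


def run_scenario(protector):
    """Replay a constructed sequence of attempts; returns the outcomes in order."""
    attempts = [
        ("alice", "wrong", 0.0),
        ("alice", "wrong", 1.0),
        ("alice", "wrong", 2.0),           # third failure: alice is now locked
        ("alice", "correct horse", 3.0),   # right password, but rejected as locked
        ("bob", "battery staple", 3.0),    # other accounts are unaffected
        ("alice", "correct horse", 62.0),  # lock has expired, login succeeds
    ]
    return [attempt_login(protector, u, p, t) for u, p, t in attempts]


if __name__ == "__main__":
    print(run_scenario(BruteForceProtector(max_failures=3, lockout_seconds=60)))
```

The design choice worth noting is the one Bill raises in the thread: because the lock is keyed on the username, anyone who knows a username can keep that one account locked by submitting bad passwords, so the lock duration and threshold are a trade-off between slowing guessing and allowing a denial of service against individual accounts. What the approach does buy, compared with a server-side sleep, is that the cost of each rejected attempt stays constant for the server.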

