[keycloak-dev] Brute force lock out and password reset error

Stian Thorgersen sthorger at redhat.com
Mon Aug 15 07:11:19 EDT 2016


Bruno - I'm not following why it needs to be rate limited. The attacker
would have to have access to the user's email to be able to click on the
reset password link to unlock the account. However, it would be better to
only unlock the account once the password has been updated and not when the
link is clicked.

On 29 July 2016 at 10:44, Joakim Löfgren <joakim.lofgren at gmail.com> wrote:

> KEYCLOAK-3371
>
> On Thu, Jul 28, 2016, 14:02 Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> Hi Joakim,
>>
>> What you're suggesting makes sense. I'm just trying to say that in
>> order to have it implemented, we should have a rate limit for password
>> resets.
>>
>> Anyways, please file a jira for it.
>>
>> On 2016-07-28, Joakim Löfgren wrote:
>> > Well everything can be automated, yes.
>> >
>> > I'll explain in more detail.
>> >
>> > 1. Hacker or myself fails to login 3 times
>> > 2. Brute force detection temporarily disables my account
>> > 3. I enter my email in the reset password form and submit.
>> > 4. An email lands in my inbox
>> > 5. Account is still temporarily disabled
>> > 6. I prove my identity (or at least access to the email account) and
>> click
>> > the reset link in the email
>> > 7. Account is unlocked and I get a login session and prompted to update
>> my
>> > password
>> >
>> > This prevents someone from continuously trying to hack my account and
>> thus
>> > keeping me locked out of my account.
>> >
>> > It also provides a better experience for someone who has just forgotten
>> his
>> > or her password and attempts to login a few too many times.
>> >
>> > Just waiting for the account to unlock so the password reset works again
>> > isn't more secure in my mind. Just more tedious.
>> >
>> > Thoughts?
>> >
>> > On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno at abstractj.org> wrote:
>> >
>> > > On 2016-07-27, Joakim Löfgren wrote:
>> > > > Not if you have to click the link in the email for it to be
>> unlocked?
>> > >
>> > > You know that can be easily automated, right?
>> > >
>> > > >
>> > > > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org>
>> wrote:
>> > > >
>> > > > > On 2016-07-26, Joakim Löfgren wrote:
>> > > > > > Hey,
>> > > > > >
>> > > > > > I noticed that if you get your account temporarily locked due
>> to the
>> > > > > brute
>> > > > > > force detection then you cannot reset your password until the
>> > > temporary
>> > > > > > lock has been lifted.
>> > > > > >
>> > > > > > Is this behaviour intended?
>> > > > >
>> > > > > From what I can tell, this is how it works today and that's
>> > > intentional.
>> > > > > I think that in order to enable password reset for blocked
>> accounts,
>> > > > > rate limiting for password reset should be introduced, otherwise,
>> an
>> > > > > attacker could try it again.
>> > > > >
>> > > > > >
>> > > > > > We've gotten a few users that become confused when they do not
>> > > receive a
>> > > > > > reset password email, and thus contact us asking for help.
>> > > > > >
>> > > > > >
>> > > > > > Sincerely,
>> > > > > > Joakim
>> > > > >
>> > > > > > _______________________________________________
>> > > > > > keycloak-dev mailing list
>> > > > > > keycloak-dev at lists.jboss.org
>> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > > > >
>> > > > >
>> > > > > --
>> > > > >
>> > > > > abstractj
>> > > > > PGP: 0x84DC9914
>> > > > >
>> > >
>> > > --
>> > >
>> > > abstractj
>> > > PGP: 0x84DC9914
>> > >
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>>
>
>
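The flow Joakim lays out in steps 1 to 7, with Stian's point that the lock should lift when the password is actually updated rather than when the link is clicked, and Bruno's point that reset requests need a rate limit, as an added Python model (not Keycloak's code; the class, the 60 s lock duration, the reset limit of 2 per hour and the outbox stand-in for mail delivery are assumptions, only the 3-failure lock comes from the thread):

```python
import secrets
from dataclasses import dataclass, field
MAX_FAILURES, LOCKOUT_SECONDS = 3, 60   # lock after 3 failures (thread); 60 s is assumed
RESET_LIMIT, RESET_WINDOW = 2, 3600     # assumed reset-mail rate limit per account
@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0
    reset_token: str = ""
    reset_times: list = field(default_factory=list)

class AuthService:   # hypothetical model of lockout plus reset, not Keycloak's own code
    def __init__(self):
        self.now, self.accounts, self.outbox = 0.0, {}, []  # outbox stands in for SMTP

    def login(self, user, password):
        a = self.accounts[user]
        if a.locked_until > self.now:
            return "locked"
        if password == a.password:
            a.failures = 0
            return "ok"
        a.failures += 1
        if a.failures >= MAX_FAILURES:          # brute force detection trips
            a.locked_until = self.now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"

    def request_reset(self, user):             # allowed while locked, but rate limited
        a = self.accounts[user]
        a.reset_times = [t for t in a.reset_times if t > self.now - RESET_WINDOW]
        if len(a.reset_times) >= RESET_LIMIT:
            return "rate_limited"
        a.reset_times.append(self.now)
        a.reset_token = secrets.token_urlsafe(32)
        self.outbox.append((user, a.reset_token))
        return "sent"

    def click_link(self, user, token):         # proves mailbox access; lock stays
        a = self.accounts[user]
        ok = a.reset_token and secrets.compare_digest(token, a.reset_token)
        return "update_password" if ok else "invalid"

    def complete_reset(self, user, token, new_password):
        if self.click_link(user, token) != "update_password":
            return "invalid"
        a = self.accounts[user]   # unlock and clear the single-use token only now
        a.password, a.reset_token, a.failures, a.locked_until = new_password, "", 0, 0.0
        return "ok"
```

Driving the model through the thread's steps shows the account staying locked after the link is clicked and only reopening once a new password is set, while a third reset request within the window is refused.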