[keycloak-dev] Brute force lock out and password reset error

Bruno Oliveira bruno at abstractj.org
Tue Jul 26 07:34:53 EDT 2016


On 2016-07-26, Joakim Löfgren wrote:
> Hey,
>
> I noticed that if you get your account temporarily locked due to the brute
> force detection then you cannot reset your password until the temporary
> lock has been lifted.
>
> Is this behaviour intended?

From what I can tell, this is how it works today and that's intentional.
I think that in order to enable password reset for blocked accounts,
rate limiting for password reset should be introduced, otherwise, an
attacker could try it again.

>
> We've gotten a few users that become confused when they do not receive a
> reset password email, and thus contact us asking for help.
>
>
> Sincerely,
> Joakim

> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


--

abstractj
PGP: 0x84DC9914
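A small model of the two policies discussed in the thread, added here as an illustration rather than Keycloak's own code: the current behaviour (reset refused while the brute-force lockout is active) beside the alternative Bruno suggests (reset allowed during lockout, but with its own per-account rate limit). Thresholds and window sizes are assumed values, not Keycloak defaults.

```python
from collections import deque


class AccountSecurityState:
    """Constructed model: brute-force lockout plus a separate sliding-window
    rate limit on password-reset requests for one account."""

    def __init__(self, max_login_failures=5, lockout_seconds=60,
                 max_resets=3, reset_window_seconds=3600):
        self.max_login_failures = max_login_failures
        self.lockout_seconds = lockout_seconds
        self.max_resets = max_resets
        self.reset_window_seconds = reset_window_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.reset_requests = deque()  # timestamps of recent reset requests

    def is_locked(self, now):
        return now < self.locked_until

    def record_login_failure(self, now):
        # Brute-force detection: temporary lockout after N failures.
        self.failures += 1
        if self.failures >= self.max_login_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0

    def reset_allowed_current(self, now):
        # Today's behaviour: no reset while the lock is in force.
        return not self.is_locked(now)

    def reset_allowed_rate_limited(self, now):
        # Proposed behaviour: reset is independent of the lock but capped
        # at max_resets requests per reset_window_seconds per account.
        while self.reset_requests and now - self.reset_requests[0] >= self.reset_window_seconds:
            self.reset_requests.popleft()
        if len(self.reset_requests) >= self.max_resets:
            return False
        self.reset_requests.append(now)
        return True


def compare_policies():
    """Walk both policies through the scenario from the thread (assumed timings)."""
    acct = AccountSecurityState()
    for _ in range(5):
        acct.record_login_failure(now=0.0)  # five failures at t=0 trigger the lock
    result = {"locked": acct.is_locked(now=1.0)}
    result["current_policy_allows_reset"] = acct.reset_allowed_current(now=1.0)
    result["rate_limited_outcomes"] = [acct.reset_allowed_rate_limited(now=float(t)) for t in (1, 2, 3, 4)]
    result["after_window"] = acct.reset_allowed_rate_limited(now=3601.0)
    return result
```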

