[keycloak-dev] Brute force flow
Bruno Oliveira
bruno at abstractj.org
Thu Mar 3 07:10:47 EST 2016
Good morning, today I was thinking about our brute force flow and was
wondering if we could change it.
I know it's not our job to be a firewall or IDS. At the same time, our
current flow today make passwords guessable for attackers. A successful
login attempt is clearly distinguishable based on the error response.
TL;DR if a password is invalid we get "Invalid username and password", but
if it's valid we get "Account is temporarily disabled, contact admin or try
again later.". Which pretty much means that an attacker could complete the
attack from another machine or later, because now she knows that such
account exists and it's valid.
What I would like to suggest, it's just to remove the error message for
account disabled. This information is relevant for the Keycloak
administrator, but I don't think it's necessary for the final user. People
will contact the admin anyways.
Thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160303/d8572d82/attachment.html
More information about the keycloak-dev
mailing list