<div dir="ltr">Rejected</div><div class="gmail_extra"><br><div class="gmail_quote">On 5 April 2016 at 15:57, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I agree. IIRC, there already is a reset timer that you can
configure. Can I close this?<div><div class="h5"><br>
<br>
<div>On 4/5/2016 9:39 AM, Guus der Kinderen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>When an attacker can trick a valid user into logging in
(over and over and over) again, resetting that counter upon
successful authentication could expose an attack vector: An
attacker brute forces, while coercing the legitimate user to
reset the failed-attempt count. It is somewhat far-fetched,
but not unimaginable. I'd err on the side of caution.
Combining a counter with a time-out value will prevent this
completely.</div>
<div><br>
</div>
<div> - Guus</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 5 April 2016 at 13:08, Marek Posolda
<span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 05/04/16 09:46, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Currently [1] the failed login attempts are not
reset on a successful login. This could cause a user
with bad memory to lock the account over time. This
can be prevented by setting "Failure Reset Time",
but is that sufficient. Should we reset the failed
login attempts on successful login?</div>
</div>
</blockquote>
I think that yes, I believe that's what most of the
web-sites are doing as well?<br>
<br>
Marek<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
[1] <a href="https://issues.jboss.org/browse/KEYCLOAK-2692" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2692</a><br>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</font></span></div>
<br>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div>