<p dir="ltr">KEYCLOAK-3371</p>
<br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 28, 2016, 14:02 Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Joakim,<br>
<br>
What you're suggesting makes sense. I'm just trying to say that in<br>
order to have it implemented, we should have a rate limit for password<br>
resets.<br>
<br>
Anyways, please file a jira for it.<br>
<br>
On 2016-07-28, Joakim Löfgren wrote:<br>
> Well everything can be automated, yes.<br>
><br>
> I'll explain in more detail.<br>
><br>
> 1. Hacker or myself fails to login 3 times<br>
> 2. Brute force detection temporarily disables my account<br>
> 3. I enter my email in the reset password form and submit.<br>
> 4. An email lands in my inbox<br>
> 5. Account is still temporarily disabled<br>
> 6. I prove my identity (or at least access to the email account) and click<br>
> the reset link in the email<br>
> 7. Account is unlocked and I get a login session and prompted to update my<br>
> password<br>
><br>
> This prevents someone from continuously trying to hack my account and thus<br>
> keeping me locked out of my account.<br>
><br>
> It also provides a better experience for someone who has just forgotten his<br>
> or her password and attempts to login a few too many times.<br>
><br>
> Just waiting for the account to unlock so the password reset works again<br>
> isn't more secure in my mind. Just more tedious.<br>
><br>
> Thoughts?<br>
><br>
> On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>> wrote:<br>
><br>
> > On 2016-07-27, Joakim Löfgren wrote:<br>
> > > Not if you have to click the link in the email for it to be unlocked?<br>
> ><br>
> > You know that can be easily automated, right?<br>
> ><br>
> > ><br>
> > > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>> wrote:<br>
> > ><br>
> > > > On 2016-07-26, Joakim Löfgren wrote:<br>
> > > > > Hey,<br>
> > > > ><br>
> > > > > I noticed that if you get your account temporarily locked due to the<br>
> > > > > brute force detection then you cannot reset your password until the<br>
> > > > > temporary lock has been lifted.<br>
> > > > ><br>
> > > > > Is this behaviour intended?<br>
> > > ><br>
> > > > From what I can tell, this is how it works today and that's<br>
> > > > intentional.<br>
> > > > I think that in order to enable password reset for blocked accounts,<br>
> > > > rate limiting for password reset should be introduced, otherwise, an<br>
> > > > attacker could try it again.<br>
> > > ><br>
> > > > ><br>
> > > > > We've gotten a few users that become confused when they do not<br>
> > > > > receive a reset password email, and thus contact us asking for help.<br>
> > > > ><br>
> > > > ><br>
> > > > > Sincerely,<br>
> > > > > Joakim<br>
> > > ><br>
> > > > > _______________________________________________<br>
> > > > > keycloak-dev mailing list<br>
> > > > > <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
> > > > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
> > > ><br>
> > > ><br>
> > > > --<br>
> > > ><br>
> > > > abstractj<br>
> > > > PGP: 0x84DC9914<br>
> > > ><br>
> ><br>
> > --<br>
> ><br>
> > abstractj<br>
> > PGP: 0x84DC9914<br>
> ><br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
</blockquote></div>
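<p dir="ltr">The seven-step flow Joakim lays out, together with the rate limit on password resets that Bruno says it needs, can be modelled as a small state machine. The code below is an added illustration for this thread, not Keycloak's implementation and not code from either author; the <code>Policy</code>, <code>Account</code> and <code>AccountGuard</code> names and every numeric limit are assumptions chosen for the example.</p>

```python
"""Toy model of: brute-force lockout -> reset email still allowed while
locked -> lock lifted only when the emailed token is presented, with the
number of reset emails per account rate-limited. Hypothetical names; not
Keycloak code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """Tunables; all values here are constructed for the example."""
    max_failures: int = 3            # failed logins before a temporary lock (steps 1-2)
    lock_seconds: int = 900          # how long the temporary lock lasts
    max_resets_per_window: int = 2   # reset emails allowed per account per window
    reset_window_seconds: int = 3600
    token_ttl_seconds: int = 600     # how long an emailed reset link stays valid


@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0
    reset_requests: list = field(default_factory=list)  # timestamps of reset emails sent
    reset_token_hash: Optional[bytes] = None            # only a hash of the token is stored
    reset_token_expires: float = 0.0


class AccountGuard:
    """Combines lockout, reset rate limiting and unlock-on-verified-reset."""

    def __init__(self, policy: Policy):
        self.policy = policy

    def is_locked(self, acct: Account, now: float) -> bool:
        return now < acct.locked_until

    def record_failed_login(self, acct: Account, now: float) -> None:
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.locked_until = now + self.policy.lock_seconds

    def record_successful_login(self, acct: Account) -> None:
        acct.failures = 0

    def request_reset(self, acct: Account, now: float) -> Optional[str]:
        """Steps 3-5: a reset may be requested even while locked, but at most
        max_resets_per_window emails go out per window. Returns the raw token
        that would go into the email, or None when the request is rate-limited."""
        window_start = now - self.policy.reset_window_seconds
        acct.reset_requests = [t for t in acct.reset_requests if t > window_start]
        if len(acct.reset_requests) >= self.policy.max_resets_per_window:
            return None
        acct.reset_requests.append(now)
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_token_expires = now + self.policy.token_ttl_seconds
        return token

    def complete_reset(self, acct: Account, presented: str, now: float) -> bool:
        """Steps 6-7: presenting the link proves control of the mailbox; only
        then is the lock lifted and the failure counter cleared. Single use."""
        if acct.reset_token_hash is None or now > acct.reset_token_expires:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(digest, acct.reset_token_hash):
            return False
        acct.reset_token_hash = None
        acct.reset_token_expires = 0.0
        acct.failures = 0
        acct.locked_until = 0.0
        return True


def walk_through_thread_scenario() -> dict:
    """Replays the steps from the thread with a fixed clock and returns what happened."""
    guard = AccountGuard(Policy())
    acct = Account()
    t = 1_000.0
    for _ in range(3):                       # step 1: three failed logins
        guard.record_failed_login(acct, t)
    out = {"locked_after_failures": guard.is_locked(acct, t)}          # step 2
    token = guard.request_reset(acct, t)                                # steps 3-4
    out["email_sent_while_locked"] = token is not None
    out["still_locked_after_email"] = guard.is_locked(acct, t)          # step 5
    out["wrong_link_unlocks"] = guard.complete_reset(acct, "not-the-token", t)
    out["right_link_unlocks"] = guard.complete_reset(acct, token, t)    # steps 6-7
    out["unlocked_after_reset"] = not guard.is_locked(acct, t)
    out["token_replay_accepted"] = guard.complete_reset(acct, token, t)
    guard.request_reset(acct, t + 1)                                    # second email in window
    out["third_reset_in_window_sent"] = guard.request_reset(acct, t + 2) is not None
    late = guard.request_reset(acct, t + 3601)                          # window has rolled over
    out["reset_after_window_sent"] = late is not None
    out["expired_link_accepted"] = guard.complete_reset(acct, late, t + 3601 + 601)
    return out


if __name__ == "__main__":
    for k, v in walk_through_thread_scenario().items():
        print(f"{k}: {v}")
```

<p dir="ltr">Two design choices carry the thread's point. The reset request goes through while the account is locked, so a legitimate user is not left wondering why no email arrives, but the lock is cleared only inside <code>complete_reset</code>, after the token from the mailbox has been verified; an attacker who can trigger lockouts still cannot unlock anything without that token. The per-account cap in <code>request_reset</code> is the rate limit Bruno asked for: it bounds how many reset emails a third party can cause to be sent, and the window is reset on a timer rather than by the lock. Storing only a hash of the token, comparing it with <code>hmac.compare_digest</code>, expiring it and consuming it on first use are the usual hardening for emailed links.</p>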