[keycloak-user] Is Brute Force Detection Extensible or can be Customized?

Deepu Laghuvaram deepu.laghuvaram at gmail.com
Mon Jan 16 21:26:55 EST 2017


I do agree with you on both points, but in our current functionality we
display as such for locked users, and I think we do show that a user
exists during registration as well. And we want to continue using it.
I would appreciate it if any solution is available.

And coming to storing failed login attempts in the database, it solves two
issues: one is that we would be following our current approach itself (where
we store them in the database), and second, the failed login attempts would
not be lost on server restarts. As per this
<http://lists.jboss.org/pipermail/keycloak-user/2015-December/004000.html>,
"You can also increase the number of owners for the cache which will mean
that login failures will survive a single node restart." But I don't know
how to increase the number of owners for the cache, and as for me, I thought
persisting the attempts would be the better solution.

Thanks,
Raghu



On Mon, Jan 16, 2017 at 4:29 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> On 2017-01-13, Deepu Laghuvaram wrote:
> > Our current functionality is that if the user provides the wrong password
> > 5 times or more, then we want to display on the login page itself that the
> > user is locked out and they have to reset the password (the user is locked
> > until they reset the password). I am trying to achieve the same
> > functionality in KeyCloak. Is it possible?
>
> I don't think it's possible today. By doing that you would be creating a
> loophole for login. If you display that a user is locked out,
> attackers could verify that such a user exists. See user enumeration
> details [1].
>
> >
> > And as of now the failed login attempts count is in our database, and I
> > want to make Brute Force Detection be based on the failed login attempts
> > from my database and update the failed login attempts to my DB, basically
> > combining Brute Force Detection and a custom UserStorageProvider to achieve
> > both functionalities?
>
> I never tried that and am not sure if it's possible. But storing failed
> attempts in the database, depending on the volume of your requests,
> can be a bit slow.
>
>
> [1] - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
> >
> >
> > Thanks,
> > Deepu
>
> --
>
> abstractj
>
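
The two points this thread turns on, the user-enumeration risk of a "user is locked" message and a failure counter that lives in the database rather than in memory, as an added Python example that is not Keycloak's code nor code from anyone in this thread. The `store` dict stands in for the assumed users table; every failed login (unknown user, wrong password, locked account) returns the same message to the client while the real reason goes to a server-side audit list, and the counter survives a "restart" because it is kept in the store, not in the service object.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5   # lock after the fifth wrong password, the threshold from the thread
GENERIC_ERROR = "Invalid username or password."   # one message for every failure reason

class UserRecord:
    # one row of the (assumed) users table: salted hash plus the failure counter
    def __init__(self, salt, pw_hash):
        self.salt, self.pw_hash = salt, pw_hash
        self.failures, self.locked = 0, False

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AuthService:
    """`store` is a dict standing in for the database, so counters outlive this object."""
    def __init__(self, store):
        self.store = store
        self.audit = []   # server-side log: the real reason is recorded here, never shown

    def register(self, username, password):
        salt = os.urandom(16)
        self.store[username] = UserRecord(salt, _hash(password, salt))

    def reset_password(self, username, new_password):
        rec = self.store[username]
        rec.salt = os.urandom(16)
        rec.pw_hash = _hash(new_password, rec.salt)
        rec.failures, rec.locked = 0, False   # a reset clears the lock, as in the thread

    def login(self, username, password):
        rec = self.store.get(username)
        if rec is None:
            _hash(password, bytes(16))   # spend the same time as a real check
            self.audit.append(f"unknown user {username!r}")
            return False, GENERIC_ERROR
        if rec.locked:
            _hash(password, rec.salt)
            self.audit.append(f"attempt on locked user {username!r}")
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, rec.salt), rec.pw_hash):
            rec.failures = 0
            return True, "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True
            self.audit.append(f"user {username!r} locked after {rec.failures} failures")
        return False, GENERIC_ERROR
```

Building a second `AuthService` over the same `store` after the lock shows the counter surviving a process restart, which is what keeping it outside an in-memory cache buys.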

