When an attacker can trick a valid user into logging in (over and over and
over) again, resetting that counter upon successful authentication could
expose an attack vector: An attacker brute-forces, while coercing the
legitimate user to reset the failed-attempt count. It is somewhat
far-fetched, but not unimaginable. I'd err on the side of caution.
Combining a counter with a time-out value will prevent this completely.
- Guus
On 5 April 2016 at 13:08, Marek Posolda <mposolda(a)redhat.com> wrote:
On 05/04/16 09:46, Stian Thorgersen wrote:
Currently [1] the failed login attempts are not reset on a successful
login. This could cause a user with bad memory to lock the account over
time. This can be prevented by setting "Failure Reset Time", but is that
sufficient? Should we reset the failed login attempts on successful login?
I think that yes, I believe that's what most of the websites are doing as
well?
Marek
[1] https://issues.jboss.org/browse/KEYCLOAK-2692
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
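As an added illustration of the trade-off discussed in this thread (this is not Keycloak's code; the Policy class, its thresholds, the lockout duration and the user name "alice" are assumptions), the model below keeps a per-user failure counter with a failure reset time and an optional reset on successful login, then replays Guus's interleaved scenario under both settings:

```python
from dataclasses import dataclass

# Assumed model, not Keycloak's implementation: a per-user failure counter,
# a "Failure Reset Time" after which stale failures expire, a temporary lockout.
@dataclass
class Policy:
    max_failures: int = 5
    failure_reset_time: float = 900.0   # seconds of quiet before the counter clears
    lockout_duration: float = 60.0      # seconds the account stays locked
    reset_on_success: bool = True       # the behaviour the thread debates

@dataclass
class UserState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

class BruteForceProtector:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.states: dict[str, UserState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'bad_password'."""
        p, s = self.policy, self.states.setdefault(user, UserState())
        if now < s.locked_until:
            return "locked"                  # rejected without checking the password
        if s.failures and now - s.last_failure > p.failure_reset_time:
            s.failures = 0                   # counter expired via the time-out
        if password_ok:
            if p.reset_on_success:
                s.failures = 0               # the disputed reset
            return "ok"
        s.failures += 1
        s.last_failure = now
        if s.failures >= p.max_failures:
            s.locked_until = now + p.lockout_duration
            s.failures = 0                   # counter restarts after the lockout
        return "bad_password"

def simulate_interleaved(policy: Policy, rounds: int = 3) -> tuple[int, bool]:
    """(max_failures - 1) wrong guesses, then the legitimate user logs in,
    repeated. Returns (guesses actually evaluated, whether a lockout occurred)."""
    bfp, t, evaluated, locked = BruteForceProtector(policy), 0.0, 0, False
    for _ in range(rounds):
        for _ in range(policy.max_failures - 1):
            t += 1.0
            r = bfp.attempt("alice", False, t)   # constructed wrong guess
            evaluated += r == "bad_password"
            locked |= r == "locked"
        t += 1.0
        locked |= bfp.attempt("alice", True, t) == "locked"   # legitimate login
    return evaluated, locked
```

With reset_on_success=True the counter never reaches the threshold and every guess is evaluated; with reset only by time-out the lockout triggers on the first guess of the second round, and the legitimate user is also refused until it expires.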