Good morning, today I was thinking about our brute force flow and was wondering if we could change it.

I know it's not our job to be a firewall or IDS. At the same time, our current flow today make passwords guessable for attackers. A successful login attempt is clearly distinguishable based on the error response.

TL;DR if a password is invalid we get "Invalid username and password", but if it's valid we get "Account is temporarily disabled, contact admin or try again later.". Which pretty much means that an attacker could complete the attack from another machine or later, because now she knows that such account exists and it's valid.

What I would like to suggest, it's just to remove the error message for account disabled. This information is relevant for the Keycloak administrator, but I don't think it's necessary for the final user. People will contact the admin anyways.

Thoughts?

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev