Bruno - I'm not following why it needs to be rate limited. The attacker would have to have access to the user's email to be able to click on the reset password link to unlock the account. However, it would be better to only unlock the account once the password has been updated and not when the link is clicked.

On 29 July 2016 at 10:44, Joakim Löfgren <joakim.lofgren@gmail.com> wrote:

KEYCLOAK-3371


On Thu, Jul 28, 2016, 14:02 Bruno Oliveira <bruno@abstractj.org> wrote:
Hi Joakim,

What you're suggesting makes sense. I'm just trying to say that in
order to have it implemented, we should have a rate limit for password
resets.

Anyways, please file a jira for it.

On 2016-07-28, Joakim Löfgren wrote:
> Well everything can be automated, yes.
>
> I'll explain in more detail.
>
> 1. A hacker or I fail to log in 3 times
> 2. Brute force detection temporarily disables my account
> 3. I enter my email in the reset password form and submit.
> 4. An email lands in my inbox
> 5. Account is still temporarily disabled
> 6. I prove my identity (or at least access to the email account) and click
> the reset link in the email
> 7. Account is unlocked and I get a login session and am prompted to update my
> password
>
> This prevents someone from continuously trying to hack my account and thus
> keeping me locked out of my account.
>
> It also provides a better experience for someone who has just forgotten his
> or her password and attempts to login a few too many times.
>
> Just waiting for the account to unlock so the password reset works again
> isn't more secure in my mind. Just more tedious.
>
> Thoughts?
>
> On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno@abstractj.org> wrote:
>
> > On 2016-07-27, Joakim Löfgren wrote:
> > > Not if you have to click the link in the email for it to be unlocked?
> >
> > You know that can be easily automated, right?
> >
> > >
> > > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno@abstractj.org> wrote:
> > >
> > > > On 2016-07-26, Joakim Löfgren wrote:
> > > > > Hey,
> > > > >
> > > > > I noticed that if you get your account temporarily locked due to the
> > > > > brute force detection then you cannot reset your password until the
> > > > > temporary lock has been lifted.
> > > > >
> > > > > Is this behaviour intended?
> > > >
> > > > From what I can tell, this is how it works today and that's
> > > > intentional.
> > > > I think that in order to enable password reset for blocked accounts,
> > > > rate limiting for password reset should be introduced, otherwise, an
> > > > attacker could try it again.
> > > >
> > > > >
> > > > > We've gotten a few users who become confused when they do not
> > > > > receive a reset password email, and thus contact us asking for help.
> > > > >
> > > > >
> > > > > Sincerely,
> > > > > Joakim
> > > >
> > > > > _______________________________________________
> > > > > keycloak-dev mailing list
> > > > > keycloak-dev@lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > >
> > > >
> > > > --
> > > >
> > > > abstractj
> > > > PGP: 0x84DC9914
> > > >
> >

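The flow debated in this thread, as an added stand-alone model written for this page (not Keycloak code, and not code posted by any participant): a small in-memory service that locks an account after MAX_FAILURES bad logins, still accepts a password-reset request while the account is locked, rate-limits reset requests per account in a sliding window, and clears the lock only when the password is actually changed through a single-use token, which is the variant Bruno asks for above. Every name, limit and the sample account are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3             # bad logins before a temporary lock (assumed)
LOCKOUT_SECONDS = 60         # length of the temporary lock (assumed)
RESET_WINDOW_SECONDS = 3600  # sliding window for the reset rate limit (assumed)
MAX_RESETS_PER_WINDOW = 3    # reset emails allowed per window (assumed)
TOKEN_TTL_SECONDS = 900      # reset link validity (assumed)


def _digest(value):
    # Stand-in for a real password KDF and token hash; enough for a model.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    failures: int = 0
    locked_until: float = 0.0
    reset_times: list = field(default_factory=list)  # reset request timestamps
    reset_token_hash: str = ""                        # only the hash is stored
    reset_expires: float = 0.0


class AuthService:
    def __init__(self):
        self.now = 0.0       # fake clock; callers advance it by hand
        self.accounts = {}
        self.outbox = []     # (email, token) pairs standing in for sent mail

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"
        if acct.locked_until > self.now:
            return "locked"      # no credential check at all while locked
        if hmac.compare_digest(acct.password_hash, _digest(password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = self.now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"

    def request_reset(self, email):
        # Always answers "sent" so the reply does not reveal whether the email exists.
        acct = next((a for a in self.accounts.values() if a.email == email), None)
        if acct is None:
            return "sent"
        cutoff = self.now - RESET_WINDOW_SECONDS
        acct.reset_times = [t for t in acct.reset_times if t > cutoff]
        if len(acct.reset_times) >= MAX_RESETS_PER_WINDOW:
            return "sent"        # rate limited: same reply, no new email
        acct.reset_times.append(self.now)
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = _digest(token)
        acct.reset_expires = self.now + TOKEN_TTL_SECONDS
        self.outbox.append((email, token))   # the lock does not block this step
        return "sent"

    def complete_reset(self, token, new_password):
        # The lock is lifted here, when the password actually changes,
        # not when the link is merely opened.
        token_hash = _digest(token)
        for acct in self.accounts.values():
            if acct.reset_token_hash and hmac.compare_digest(acct.reset_token_hash, token_hash):
                acct.reset_token_hash = ""   # single use, even if expired
                if self.now > acct.reset_expires:
                    return "expired"
                acct.password_hash = _digest(new_password)
                acct.failures = 0
                acct.locked_until = 0.0
                return "ok"
        return "invalid"


def run_scenario():
    """Replays steps 1-7 of the thread and returns what each step observed."""
    svc = AuthService()
    svc.accounts["joakim"] = Account("joakim", "joakim@example.test", _digest("old-pw"))  # constructed
    r = {}
    for _ in range(MAX_FAILURES):                  # 1-2: bad guesses trigger the lock
        r["after_failures"] = svc.login("joakim", "wrong")
    r["correct_pw_while_locked"] = svc.login("joakim", "old-pw")
    svc.request_reset("joakim@example.test")       # 3-4: reset mail goes out while locked
    r["emails_sent"] = len(svc.outbox)
    r["still_locked"] = svc.login("joakim", "old-pw")   # 5: the mail alone unlocks nothing
    _, token = svc.outbox[-1]
    r["reset"] = svc.complete_reset(token, "new-pw")    # 6-7: password changed, lock cleared
    r["login_after_reset"] = svc.login("joakim", "new-pw")
    r["token_reuse"] = svc.complete_reset(token, "again")
    for _ in range(5):                             # burst: rate limit stops further mail
        svc.request_reset("joakim@example.test")
    r["emails_after_burst"] = len(svc.outbox)
    return r
```

Two design points are worth noting. The reset endpoint answers identically whether the address exists, is rate limited, or gets a fresh mail, so an attacker learns nothing from it; the cost of a burst is bounded by MAX_RESETS_PER_WINDOW rather than by the lock. And because only complete_reset() clears locked_until, someone who keeps guessing passwords keeps the lock in place but cannot prevent the owner from recovering via the mailbox, while a leaked link that is merely opened changes nothing.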