Adding my opinions on this
On 5 February 2018 at 13:01, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Hi,
please help me clarify the expected behaviour of brute force protection. I
read the documentation [1] but I am still not 100% sure about it. I'm more
after intention rather than actual implementation.
1) When should the Failure Reset Time apply? After the first or after last
failed attempt?
Last failed attempt - it's safer this way
2) Should failed login attempts counter be cleared after the first
successful login or only after failure reset time regardless of the
successful login?
Only after failure rest time - If there's an ongoing targeted attack on a
specific account this is important, otherwise an attacker would get new
attempts every time the user authenticates (which could be predicted, for
instance 9am every day)
3) Should login failures be counted while the account is locked?
No - I don't think this has any impact on safety and would have negative
effects for the user (most users will type the password again to check)
4) Should unlocking account in admin console reset login failures counter?
Yes - would be good to have a way to show the count in the admin console
though
In other words, what is expected behaviour of the following scenarios
(questions are in items marked with Q ->)? I intentionally don't suggest
any correct answer below myself.
Setup:
- Permanent lockout: Off
- Max Lock time: 15 mins
- Wait Time Increment: 1 min
- Failure Reset Time: 30 mins
= Scenario 1 =
1.1) User locks its account
1.2) Another 3 immediate failed login attempts while account is blocked
*Q -> *1.3) Check that after (1 or 3?) minutes the account is unlocked
= Scenario 2 =
2.1) User locks its account
2.2) Wait until account is unlocked (should be 1x Wait Time Increment)
2.3) Then do another one failed login attempt.
*Q -> *2.4) Should the account be locked now or only after next Max Login
Failures?
*Q -> *2.5) Wait until account is unlocked (should be 1x or 2x Wait Time
Increment?)
2.6) Then fail another one login attempt
*Q -> *2.7) Wait until account is unlocked (should be 1x or 3x Wait Time
Increment?)
*Q -> *2.8) Wait Failure Reset Time (since first or last failed attempt?)
2.9) Validate that the user can again lock themselves out only after Max
Login Failures failed login attempts.
= Scenario 3 =
3.1) User locks its account
3.2) Another 20 failed immediate login attempts while account is blocked
*Q -> *3.3) Check that after (1 or 15?) minutes the account is unlocked
(Max Lock time is 15 mins)
Thanks
--Hynek
[1]
http://www.keycloak.org/docs/latest/server_admin/index.
html#password-guess-brute-force-attacks
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev