I agree. IIRC, there already is a reset timer that you can configure.
Can I close this?
On 4/5/2016 9:39 AM, Guus der Kinderen wrote:
When an attacker can trick a valid user into logging in (over and over
and over) again, resetting that counter upon successful authentication
could expose an attack vector: An attacker brute forces, while
coercing the legitimate user to reset the failed-attempt count. It is
somewhat far-fetched, but not unimaginable. I'd err on the side of
caution. Combining a counter with a time-out value will prevent this
completely.
- Guus
On 5 April 2016 at 13:08, Marek Posolda <mposolda@redhat.com> wrote:
On 05/04/16 09:46, Stian Thorgersen wrote:
> Currently [1] the failed login attempts are not reset on a
> successful login. This could cause a user with bad memory to lock
> the account over time. This can be prevented by setting "Failure
> Reset Time", but is that sufficient? Should we reset the failed
> login attempts on successful login?
I think yes; I believe that's what most websites are doing as well?
Marek
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-2692
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
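As an added illustration, not Keycloak's own code and not part of this thread, here is a constructed Python model of the per-user failed-login counter with the two knobs the thread discusses: a failure window (the "Failure Reset Time" Stian mentions) and an optional reset on successful login (the behaviour Guus warns about). The class names, the user name, and the two replayed event streams are assumptions made for the example; the first stream is the interleaved guess/legitimate-login pattern from Guus's message, the second is Stian's "user with bad memory".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of a per-user brute-force counter (hypothetical code, not
# Keycloak's implementation). Times are seconds on a caller-supplied clock so
# the replay is deterministic and runs offline.


@dataclass
class BruteForcePolicy:
    max_failures: int = 5            # lock the user after this many failures ...
    failure_reset_seconds: int = 60  # ... counted within this window ("Failure Reset Time")
    reset_on_success: bool = False   # the knob the thread debates


@dataclass
class UserState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked: bool = False


class BruteForceDetector:
    def __init__(self, policy: BruteForcePolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked

    def record(self, user: str, success: bool, now: float) -> bool:
        """Record one authentication attempt; return whether the login is allowed."""
        s = self._state(user)
        if s.locked:
            return False  # everything is denied while locked; unlocking is a separate action
        # Failure Reset Time: failures older than the window no longer count.
        if s.failures and now - s.last_failure_at > self.policy.failure_reset_seconds:
            s.failures = 0
        if success:
            if self.policy.reset_on_success:
                s.failures = 0  # the behaviour Guus argues against
            return True
        s.failures += 1
        s.last_failure_at = now
        if s.failures >= self.policy.max_failures:
            s.locked = True
        return False


def simulate(policy: BruteForcePolicy,
             events: List[Tuple[float, bool]]) -> Tuple[List[bool], bool]:
    """Replay (time, success) events for one constructed user.

    Returns the per-attempt allow/deny outcomes and whether the user ended up locked.
    """
    detector = BruteForceDetector(policy)
    outcomes = [detector.record("alice", ok, t) for t, ok in events]
    return outcomes, detector.is_locked("alice")


# Constructed event streams.
# 1) Guus's scenario: four wrong guesses, then one coerced legitimate login, repeated
#    once per second for 40 seconds (all inside the 60-second window).
INTERLEAVED: List[Tuple[float, bool]] = [(float(t), t % 5 == 4) for t in range(40)]
# 2) Stian's forgetful user: one wrong password every 10 minutes, otherwise correct.
FORGETFUL: List[Tuple[float, bool]] = [(t * 600.0, t % 2 == 1) for t in range(20)]


if __name__ == "__main__":
    for name, policy, events in [
        ("interleaved, reset on success", BruteForcePolicy(reset_on_success=True), INTERLEAVED),
        ("interleaved, counter + window", BruteForcePolicy(), INTERLEAVED),
        ("forgetful, counter + window", BruteForcePolicy(), FORGETFUL),
        ("forgetful, counter, no window", BruteForcePolicy(failure_reset_seconds=10**9), FORGETFUL),
    ]:
        outcomes, locked = simulate(policy, events)
        print(f"{name:32s} successful logins={sum(outcomes):2d} locked={locked}")
```

With reset-on-success enabled, the interleaved stream never locks the account even though 32 of the 40 attempts were wrong, which is exactly the gap Guus describes; with the counter plus window and no reset on success, the account locks on the fifth failure. The forgetful-user stream shows the other side: the window alone is enough to keep that user from ever locking out, while a counter with no window locks them after the fifth mistake in spite of the successful logins in between.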