When an attacker can trick a valid user into logging in (over and over and over) again, resetting that counter upon successful authentication could expose an attack vector: An attacker brute forces, while coercing the legitimate user to reset the failed-attempt count. It is somewhat far-fetched, but not unimaginable. I'd err on the side of caution. Combining a counter with a time-out value will prevent this completely.
- Guus
On 5 April 2016 at 13:08, Marek Posolda <mposolda@redhat.com> wrote:
On 05/04/16 09:46, Stian Thorgersen wrote:
I think that yes, I believe that's what most of the web-sites are doing as well?Currently [1] the failed login attempts are not reset on a successful login. This could cause a user with bad memory to lock the account over time. This can be prevented by setting "Failure Reset Time", but is that sufficient. Should we reset the failed login attempts on successful login?
Marek
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com