On 2016-07-27, Joakim Löfgren wrote:
> Not if you have to click the link in the email for it to be unlocked?
You know that can be easily automated, right?
> On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno(a)abstractj.org> wrote:
> > On 2016-07-26, Joakim Löfgren wrote:
> > > Hey,
> > >
> > > I noticed that if you get your account temporarily locked due to the
> > > brute force detection then you cannot reset your password until the
> > > temporary lock has been lifted.
> > >
> > > Is this behaviour intended?
> >
> > From what I can tell, this is how it works today and that's intentional.
> > I think that in order to enable password reset for blocked accounts,
> > rate limiting for password reset should be introduced, otherwise, an
> > attacker could try it again.
> >
> > >
> > > We've gotten a few users that become confused when they do not receive a
> > > reset password email, and thus contact us asking for help.
> > >
> > > Sincerely,
> > > Joakim
> >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >
--
abstractj
PGP: 0x84DC9914
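The design point in the quoted exchange (reset is refused while the brute-force lock is active today; allowing it would need a separate rate limit on reset requests, since a confirmation link can be clicked by a script) is modelled below as an added Python sketch that is not Keycloak's code. The class name `AccountGuard`, the thresholds and the decision strings are all assumed values chosen for the illustration.

```python
import time


class AccountGuard:
    """Constructed model of how temporary lockout and password reset
    interact. Thresholds are assumed, not Keycloak defaults."""

    def __init__(self, max_failures=3, lock_seconds=60,
                 reset_allowed_while_locked=False,
                 max_resets=2, reset_window=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.reset_allowed_while_locked = reset_allowed_while_locked
        self.max_resets = max_resets          # reset mails per window
        self.reset_window = reset_window      # seconds
        self.failures = {}       # user -> consecutive failed logins
        self.locked_until = {}   # user -> epoch seconds lock expires
        self.reset_times = {}    # user -> timestamps of reset requests

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0) > now

    def record_login_failure(self, user, now=None):
        """Brute-force detection: lock after max_failures in a row."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
            return "locked"
        return "failed"

    def request_reset(self, user, now=None):
        """Internal decision for a reset request. The user-facing reply
        should be the same generic text whatever is returned here, so
        the decision itself reveals nothing about the account state."""
        now = time.time() if now is None else now
        if self.is_locked(user, now) and not self.reset_allowed_while_locked:
            return "suppressed_locked"        # behaviour described in the thread
        recent = [t for t in self.reset_times.get(user, [])
                  if now - t < self.reset_window]
        if len(recent) >= self.max_resets:
            return "suppressed_rate_limited"  # needed once reset is allowed
        recent.append(now)
        self.reset_times[user] = recent
        return "email_sent"
```

With `reset_allowed_while_locked=False` the model reproduces the current behaviour; with it set to `True`, the reset limiter is what keeps a locked account from being flooded with reset mails.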