On 3 March 2016 at 13:10, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Good morning, today I was thinking about our brute force flow and
wondering if we could change it.
I know it's not our job to be a firewall or IDS. At the same time, our
current flow today makes passwords guessable for attackers. A successful
login attempt is clearly distinguishable based on the error response.
TL;DR if a password is invalid we get "Invalid username and password", but
if it's valid we get "Account is temporarily disabled, contact admin or try
again later.". Which pretty much means that an attacker could complete the
attack from another machine or later, because now she knows that such
account exists and it's valid.
What I would like to suggest is just to remove the error message for
account disabled. This information is relevant for the Keycloak
administrator, but I don't think it's necessary for the final user. People
will contact the admin anyways.
keycloak-dev mailing list
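The flow discussed in the mail, as an added illustration that is not Keycloak's own code: a lockout handler that, in `uniform_errors` mode, returns the same message for a wrong password and for a temporarily disabled account, while the distinction is kept in an admin-visible event log. The `Account`/`AuthService` classes, the `MAX_FAILURES` threshold and the sample user are constructed for this example; `distinct_messages` is the regression check a defender can keep to confirm the client-visible responses no longer reveal account state.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3  # constructed lockout threshold for the example

@dataclass
class Account:
    username: str
    password: str          # plaintext only to keep the illustration short
    failures: int = 0
    locked: bool = False

@dataclass
class AuthService:
    accounts: dict
    uniform_errors: bool = True   # False reproduces the behaviour described in the mail
    admin_log: list = field(default_factory=list)

    def login(self, username: str, password: str):
        """Return (ok, message); the message is what the end user sees."""
        acct = self.accounts.get(username)
        if acct is None:
            self.admin_log.append(("unknown_user", username))
            return False, "Invalid username and password"
        if acct.locked:
            # Admin keeps the detail; the client only sees it in verbose mode.
            self.admin_log.append(("login_on_locked_account", username))
            if self.uniform_errors:
                return False, "Invalid username and password"
            return False, "Account is temporarily disabled, contact admin or try again later."
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                self.admin_log.append(("account_locked", username))
            return False, "Invalid username and password"
        acct.failures = 0
        return True, "ok"

def distinct_messages(uniform: bool) -> set:
    """Regression check: collect every message a client can observe when an
    existing and a non-existing user both exceed the lockout threshold."""
    svc = AuthService({"alice": Account("alice", "s3cret")}, uniform_errors=uniform)
    seen = set()
    for name in ("alice", "nobody"):
        for _ in range(MAX_FAILURES + 1):
            seen.add(svc.login(name, "wrong")[1])
    return seen
```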