[keycloak-dev] Brute force attack protection

Bill Burke bburke at redhat.com
Fri Mar 14 13:40:15 EDT 2014


The only good way to protect against brute force attacks is CAPTCHA or 
IP Address ACLs.  If you implement a delay, you can just have a 
multi-threaded attack.  If you disable the account after a number of 
failed attempts, then you can have a DoS attack and bring down the whole 
site.



On 3/14/2014 11:49 AM, Bill Burke wrote:
> FYI Working on Brute force login attack protection today.  Last thing
> I'll do until I spend a week on Resteasy.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
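
The trade-offs named in the message above, replayed over a constructed attempt log. This is an added example, not part of the original post and not Keycloak code; the threshold, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (source_ip, username, password_ok). 203.0.113.9 sends
# wrong passwords for "alice"; alice then logs in correctly from 198.51.100.7.
ATTEMPTS = [("203.0.113.9", "alice", False)] * 6 + [("198.51.100.7", "alice", True)]

MAX_FAILURES = 5  # hypothetical threshold, not a Keycloak default


def run(attempts, key_fn):
    """Replay attempts, blocking a key once it reaches MAX_FAILURES failures.

    key_fn picks what failures are counted against: the account name
    (lockout) or the source address (IP ACL). Returns one outcome per attempt.
    """
    failures = defaultdict(int)
    outcomes = []
    for ip, user, password_ok in attempts:
        key = key_fn(ip, user)
        if failures[key] >= MAX_FAILURES:
            outcomes.append("blocked")  # rejected before the password check
        elif password_ok:
            outcomes.append("success")
        else:
            failures[key] += 1
            outcomes.append("failed")
    return outcomes


def account_lockout(attempts):
    return run(attempts, lambda ip, user: ("user", user))


def ip_acl(attempts):
    return run(attempts, lambda ip, user: ("ip", ip))


def guesses_under_delay(connections, delay_s, window_s):
    """Guesses answered in window_s when each connection waits delay_s per failure."""
    return connections * (window_s // delay_s)


if __name__ == "__main__":
    print("lockout, alice's own login:", account_lockout(ATTEMPTS)[-1])
    print("ip acl,  alice's own login:", ip_acl(ATTEMPTS)[-1])
    print("2s delay, 60s window, 1 vs 50 connections:",
          guesses_under_delay(1, 2, 60), guesses_under_delay(50, 2, 60))
```

Counting failures against the account blocks alice's own correct login, while counting them against the source address leaves her unaffected; a fixed per-connection delay scales linearly with the number of connections.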

