[keycloak-dev] Should failure count be reset on successful login

Guus der Kinderen guus.der.kinderen at gmail.com
Tue Apr 5 09:39:31 EDT 2016


When an attacker can trick a valid user into logging in (over and over and
over) again, resetting that counter upon successful authentication could
expose an attack vector: An attacker brute forces, while coercing the
legitimate user to reset the failed-attempt count. It is somewhat
far-fetched, but not unimaginable. I'd err on the side of caution.
Combining a counter with a time-out value will prevent this completely.

 - Guus

On 5 April 2016 at 13:08, Marek Posolda <mposolda at redhat.com> wrote:

> On 05/04/16 09:46, Stian Thorgersen wrote:
>
> Currently [1] the failed login attempts are not reset on a successful
> login. This could cause a user with bad memory to lock the account over
> time. This can be prevented by setting "Failure Reset Time", but is that
> sufficient? Should we reset the failed login attempts on successful login?
>
> I think that yes, I believe that's what most of the web-sites are doing as
> well?
>
> Marek
>
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-2692
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
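The attack Guus describes, an attacker who interleaves password guesses with successful logins coerced from the real user, can be simulated. The following is an added example written for this thread, not Keycloak's brute-force protector; the class names, parameters and the password are constructed, and "counter with a time-out" is modelled here as one reading of the suggestion: count failures inside a sliding time window regardless of intervening successes, and lock the account temporarily once the window holds too many.

```python
"""Simulate two lockout policies against a brute-force attacker who can make
the legitimate user log in successfully whenever it suits the attacker.
Constructed example for this mailing-list thread; not Keycloak code."""
from collections import deque

# Constructed secret of the simulated account; the attacker never guesses it.
CORRECT_PASSWORD = "correct-horse-battery-staple"


class ResetOnSuccess:
    """Lock after max_failures consecutive failures; a success clears the count."""

    def __init__(self, max_failures=5, lockout_seconds=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    def new_state(self):
        return {"failures": 0, "locked_until": -1}

    def attempt(self, st, password, now):
        if now < st["locked_until"]:
            return "locked"
        if password == CORRECT_PASSWORD:
            st["failures"] = 0          # the reset the thread is debating
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = now + self.lockout_seconds
            st["failures"] = 0
        return "failed"


class FailureWindow:
    """Lock when max_failures failures fall inside window_seconds, whether or
    not successful logins happened in between (a counter plus a time-out)."""

    def __init__(self, max_failures=5, window_seconds=60, lockout_seconds=60):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds

    def new_state(self):
        return {"failures": deque(), "locked_until": -1}

    def attempt(self, st, password, now):
        if now < st["locked_until"]:
            return "locked"
        if password == CORRECT_PASSWORD:
            return "ok"                 # success does not erase failure history
        q = st["failures"]
        q.append(now)
        while q and q[0] <= now - self.window_seconds:
            q.popleft()                 # drop failures older than the window
        if len(q) >= self.max_failures:
            st["locked_until"] = now + self.lockout_seconds
            q.clear()
        return "failed"


def simulate(policy, seconds=600, coerce_every=None):
    """Attacker sends one wrong password per second. If coerce_every is set,
    every coerce_every-th second the legitimate user is made to log in instead.
    Returns how many attacker guesses the server actually evaluated and how
    many it refused because the account was locked."""
    st = policy.new_state()
    evaluated = blocked = 0
    for t in range(seconds):
        if coerce_every and t % coerce_every == coerce_every - 1:
            policy.attempt(st, CORRECT_PASSWORD, t)   # coerced legitimate login
            continue
        verdict = policy.attempt(st, f"guess-{t}", t)
        if verdict == "locked":
            blocked += 1
        else:
            evaluated += 1
    return {"evaluated": evaluated, "blocked": blocked}


if __name__ == "__main__":
    for name, policy in (("reset-on-success", ResetOnSuccess()),
                         ("failure-window", FailureWindow())):
        print(name, "no coercion:", simulate(policy),
              "| coerced every 5s:", simulate(policy, coerce_every=5))
```

With no coercion both policies behave the same over ten minutes (50 guesses evaluated, the rest refused). With a coerced success every fifth second, the reset-on-success policy never locks and evaluates 480 guesses, while the windowed policy still caps the attacker at 50, which is the difference the thread is about.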

