[keycloak-dev] Should failure count be reset on successful login
Bill Burke
bburke at redhat.com
Tue Apr 5 09:57:31 EDT 2016
I agree. IIRC, there already is a reset timer that you can configure.
Can I close this?
On 4/5/2016 9:39 AM, Guus der Kinderen wrote:
> When an attacker can trick a valid user into logging in (over and over
> and over) again, resetting that counter upon successful authentication
> could expose an attack vector: An attacker brute forces, while
> coercing the legitimate user to reset the failed-attempt count. It is
> somewhat far-fetched, but not unimaginable. I'd err on the side of
> caution. Combining a counter with a time-out value will prevent this
> completely.
>
> - Guus
>
> On 5 April 2016 at 13:08, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> On 05/04/16 09:46, Stian Thorgersen wrote:
>> Currently [1] the failed login attempts are not reset on a
>> successful login. This could cause a user with bad memory to lock
>> the account over time. This can be prevented by setting "Failure
>> Reset Time", but is that sufficient? Should we reset the failed
>> login attempts on successful login?
> I think that yes, I believe that's what most of the web-sites are
> doing as well?
>
> Marek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-2692
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
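Added example (not Keycloak's own code): a small per-user lockout simulation of the policies discussed above. It assumes "Failure Reset Time" semantics in which the failure counter is cleared once no failure has occurred for that many seconds, and a temporary lockout when max_failures is reached; the policy numbers, the sample password and the attacker's guesses are constructed for illustration.

```python
"""Lockout-policy simulation for the thread's question (added example,
not Keycloak code).  Assumed semantics: "Failure Reset Time" clears the
failure counter once no failure has happened for that many seconds, and
reaching max_failures imposes a temporary lockout.  Numbers are illustrative."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5             # failures before a temporary lockout
    failure_reset_seconds: int = 300  # assumed "Failure Reset Time" semantics
    lockout_seconds: int = 60         # length of the temporary lockout
    reset_on_success: bool = False    # the option debated in the thread


class BruteForceProtector:
    """Per-user failure counter with optional reset on successful login."""

    def __init__(self, policy: LockoutPolicy, correct_password: str):
        self.policy = policy
        self.correct_password = correct_password
        self.failures = 0
        self.last_failure = 0.0
        self.locked_until = 0.0

    def attempt(self, password: str, now: float) -> str:
        """Return 'locked' (rejected without checking), 'fail' or 'ok'."""
        p = self.policy
        if now < self.locked_until:
            return "locked"
        # Failure Reset Time: forget failures older than the window.
        if self.failures and now - self.last_failure > p.failure_reset_seconds:
            self.failures = 0
        if password == self.correct_password:
            if p.reset_on_success:
                self.failures = 0
            return "ok"
        self.failures += 1
        self.last_failure = now
        if self.failures >= p.max_failures:
            self.locked_until = now + p.lockout_seconds
            self.failures = 0
        return "fail"


PASSWORD = "correct horse battery staple"  # constructed sample secret


def coerced_reset_attack(policy: LockoutPolicy, seconds: int = 120) -> dict:
    """Guus's scenario: the attacker guesses once per second and, whenever
    the counter is one short of lockout, tricks the legitimate user into a
    successful login.  Returns how many guesses were actually checked."""
    prot = BruteForceProtector(policy, PASSWORD)
    checked = rejected = 0
    for t in range(seconds):
        result = prot.attempt(f"guess-{t}", t)  # constructed wrong guesses
        if result == "fail":
            checked += 1
        else:
            rejected += 1
        if prot.failures == policy.max_failures - 1:
            prot.attempt(PASSWORD, t + 0.5)  # coerced legitimate login
    return {"checked": checked, "rejected": rejected}


def forgetful_user(policy: LockoutPolicy) -> list:
    """Stian's scenario: a user mistypes a few times, logs in, and mistypes
    again much later.  Without a reset time the failures accumulate across
    sessions and eventually lock the account."""
    prot = BruteForceProtector(policy, PASSWORD)
    results = [prot.attempt("typo", t) for t in (0, 1, 2)]
    results.append(prot.attempt(PASSWORD, 3))
    # Two more typos well after failure_reset_seconds have elapsed.
    results.append(prot.attempt("typo", 400))
    results.append(prot.attempt("typo", 401))
    results.append(prot.attempt(PASSWORD, 402))
    return results


if __name__ == "__main__":
    print("reset on success:", coerced_reset_attack(LockoutPolicy(reset_on_success=True)))
    print("no reset on success:", coerced_reset_attack(LockoutPolicy()))
    print("forgetful user, reset time 300s:", forgetful_user(LockoutPolicy()))
    print("forgetful user, no reset time:",
          forgetful_user(LockoutPolicy(failure_reset_seconds=10**9)))
```

With reset_on_success enabled, every one of the attacker's 120 guesses is checked and the account never locks, because the coerced logins keep clearing the counter. Without it, the attacker is bounded to max_failures checked guesses per lockout period regardless of how often the victim logs in, while the failure reset time still keeps the forgetful user from accumulating stale failures into a lockout.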