[keycloak-dev] Should failure count be reset on successful login
Stian Thorgersen
sthorger at redhat.com
Tue Apr 5 10:02:21 EDT 2016
Rejected
On 5 April 2016 at 15:57, Bill Burke <bburke at redhat.com> wrote:
> I agree. IIRC, there already is a reset timer that you can configure.
> Can I close this?
>
>
> On 4/5/2016 9:39 AM, Guus der Kinderen wrote:
>
> When an attacker can trick a valid user into logging in (over and over and
> over) again, resetting that counter upon successful authentication could
> expose an attack vector: An attacker brute forces, while coercing the
> legitimate user to reset the failed-attempt count. It is somewhat
> far-fetched, but not unimaginable. I'd err on the side of caution.
> Combining a counter with a time-out value will prevent this completely.
>
> - Guus
>
> On 5 April 2016 at 13:08, Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 05/04/16 09:46, Stian Thorgersen wrote:
>>
>> Currently [1] the failed login attempts are not reset on a successful
>> login. This could cause a user with bad memory to lock the account over
>> time. This can be prevented by setting "Failure Reset Time", but is that
>> sufficient. Should we reset the failed login attempts on successful login?
>>
>> I think that yes, I believe that's what most of the web-sites are doing
>> as well?
>>
>> Marek
>>
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-2692
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing listkeycloak-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
> _______________________________________________
> keycloak-dev mailing listkeycloak-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160405/856707e5/attachment.html
More information about the keycloak-dev
mailing list