[keycloak-dev] Brute force lock out and password reset error

Joakim Löfgren joakim.lofgren at gmail.com
Wed Jul 27 08:00:14 EDT 2016


Not if you have to click the link in the email for it to be unlocked?

On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org> wrote:

> On 2016-07-26, Joakim Löfgren wrote:
> > Hey,
> >
> > I noticed that if you get your account temporarily locked due to the
> > brute force detection then you cannot reset your password until the
> > temporary lock has been lifted.
> >
> > Is this behaviour intended?
>
> From what I can tell, this is how it works today and that's intentional.
> I think that in order to enable password reset for blocked accounts,
> rate limiting for password reset should be introduced, otherwise, an
> attacker could try it again.
>
> >
> > We've gotten a few users that become confused when they do not receive a
> > reset password email, and thus contact us asking for help.
> >
> >
> > Sincerely,
> > Joakim
>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
>