[keycloak-dev] Brute force lock out and password reset error
Bruno Oliveira
bruno at abstractj.org
Wed Jul 27 08:16:55 EDT 2016
On 2016-07-27, Joakim Löfgren wrote:
> Not if you have to click the link in the email for it to be unlocked ?
You know that can be easily automated, right?
>
> On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org> wrote:
>
> > On 2016-07-26, Joakim Löfgren wrote:
> > > Hey,
> > >
> > > I noticed that if you get your account temporarily locked due to the
> > brute
> > > force detection then you cannot reset your password until the temporary
> > > locked has been lifted.
> > >
> > > Is this behaviour intended ?
> >
> > From what I can tell, this is how it works today and that's intentional.
> > I think that in order to enable password reset for blocked accounts,
> > rate limiting for password reset should be introduced, otherwise, an
> > attacker could try it again.
> >
> > >
> > > We've gotten a few users that become confused when they do not receive a
> > > reset password email, and thus contact us asking for help.
> > >
> > >
> > > Sincerely,
> > > Joakim
> >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >
--
abstractj
PGP: 0x84DC9914
More information about the keycloak-dev
mailing list