[keycloak-dev] Brute force lock out and password reset error
Joakim Löfgren
joakim.lofgren at gmail.com
Thu Jul 28 03:05:29 EDT 2016
Well everything can be automated, yes.
I'll explain in more detail.
1. Hacker or myself fails to login 3 times
2. Brute force detection temporarily disables my account
3. I enter my email in the reset password form and submit.
4. An email lands in my inbox
5. Account is still temporarily disabled
6. I prove my identity (or at least access to the email account) and click
the reset link in the email
7. Account is unlocked and I get a login session and prompted to update my
password
This prevents someone from continuously trying to hack my account and thus
keeping me locked out of my account.
It also provides a better experience for someone who has just forgotten his
or her password and attempts to login a few too many times.
Just waiting for the account to unlock so the password reset works again
isn't more secure in my mind. Just more tedious.
Thoughts?
On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno at abstractj.org> wrote:
> On 2016-07-27, Joakim Löfgren wrote:
> > Not if you have to click the link in the email for it to be unlocked ?
>
> You know that can be easily automated, right?
>
> >
> > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> > > On 2016-07-26, Joakim Löfgren wrote:
> > > > Hey,
> > > >
> > > > I noticed that if you get your account temporarily locked due to the
> > > brute
> > > > force detection then you cannot reset your password until the
> temporary
> > > > locked has been lifted.
> > > >
> > > > Is this behaviour intended ?
> > >
> > > From what I can tell, this is how it works today and that's
> intentional.
> > > I think that in order to enable password reset for blocked accounts,
> > > rate limiting for password reset should be introduced, otherwise, an
> > > attacker could try it again.
> > >
> > > >
> > > > We've gotten a few users that become confused when they do not
> receive a
> > > > reset password email, and thus contact us asking for help.
> > > >
> > > >
> > > > Sincerely,
> > > > Joakim
> > >
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> > >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160728/e495ce08/attachment.html
More information about the keycloak-dev
mailing list