[keycloak-dev] Brute force lock out and password reset error
Bruno Oliveira
bruno at abstractj.org
Thu Jul 28 08:02:05 EDT 2016
Hi Joakim,
What you're suggesting makes sense. I'm just trying to say that in
order to have it implemented, we should have a rate limit for password
resets.
Anyways, please file a jira for it.
On 2016-07-28, Joakim Löfgren wrote:
> Well everything can be automated, yes.
>
> I'll explain in more detail.
>
> 1. Hacker or myself fails to login 3 times
> 2. Brute force detection temporarily disables my account
> 3. I enter my email in the reset password form and submit.
> 4. An email lands in my inbox
> 5. Account is still temporarily disabled
> 6. I prove my identity (or at least access to the email account) and click
> the reset link in the email
> 7. Account is unlocked and I get a login session and prompted to update my
> password
>
> This prevents someone from continuously trying to hack my account and thus
> keeping me locked out of my account.
>
> It also provides a better experience for someone who has just forgotten his
> or her password and attempts to login a few too many times.
>
> Just waiting for the account to unlock so the password reset works again
> isn't more secure in my mind. Just more tedious.
>
> Thoughts?
>
> On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno at abstractj.org> wrote:
>
> > On 2016-07-27, Joakim Löfgren wrote:
> > > Not if you have to click the link in the email for it to be unlocked ?
> >
> > You know that can be easily automated, right?
> >
> > >
> > > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org> wrote:
> > >
> > > > On 2016-07-26, Joakim Löfgren wrote:
> > > > > Hey,
> > > > >
> > > > > I noticed that if you get your account temporarily locked due to the
> > > > brute
> > > > > force detection then you cannot reset your password until the
> > temporary
> > > > > locked has been lifted.
> > > > >
> > > > > Is this behaviour intended ?
> > > >
> > > > From what I can tell, this is how it works today and that's
> > intentional.
> > > > I think that in order to enable password reset for blocked accounts,
> > > > rate limiting for password reset should be introduced, otherwise, an
> > > > attacker could try it again.
> > > >
> > > > >
> > > > > We've gotten a few users that become confused when they do not
> > receive a
> > > > > reset password email, and thus contact us asking for help.
> > > > >
> > > > >
> > > > > Sincerely,
> > > > > Joakim
> > > >
> > > > > _______________________________________________
> > > > > keycloak-dev mailing list
> > > > > keycloak-dev at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > >
> > > >
> > > > --
> > > >
> > > > abstractj
> > > > PGP: 0x84DC9914
> > > >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >
--
abstractj
PGP: 0x84DC9914
More information about the keycloak-dev
mailing list