[keycloak-dev] Brute force lock out and password reset error
Joakim Löfgren
joakim.lofgren at gmail.com
Fri Jul 29 04:44:51 EDT 2016
KEYCLOAK-3371
On Thu, Jul 28, 2016, 14:02 Bruno Oliveira <bruno at abstractj.org> wrote:
> Hi Joakim,
>
> What you're suggesting makes sense. I'm just trying to say that in
> order to have it implemented, we should have a rate limit for password
> resets.
>
> Anyways, please file a jira for it.
>
> On 2016-07-28, Joakim Löfgren wrote:
> > Well everything can be automated, yes.
> >
> > I'll explain in more detail.
> >
> > 1. Hacker or myself fails to login 3 times
> > 2. Brute force detection temporarily disables my account
> > 3. I enter my email in the reset password form and submit.
> > 4. An email lands in my inbox
> > 5. Account is still temporarily disabled
> > 6. I prove my identity (or at least access to the email account) and
> click
> > the reset link in the email
> > 7. Account is unlocked and I get a login session and prompted to update
> my
> > password
> >
> > This prevents someone from continuously trying to hack my account and
> thus
> > keeping me locked out of my account.
> >
> > It also provides a better experience for someone who has just forgotten
> his
> > or her password and attempts to login a few too many times.
> >
> > Just waiting for the account to unlock so the password reset works again
> > isn't more secure in my mind. Just more tedious.
> >
> > Thoughts?
> >
> > On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> > > On 2016-07-27, Joakim Löfgren wrote:
> > > > Not if you have to click the link in the email for it to be unlocked
> ?
> > >
> > > You know that can be easily automated, right?
> > >
> > > >
> > > > On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno at abstractj.org>
> wrote:
> > > >
> > > > > On 2016-07-26, Joakim Löfgren wrote:
> > > > > > Hey,
> > > > > >
> > > > > > I noticed that if you get your account temporarily locked due to
> the
> > > > > brute
> > > > > > force detection then you cannot reset your password until the
> > > temporary
> > > > > > locked has been lifted.
> > > > > >
> > > > > > Is this behaviour intended ?
> > > > >
> > > > > From what I can tell, this is how it works today and that's
> > > intentional.
> > > > > I think that in order to enable password reset for blocked
> accounts,
> > > > > rate limiting for password reset should be introduced, otherwise,
> an
> > > > > attacker could try it again.
> > > > >
> > > > > >
> > > > > > We've gotten a few users that become confused when they do not
> > > receive a
> > > > > > reset password email, and thus contact us asking for help.
> > > > > >
> > > > > >
> > > > > > Sincerely,
> > > > > > Joakim
> > > > >
> > > > > > _______________________________________________
> > > > > > keycloak-dev mailing list
> > > > > > keycloak-dev at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > abstractj
> > > > > PGP: 0x84DC9914
> > > > >
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> > >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160729/353090a3/attachment.html
More information about the keycloak-dev
mailing list