[keycloak-dev] Brute force flow

Stian Thorgersen sthorger at redhat.com
Thu Mar 3 07:19:05 EST 2016


+1

On 3 March 2016 at 13:10, Bruno Oliveira <bruno at abstractj.org> wrote:

> Good morning, today I was thinking about our brute force flow and was
> wondering if we could change it.
>
> I know it's not our job to be a firewall or IDS. At the same time, our
> current flow today makes passwords guessable for attackers. A successful
> login attempt is clearly distinguishable based on the error response.
>
> TL;DR if a password is invalid we get "Invalid username and password", but
> if it's valid we get "Account is temporarily disabled, contact admin or try
> again later.". Which pretty much means that an attacker could complete the
> attack from another machine or later, because now she knows that such
> account exists and it's valid.
>
> What I would like to suggest is just to remove the error message for
> account disabled. This information is relevant for the Keycloak
> administrator, but I don't think it's necessary for the final user. People
> will contact the admin anyways.
>
> Thoughts?
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
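Added example, not part of the thread and not Keycloak's own code: a minimal login service that models the flow Bruno describes, with a switch between the leaky behaviour (a distinct "account disabled" message once the password is right) and the proposed fix (the same generic message whether or not the password is right, with the lockout recorded for the administrator only). The attacker function shows why the distinction matters: after forcing the lockout with a few wrong guesses, it scans a candidate list and reports any guess whose response differs from the others. The usernames, passwords, lockout threshold, hashing parameters and message strings are all assumptions constructed for the example.

```python
"""Response oracle in a brute-force lockout flow (constructed example).

Once an account is locked, the leaky flow still answers a wrong password
with the generic error and only the right password with "account disabled",
so the lockout confirms a guessed password instead of stopping the attacker.
Account store, threshold and messages below are assumptions, not Keycloak's.
"""
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."
DISABLED_ERROR = "Account is temporarily disabled, contact admin or try again later."
MAX_FAILURES = 3  # assumed lockout threshold


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginService:
    """Toy login endpoint with a per-user failure counter and lockout."""

    def __init__(self, leak_lockout):
        self.leak_lockout = leak_lockout  # True = flow described in the thread
        self.users = {}                   # username -> (salt, pbkdf2 digest)
        self.failures = {}                # username -> consecutive failures
        self.admin_log = []               # what the administrator gets to see

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def _password_ok(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(_hash(password, salt), digest)

    def _locked(self, username):
        return self.failures.get(username, 0) >= MAX_FAILURES

    def login(self, username, password):
        """Return (success, message shown to the caller)."""
        if not self._password_ok(username, password):
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] == MAX_FAILURES:
                # Lockout is still reported, but only where the admin sees it.
                self.admin_log.append(f"{username}: locked after {MAX_FAILURES} failures")
            return (False, GENERIC_ERROR)
        if self._locked(username):
            # Leaky flow: the lockout is revealed only when the password is
            # right, which is exactly the confirmation the attacker wants.
            if self.leak_lockout:
                return (False, DISABLED_ERROR)
            # Proposed flow: indistinguishable from a wrong password.
            return (False, GENERIC_ERROR)
        self.failures.pop(username, None)
        return (True, "OK")


def guess_after_lockout(service, username, candidates):
    """Attacker view: the candidates whose response differs from the most
    common one. Wrong guesses are the majority, so any outlier is a hit."""
    responses = {c: service.login(username, c)[1] for c in candidates}
    counts = {}
    for msg in responses.values():
        counts[msg] = counts.get(msg, 0) + 1
    common = max(counts, key=counts.get)
    return sorted(c for c, m in responses.items() if m != common)


def demo(leak_lockout):
    """Force the lockout, then scan a constructed candidate list."""
    svc = LoginService(leak_lockout)
    svc.add_user("alice", "s3cret-pw")
    for guess in ["password", "123456", "letmein"]:  # attacker's first guesses
        svc.login("alice", guess)
    candidates = ["qwerty", "s3cret-pw", "alice2016", "hunter2", "admin"]
    return guess_after_lockout(svc, "alice", candidates)


if __name__ == "__main__":
    print("leaky flow confirms:", demo(True))      # ['s3cret-pw']
    print("generic flow confirms:", demo(False))   # []
```

With the leaky flow the scan returns the real password even though the account is locked; with the generic message it returns nothing, and the only record of the lockout is the admin-side log entry. Note that the fix keeps the counter from resetting on a correct password while locked, otherwise the lock itself would become the signal.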