[keycloak-dev] https://github.com/keycloak/keycloak/pull/4952

Bill Burke bburke at redhat.com
Fri Apr 6 11:00:38 EDT 2018


Including keycloak-dev

Anybody have a link to the old email thread?  IIRC, there was a JIRA
that stated how easy it was for an actual user (not an attacker) to
become locked out forever.

1. set max retries to 3
2. user enters in wrong password 3 times
3. user gets temporarily locked out
4. user tries to login again before the timeout is expired
5. Login fails even if user enters in right password as the account is
locked out
6. brute force wait time is incremented because there was a failure.
7. Loop to 4

Can't break the loop.

In reality it should work the same as your iphone.  Where the wait
time is only incremented if you enter in invalid credentials.




On Fri, Apr 6, 2018 at 3:11 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> What's going on with this one? We never reached a conclusion I believe if
> the current behaviour is what we want and we just need to add some
> clarification to docs or if we should change the behaviour.



-- 
Bill Burke
Red Hat
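The lockout loop described in the message above, modelled as an added example (this is constructed for illustration here, not Keycloak's brute-force detector, and the parameter names, the 60-second wait increment, the 900-second cap and the 30-second retry interval are all assumptions). The only difference between the two policies is whether an attempt made while the account is already locked is recorded as a failure: if it is, a legitimate user who keeps trying the correct password keeps pushing the lockout forward and never gets in; if not, the lockout expires and the correct password works.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LockoutPolicy:
    """Constructed model of a temporary-lockout policy (assumed values)."""
    max_failures: int = 3                    # step 1: max retries set to 3
    wait_increment: int = 60                 # seconds added per lockout
    max_wait: int = 900                      # cap on the wait time
    count_attempts_while_locked: bool = True  # True reproduces the loop


@dataclass
class UserState:
    failures: int = 0
    lockouts: int = 0
    locked_until: int = 0                    # simulated clock, in seconds


def _extend_lockout(state: UserState, policy: LockoutPolicy, now: int) -> None:
    # Each lockout waits longer than the previous one, up to the cap.
    state.lockouts += 1
    wait = min(policy.wait_increment * state.lockouts, policy.max_wait)
    state.locked_until = now + wait


def attempt_login(state: UserState, policy: LockoutPolicy, now: int,
                  password_correct: bool) -> Tuple[bool, str]:
    """Process one login attempt at time `now`; returns (success, reason)."""
    if now < state.locked_until:
        if policy.count_attempts_while_locked:
            # Flawed variant (steps 5 and 6): the rejected attempt counts as a
            # failure and extends the lockout, even when the password is right.
            state.failures += 1
            _extend_lockout(state, policy, now)
        return False, "locked"
    if password_correct:
        state.failures = 0                   # phone-style: only bad credentials count
        return True, "ok"
    state.failures += 1
    if state.failures >= policy.max_failures:
        _extend_lockout(state, policy, now)
        return False, "locked"
    return False, "bad_password"


def simulate(policy: LockoutPolicy, retry_every: int = 30,
             horizon: int = 3600) -> Optional[int]:
    """Three wrong passwords at t=0 (steps 2-3), then the real user retries
    with the correct password every `retry_every` seconds (step 4 onward).
    Returns the time of the first successful login, or None if the user
    is still locked out at the end of the horizon."""
    state = UserState()
    for _ in range(3):
        attempt_login(state, policy, 0, password_correct=False)
    t = 0
    while t <= horizon:
        t += retry_every
        ok, _ = attempt_login(state, policy, t, password_correct=True)
        if ok:
            return t
    return None


if __name__ == "__main__":
    flawed = LockoutPolicy(count_attempts_while_locked=True)
    fixed = LockoutPolicy(count_attempts_while_locked=False)
    print("counting attempts while locked:", simulate(flawed))   # None: never gets in
    print("ignoring attempts while locked:", simulate(fixed))    # 60: in once the wait expires
```

With the flawed policy every retry moves `locked_until` to `now + wait`, and since the wait is always longer than the retry interval the user can never arrive after it expires; with the fixed policy the three genuine failures still lock the account, but the lockout runs out on schedule and the correct password is accepted on the next try.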

