[keycloak-dev] Brute force protection behaviour

Hynek Mlnarik hmlnarik at redhat.com
Mon Feb 5 07:01:04 EST 2018


Hi,

please help me clarify the expected behaviour of brute force protection. I
read the documentation [1] but I am still not 100% sure about it. I'm more
after intention rather than actual implementation.

1) When should the Failure Reset Time apply? After the first or after last
failed attempt?

2) Should the failed login attempts counter be cleared after the first
successful login, or only after the failure reset time regardless of a
successful login?

3) Should login failures be counted while the account is locked?

4) Should unlocking the account in the admin console reset the login failures counter?


In other words, what is expected behaviour of the following scenarios
(questions are in items marked with Q ->)? I intentionally don't suggest
any correct answer below myself.

Setup:
- Permanent lockout: Off
- Max Lock time: 15 mins
- Wait Time Increment: 1 min
- Failure Reset Time: 30 mins

= Scenario 1 =
1.1) User locks their account
1.2) Another 3 immediate failed login attempts while the account is blocked
Q -> 1.3) Check that after (1 or 3?) minutes the account is unlocked

= Scenario 2 =
2.1) User locks their account
2.2) Wait until the account is unlocked (should be 1x Wait Time Increment)
2.3) Then make one more failed login attempt.
Q -> 2.4) Should the account be locked now or only after the next Max Login
Failures?
Q -> 2.5) Wait until the account is unlocked (should be 1x or 2x Wait Time
Increment?)
2.6) Then fail one more login attempt
Q -> 2.7) Wait until the account is unlocked (should be 1x or 3x Wait Time
Increment?)
Q -> 2.8) Wait Failure Reset Time (since first or last failed attempt?)
2.9) Validate that the user can again lock themselves out only after Max
Login Failures failed login attempts.

= Scenario 3 =
3.1) User locks their account
3.2) Another 20 immediate failed login attempts while the account is blocked
Q -> 3.3) Check that after (1 or 15?) minutes the account is unlocked
(Max Lock time is 15 mins)

Thanks

--Hynek

[1] http://www.keycloak.org/docs/latest/server_admin/index.html#password-guess-brute-force-attacks
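The four open questions and the three scenarios above can be pinned down as tests against a small lockout simulator. The following is an added example, not Keycloak's code and not the author's; each question is modelled as a policy switch whose default is an assumption, and the lock-growth rule (threshold failure locks for one increment, every further counted failure adds one more, capped at Max Lock time) is likewise assumed. The user names and the timestamps in the scenario functions are constructed.

```python
"""Simulator for a temporary-lockout brute force policy.

Constructed example: every rule below is an explicit assumption chosen so the
scenarios in the post can be expressed as tests. It is not Keycloak's code.
All times are in seconds.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_login_failures: int = 3
    wait_increment: int = 60            # Wait Time Increment: 1 min
    max_lock_time: int = 15 * 60        # Max Lock time: 15 mins
    failure_reset_time: int = 30 * 60   # Failure Reset Time: 30 mins
    # The four open questions, each as a switch; defaults are assumptions.
    reset_since_last_failure: bool = True   # Q1: reset window from last (not first) failure
    clear_on_success: bool = True           # Q2: successful login clears the counter
    count_while_locked: bool = False        # Q3: failures during lockout are ignored
    admin_unlock_clears: bool = True        # Q4: admin unlock also clears the counter


@dataclass
class UserState:
    failures: int = 0
    first_failure: Optional[int] = None
    last_failure: Optional[int] = None
    locked_until: int = 0


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: int) -> bool:
        return now < self._state(user).locked_until

    @staticmethod
    def _clear(st: UserState) -> None:
        st.failures, st.first_failure, st.last_failure = 0, None, None

    def _expire_failures(self, st: UserState, now: int) -> None:
        # Q1: the reset window is measured from the last or the first failure.
        anchor = st.last_failure if self.policy.reset_since_last_failure else st.first_failure
        if anchor is not None and now - anchor >= self.policy.failure_reset_time:
            self._clear(st)

    def _record_failure(self, st: UserState, now: int) -> None:
        st.failures += 1
        st.last_failure = now
        if st.first_failure is None:
            st.first_failure = now
        over = st.failures - self.policy.max_login_failures
        if over >= 0:
            # Assumed growth rule: threshold failure locks for one increment,
            # each further counted failure adds one more, capped at max_lock_time.
            wait = min(self.policy.wait_increment * (over + 1), self.policy.max_lock_time)
            st.locked_until = now + wait

    def login(self, user: str, now: int, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed' for an attempt made at time `now`."""
        st = self._state(user)
        self._expire_failures(st, now)
        if self.is_locked(user, now):
            if self.policy.count_while_locked:      # Q3
                self._record_failure(st, now)
            return "locked"
        if password_ok:
            if self.policy.clear_on_success:        # Q2
                self._clear(st)
            return "ok"
        self._record_failure(st, now)
        return "failed"

    def admin_unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_until = 0
        if self.policy.admin_unlock_clears:         # Q4
            self._clear(st)


def lock_account(sim: LockoutSimulator, user: str, now: int) -> None:
    """Step x.1 of every scenario: Max Login Failures immediate failures."""
    for _ in range(sim.policy.max_login_failures):
        sim.login(user, now, password_ok=False)


def minutes_until_unlocked(policy: LockoutPolicy, failures_while_locked: int) -> int:
    """Scenarios 1 and 3: lock, fail N more times while locked, then report
    the first whole minute at which the lock has expired."""
    sim = LockoutSimulator(policy)
    lock_account(sim, "alice", 0)
    for _ in range(failures_while_locked):
        assert sim.login("alice", 0, password_ok=False) == "locked"
    return next(m for m in range(1, 24 * 60) if not sim.is_locked("alice", 60 * m))


def locked_after_late_failure(policy: LockoutPolicy) -> bool:
    """Scenario 2.8: a failure 1900 s after the first and 900 s after the last
    failure locks the account only if the reset window has not expired."""
    sim = LockoutSimulator(policy)
    lock_account(sim, "bob", 0)                 # failures at t=0, locked 60 s
    sim.login("bob", 1000, password_ok=False)   # 4th failure, locked 120 s
    sim.login("bob", 1900, password_ok=False)
    return sim.is_locked("bob", 1900)


if __name__ == "__main__":
    for q3 in (False, True):
        p = LockoutPolicy(count_while_locked=q3)
        print(f"count_while_locked={q3}: scenario 1 -> {minutes_until_unlocked(p, 3)} min,"
              f" scenario 3 -> {minutes_until_unlocked(p, 20)} min")
```

Flipping a single switch changes the answer to the corresponding scenario: with failures during lockout ignored, scenarios 1 and 3 both unlock after 1 minute, while counting them makes scenario 3 hit the 15 minute cap; measuring the reset window from the first rather than the last failure decides whether the late attempt in scenario 2.8 locks the account.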
