[keycloak-dev] Brute force protection behaviour

Stian Thorgersen sthorger at redhat.com
Tue Feb 6 13:56:11 EST 2018 

Could you answer Hynek's original questions? Those where the things after
reading the docs and tooltips that where unclear to us.

On 6 February 2018 at 18:58, Bill Burke <bburke at redhat.com> wrote:

> I put this in the PR and corresponding JIRAs, but a user had this
> problem in 3.2 (not 3.4, I fixed it)
>
> 1) User has 3 failed attempts, account locks, Temporary Disable appears
> 2) User tries again before wait period is up...Wait increment
> increases wait time
> 3) User tries again before wait period, wait increment is increased
> again as Keycloak logged a failure for this
> 4) User is locked out forever unless admin helps to unlock.
>
> So, I changed the behavior so that a failure isn't logged if a user
> attempts a login to an account that is temporarily blocked.  I believe
> the failure count is only reset on a successful login.
>
> IMO, the algorithm shoudl be:
>
> 1) After N failed attempts lock user for WAIT TIMEOUT
> 2) Do not increment failure count if login is attempted on locked account
> 3) After N failed attempts after unlock, lock user again for WAIT TIMEOUT
> * 2
> 4) After unlock and another N failed attempts, locak user again for
> WAIT TIMEOUT * 3.
> 5) A successful login resets failure count.
>
> On Tue, Feb 6, 2018 at 1:13 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> > Adding my opinions on this
> >
> > On 5 February 2018 at 13:01, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
> >>
> >> Hi,
> >>
> >> please help me clarify the expected behaviour of brute force
> protection. I
> >> read the documentation [1] but I am still not 100% sure about it. I'm
> more
> >> after intention rather than actual implementation.
> >>
> >> 1) When should the Failure Reset Time apply? After the first or after
> last
> >> failed attempt?
> >
> >
> > Last failed attempt - it's safer this way
> >
> >>
> >>
> >> 2) Should failed login attempts counter be cleared after the first
> >> successful login or only after failure reset time regardless of the
> >> successful login?
> >
> >
> > Only after failure rest time - If there's an ongoing targeted attack on a
> > specific account this is important, otherwise an attacker would get new
> > attempts every time the user authenticates (which could be predicted, for
> > instance 9am every day)
> >
> >>
> >>
> >> 3) Should login failures be counted while the account is locked?
> >
> >
> > No - I don't think this has any impact on safety and would have negative
> > effects for the user (most users will type the password again to check)
> >
> >>
> >>
> >> 4) Should unlocking account in admin console reset login failures
> counter?
> >
> >
> > Yes - would be good to have a way to show the count in the admin console
> > though
> >
> >>
> >>
> >>
> >> In other words, what is expected behaviour of the following scenarios
> >> (questions are in items marked with Q ->)? I intentionally don't suggest
> >> any correct answer below myself.
> >>
> >> Setup:
> >> - Permanent lockout: Off
> >> - Max Lock time: 15 mins
> >> - Wait Time Increment: 1 min
> >> - Failure Reset Time: 30 mins
> >>
> >> = Scenario 1 =
> >> 1.1) User locks its account
> >> 1.2) Another 3 immediate failed login attempts while account is blocked
> >> *Q -> *1.3) Check that after (1 or 3?) minutes the account is unlocked
> >>
> >> = Scenario 2 =
> >> 2.1) User locks its account
> >> 2.2) Wait until account is unlocked (should be 1x Wait Time Increment)
> >> 2.3) Then do another one failed login attempt.
> >> *Q -> *2.4) Should the account be locked now or only after next Max
> Login
> >> Failures?
> >> *Q -> *2.5) Wait until account is unlocked (should be 1x or 2x Wait Time
> >> Increment?)
> >> 2.6) Then fail another one login attempt
> >> *Q -> *2.7) Wait until account is unlocked (should be 1x or 3x Wait Time
> >> Increment?)
> >> *Q -> *2.8) Wait Failure Reset Time (since first or last failed
> attempt?)
> >> 2.9) Validate that the user can again lock themselves out only after Max
> >> Login Failures failed login attempts.
> >>
> >> = Scenario 3 =
> >> 3.1) User locks its account
> >> 3.2) Another 20 failed immediate login attempts while account is blocked
> >> *Q -> *3.3) Check that after (1 or 15?) minutes the account is unlocked
> >> (Max Lock time is 15 mins)
> >>
> >> Thanks
> >>
> >> --Hynek
> >>
> >> [1]
> >>
> >> http://www.keycloak.org/docs/latest/server_admin/index.
> html#password-guess-brute-force-attacks
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
>
>
>
> --
> Bill Burke
> Red Hat
>

More information about the keycloak-dev mailing list