Keycloak Brute Force Protection
The post describes how to configure Brute Force Protection in Keycloak
What is a brute force attack?
According to OWASP:
“A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works”
Open Keycloak admin page, open Realm Settings, go to the Security Defenses tab and open the Brute Force Protection tab.
Click on the enabled button.
Keycloak documentation related to the Brute Force Protection configuration is here
My understanding of the default configuration
Preventing automated attacks
- Lock after 2 subsequent login failures
- 1 second between failures (too quick for a human)
- Lock remains active for ~5 min
Preventing manual attacks
- Lock after 30 subsequent login failures
- Sliding window of 12 hours
- Lock remains active for ~ 45 min