Forgot Password - different response time for existing and non-existing users - possible vulnerability

bedo5 · April 22, 2024, 2:23pm

Keycloak 23.0.7.
In the dialog Forgot Your Password? when I enter an existing user, the response time is 500-600 ms. When I enter a non-existent one, the response time is 50-60 ms. Accordingly, it is possible to find out a valid login name.
Is there anything I can configure to make it undetectable?

Topic		Replies	Views
User feedback on the Forgot Password page about the existence of a user Getting advice	1	361	November 10, 2021
Is there a way to retrieve password of a user	1	366	November 29, 2022
Need help in understanding Keycloak Brute Force Mechanism Getting advice authentication	0	98	March 6, 2024
Validate password recovery if email does not exist authentication	0	240	February 26, 2021
Get message "Your password has been updated." after reset password Getting advice	2	970	January 31, 2024

Forgot Password - different response time for existing and non-existing users - possible vulnerability

Related Topics