What's the right HTTP status for a user locked out due to a brute force attack?

In case of a brute force attack, what is the right status code that a REST API should return for a locked user? Actually, when a user fails the password three times in the last 3 minutes, I lock their account.

If they try to log in a fourth time, they receive a response with {"success":"false"} and status code 401. Is this formally right or not?

Dysentery answered 2/11, 2017 at 14:37 Comment(1)
What authentication scheme are you using (if any)? - Rawboned

I'm a teapot

If you determine that your application is under attack, you could return 418 (I'm a teapot) and use a "short and stout" message in the response payload.

Unauthorized and forbidden

For HTTP authentication (stateless and sending the credentials in the Authorization header) use 401 (Unauthorized) to indicate that the credentials have been refused for that request.

Assuming that the credentials are valid but the user account is locked (or in any other condition that prevents the server from accepting the request), you could use 403 (Forbidden) and a descriptive message in the payload. Quote from RFC 7235:

A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code.

Liguria answered 2/11, 2017 at 15:30 Comment(5)
What about the status code 423 ("Locked")? This sounds like the right one to me... - Stillman
Note: Spring org.springframework.http.HttpStatus supports the 418 response. I recommend it in this situation as well. - Candra
I think the application should keep on sending exactly the same headers and response if the account is locked due to brute force, as changing the response would help the attacker identify that the account is locked. - Bomber
423 is not the right type. It's meant to be used to manage concurrent modifications to a resource, not authentication or authorization. - Angelicaangelico
Just need to be careful not to reveal a user's real password by having a different status code for locked vs. locked + correct password. E.g. it is OK to return 401 for a bad password usually, but don't return a 403 for the combination of correct password and locked account, because that would allow a brute-force attack to still discover whether the password guess is correct. - Flieger
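The caveat in the last comment, as an added Python example (not code from the question or from any answer): two versions of a login handler under the question's lock policy (three failures within 3 minutes). `login_leaky` returns 403 only when the account is locked and the guess was right, so a locked-out attacker still learns which guess worked; `login_hardened` answers every refusal (unknown user, wrong password, locked account) with the same 401 body from the question and does the same hashing work in every case. The 3-minute lock duration, the PBKDF2 parameters and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy from the question: three failed passwords within 3 minutes lock the account.
# How long the lock lasts is not stated; 3 minutes is assumed here.
LOCK_THRESHOLD = 3
LOCK_WINDOW = 180.0
LOCK_DURATION = 180.0

# The single response every refused login gets, with the body from the question.
FAILED = (401, {"success": "false"})


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption; any slow password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def password_matches(acct: Account, password: str) -> bool:
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def is_locked(acct: Account, now: float) -> bool:
    return now < acct.locked_until


def record_failure(acct: Account, now: float) -> None:
    # Keep only failures inside the window, then lock once the threshold is hit.
    acct.failures = [t for t in acct.failures if now - t < LOCK_WINDOW]
    acct.failures.append(now)
    if len(acct.failures) >= LOCK_THRESHOLD:
        acct.locked_until = now + LOCK_DURATION
        acct.failures.clear()


# Hashed once so that unknown usernames cost the same time as real ones.
_DUMMY = make_account(os.urandom(16).hex())


def login_leaky(accounts: dict, username: str, password: str, now: float):
    """Returns 403 for 'locked AND correct password', 401 otherwise.

    This is the pattern the comment warns about: a locked-out attacker still
    learns which guess was right, because only the right one gets a 403."""
    acct = accounts.get(username)
    if acct is None:
        return FAILED
    ok = password_matches(acct, password)
    if is_locked(acct, now):
        return (403, {"error": "account locked"}) if ok else FAILED
    if ok:
        return (200, {"success": "true"})
    record_failure(acct, now)
    return FAILED


def login_hardened(accounts: dict, username: str, password: str, now: float):
    """Every refusal (unknown user, wrong password, locked account) is the same 401."""
    acct = accounts.get(username)
    # Always do the hash work, even for unknown or locked accounts, so the
    # response time does not reveal which case was hit.
    ok = password_matches(acct if acct is not None else _DUMMY, password)
    if acct is None or is_locked(acct, now):
        return FAILED
    if ok:
        return (200, {"success": "true"})
    record_failure(acct, now)
    return FAILED


if __name__ == "__main__":
    accounts = {"alice": make_account("correct horse")}   # constructed sample account
    for i in range(3):
        login_hardened(accounts, "alice", "wrong", 1000.0 + i)
    print(login_hardened(accounts, "alice", "correct horse", 1003.0))   # locked: still 401
    print(login_hardened(accounts, "alice", "wrong", 1003.0))           # locked: same 401
```

Note that the hardened handler stops recording failures while the lock is active; whether further attempts should extend the lock is a policy choice the question does not state.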

403 Forbidden

403 means that "yes, I know about you, and your credentials might even be valid, but I am rejecting you anyway". Whether that be due to a lockout, your IP is banned, the phase of the moon isn't the correct one, etc, you can use this to signal that the request was invalid for that reason.

Resee answered 6/9, 2020 at 21:42 Comment(0)

Account locking is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts. See OWASP Blocking Brute Force Attacks for more info.

If your server detects too many requests and you don't want to block the client permanently, you should send status code:

429 Too many requests

The HTTP 429 Too Many Requests response status code indicates the user has sent too many requests in a given amount of time ("rate limiting").

A Retry-After header might be included in this response indicating how long to wait before making a new request.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429

Seleucia answered 29/3, 2022 at 22:15 Comment(0)
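The throttle this answer recommends, as an added Python example (not code from the answer, from OWASP or from MDN): a sliding-window rate limiter keyed by client IP and by target username. An attempt over budget gets a 429 with a Retry-After header computed from when the oldest counted attempt leaves the window, and the account itself is never locked, so an attacker cannot use the limiter to lock out other users. The budgets (5 attempts per minute per IP, 3 per minute per username), the client IP values and all function names are assumptions made for the example.

```python
import math
import time
from collections import defaultdict, deque
from typing import Optional


class SlidingWindowLimiter:
    """Allows at most `limit` events per key inside any `window`-second span."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: dict = defaultdict(deque)   # key -> timestamps still inside the window

    def check(self, key, now: float) -> Optional[int]:
        """Record one event for `key`.

        Returns None when the event is allowed, otherwise the whole number of
        seconds until the oldest counted event leaves the window, which is the
        value to put in Retry-After."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return math.ceil(self.window - (now - q[0]))
        q.append(now)
        return None


# Assumed budgets: one client IP may try 5 logins per minute across all accounts,
# and one username may be targeted 3 times per minute from anywhere.
IP_LIMITER = SlidingWindowLimiter(limit=5, window=60.0)
USER_LIMITER = SlidingWindowLimiter(limit=3, window=60.0)


def throttle(client_ip: str, username: str, now: Optional[float] = None,
             ip_limiter: SlidingWindowLimiter = IP_LIMITER,
             user_limiter: SlidingWindowLimiter = USER_LIMITER):
    """Run before the password is checked.

    Returns None when the attempt may proceed to credential verification,
    otherwise a (status, headers, body) triple describing the 429 to send."""
    if now is None:
        now = time.monotonic()
    waits = [w for w in (ip_limiter.check(client_ip, now),
                         user_limiter.check(username, now))
             if w is not None]
    if not waits:
        return None
    # The longer of the two waits is the earliest moment a retry could succeed.
    return (429,
            {"Retry-After": str(max(waits))},
            {"error": "too many requests"})


if __name__ == "__main__":
    # Constructed sample: four attempts on "alice" from one address within a minute.
    for i in range(4):
        print(throttle("203.0.113.5", "alice", 100.0 + i))
```

Because the per-username budget is small and the per-IP budget larger, a single attacker spraying many accounts from one address hits the IP limit, while many attackers targeting one account hit the username limit; either way the client is told when to come back rather than being locked out for good.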
