[keycloak-dev] Blacklist Password Policy

Marek Posolda mposolda at redhat.com
Thu Aug 3 06:11:15 EDT 2017 

+1 for filesystem.

Marek

On 29/07/17 10:06, Thomas Darimont wrote:
> Okay cool.
>
> Instead of storing the password blacklist in the database I could instead
> just refer to a password
> blacklist that lives on the file system.
>
> So Keycloak could ship with some of the lists from [0] and refer to those
> with a name like "default-blacklist1000", "default-blacklist-100000"
> in the BlacklistPasswordPolicy
> config
> within the admin-console.
>
> The "default-blacklist-100000" blacklist would then be mapped and resolve
> to
> something like
> "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>
> Users could provide their own blacklists with the provider config stored in
> standalone.xml
> than could then be adjusted via jboss-cli.
>
> I think this filesystem based approach is better than having to load and
> store big text-blobs in the database.
>
> Cheers,
> Thomas
>
> [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
> Using those password lists seems to be allowed according to their license:
> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
> which is Creative Commons Attribution ShareAlike 3.0 License
> -> IANAL but it seems to be useable in commercial products as well
> https://creativecommons.org/licenses/by-sa/3.0/
> as long as the authors are mentioned.
>
>
> 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>
>> Yah, that sounds cool.
>>
>>
>> On 7/28/17 11:48 AM, Thomas Darimont wrote:
>>> Hello,
>>>
>>> I build a configurable Password Policy that allows to match a given
>>> password against
>>> a blacklist with easy to guess passwords that should be not allowed as
>> user
>>> passwords.
>>>
>>> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
>>> with a ";" delimited list of easy to guess passwords.
>>>
>>> If the user / or admin want's to change the password it is checked
>> against
>>> the blacklist.
>>> A password list can be found here:
>>> https://github.com/danielmiessler/SecLists/tree/master/Passwords
>>>
>>> A blacklist is of course not a perfect solution but could still be useful
>>> for some users.
>>>
>>> Password blacklist would be compiled to a trie at startup (and on changes
>>> of the blacklist)
>>> for efficient lookups.
>>>
>>> WDYT?
>>>
>>> Cheers,
>>> Thomas
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list