[keycloak-dev] Blacklist Password Policy

Marek Posolda mposolda at redhat.com
Thu Aug 3 10:04:24 EDT 2017


My vote is to throw an error if the password list cannot be found on the 
filesystem. IMO it would be bad if the admin had the impression that he 
just successfully configured the blacklist password policy even if it 
doesn't work in reality. An error should rather be thrown, so the admin 
is aware that it doesn't work.

However, the biggest issue with the PR is the additional dependency, as 
Hynek pointed out in the PR and I did in the other thread.

Marek


On 03/08/17 12:28, Thomas Darimont wrote:
> Hello,
>
> great, that's just what I built :) here is the PR: 
> https://github.com/keycloak/keycloak/pull/4370
>
> I'm not sure about the error handling if a configured password list 
> cannot be found on the filesystem.
> https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78
>
> Looking forward to your feedback :)
>
> Cheers,
> Thomas
>
> 2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>
>     +1 for filesystem.
>
>     Marek
>
>
>     On 29/07/17 10:06, Thomas Darimont wrote:
>
>         Okay cool.
>
>         Instead of storing the password blacklist in the database, I
>         could instead just refer to a password blacklist that lives on
>         the file system.
>
>         So Keycloak could ship with some of the lists from [0] and
>         refer to those with a name like "default-blacklist1000",
>         "default-blacklist-100000" in the BlacklistPasswordPolicy
>         config within the admin-console.
>
>         The "default-blacklist-100000" blacklist would then be mapped
>         and resolve to something like
>         "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>
>         Users could provide their own blacklists with the provider
>         config stored in standalone.xml that could then be adjusted
>         via jboss-cli.
>
>         I think this filesystem-based approach is better than having
>         to load and store big text blobs in the database.
>
>         Cheers,
>         Thomas
>
>         [0]
>         https://github.com/danielmiessler/SecLists/tree/master/Passwords
>         Using those password lists seems to be allowed according to
>         their license:
>         https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
>         which is the Creative Commons Attribution ShareAlike 3.0 License
>         -> IANAL, but it seems to be usable in commercial products as well
>         https://creativecommons.org/licenses/by-sa/3.0/
>         as long as the authors are mentioned.
>
>
>         2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>
>             Yah, that sounds cool.
>
>
>             On 7/28/17 11:48 AM, Thomas Darimont wrote:
>
>                 Hello,
>
>                 I built a configurable Password Policy that allows
>                 matching a given password against a blacklist of
>                 easy-to-guess passwords that should not be allowed as
>                 user passwords.
>
>                 The 'BlacklistPasswordPolicyProvider' can be
>                 configured via the admin UI with a ";"-delimited list
>                 of easy-to-guess passwords.
>
>                 If the user or admin wants to change the password, it
>                 is checked against the blacklist.
>                 A password list can be found here:
>                 https://github.com/danielmiessler/SecLists/tree/master/Passwords
>
>                 A blacklist is of course not a perfect solution but
>                 could still be useful for some users.
>
>                 The password blacklist would be compiled to a trie at
>                 startup (and on changes of the blacklist) for
>                 efficient lookups.
>
>                 WDYT?
>
>                 Cheers,
>                 Thomas
>                 _______________________________________________
>                 keycloak-dev mailing list
>                 keycloak-dev at lists.jboss.org
>                 <mailto:keycloak-dev at lists.jboss.org>
>                 https://lists.jboss.org/mailman/listinfo/keycloak-dev
>                 <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>



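The design discussed in this thread, written out as an added example (this is not Keycloak's code and does not use the Keycloak password-policy SPI): a blacklist read from a configured filesystem path, compiled once into a trie, queried by exact match, and treated as a configuration error when the file cannot be read, which is the behaviour Marek votes for above. The class name PasswordBlacklist, the method names, the use of IllegalStateException and the sample entries are assumptions made for illustration; the mapping of bundled names such as "default-blacklist-100000" to shipped files is left out, so the config value here is always a path.

```java
// Added example, not Keycloak's own code. Class and method names are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public final class PasswordBlacklist {

    /** Trie node keyed by Unicode code point; terminal marks the end of one blacklisted entry. */
    private static final class Node {
        final Map<Integer, Node> children = new HashMap<>();
        boolean terminal;
    }

    private final Node root = new Node();
    private int size;

    /**
     * Resolve the configured path and compile the list. A list that cannot be read is a
     * configuration error and throws, so the admin never ends up with a policy that looks
     * enabled but checks nothing.
     */
    public static PasswordBlacklist fromFile(String configuredPath) {
        Path path = Paths.get(configuredPath);
        if (!Files.isReadable(path)) {
            throw new IllegalStateException("Password blacklist '" + path.toAbsolutePath()
                    + "' does not exist or is not readable");
        }
        try {
            return compile(Files.readAllLines(path, StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read password blacklist '" + path + "'", e);
        }
    }

    /** Build the trie once (at startup or on a config change); one entry per line, blanks skipped. */
    static PasswordBlacklist compile(List<String> entries) {
        PasswordBlacklist bl = new PasswordBlacklist();
        for (String e : entries) {
            if (e.isEmpty()) continue;
            Node n = bl.root;
            for (int i = 0; i < e.length(); ) {
                int cp = e.codePointAt(i);
                n = n.children.computeIfAbsent(cp, k -> new Node());
                i += Character.charCount(cp);
            }
            if (!n.terminal) { n.terminal = true; bl.size++; }
        }
        return bl;
    }

    /** Exact-match lookup: cost is bounded by the candidate's length, not by the list size. */
    public boolean contains(String candidate) {
        Node n = root;
        for (int i = 0; i < candidate.length(); ) {
            int cp = candidate.codePointAt(i);
            n = n.children.get(cp);
            if (n == null) return false;
            i += Character.charCount(cp);
        }
        return n.terminal;
    }

    public int size() { return size; }

    public static void main(String[] args) throws IOException {
        // Constructed sample list for the demo, not an excerpt of a real SecLists file.
        Path tmp = Files.createTempFile("blacklist", ".txt");
        Files.write(tmp, Arrays.asList("123456", "password", "qwerty", "letmein"), StandardCharsets.UTF_8);
        try {
            PasswordBlacklist bl = fromFile(tmp.toString());
            System.out.println(bl.size() + " entries; 'password' rejected: " + bl.contains("password")
                    + "; 'Password' rejected: " + bl.contains("Password") + " (exact match only)");
        } finally {
            Files.deleteIfExists(tmp);
        }
        // Marek's point from the thread: a missing list must surface as an error, not a silent no-op.
        try {
            fromFile("/nonexistent/password-blacklist.txt");
        } catch (IllegalStateException e) {
            System.out.println("rejected config: " + e.getMessage());
        }
    }
}
```

Two things a practitioner would check before deploying a policy shaped like this. The lookup is exact, and lists such as the SecLists ones are mostly lowercase, so a candidate like "Password" passes unless the policy normalises the candidate before the lookup; the thread leaves that choice open. And the failure is raised when the list is loaded, at startup or on a config change, rather than on the first password change, which is what makes a misconfiguration visible to the admin instead of to a user.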