[keycloak-dev] Blacklist Password Policy

Bruno Oliveira bruno at abstractj.org
Thu Aug 10 07:03:57 EDT 2017


In order not to miss this, I just created the following JIRAs:

https://issues.jboss.org/browse/KEYCLOAK-5275
https://issues.jboss.org/browse/KEYCLOAK-5276


On Wed, Aug 9, 2017 at 5:06 PM Bruno Oliveira <bruno at abstractj.org> wrote:

> A little bit late for the discussion, but today I was looking into
> http://www.kitploit.com/2017/08/jwt-cracker-simple-hs256-jwt-token.html and
> wondering whether it would be interesting to provide the same for client
> secrets, just to prevent weak secrets.
>
> Of course this is out of scope for this implementation, but maybe a
> nice-to-have.
>
> On Thu, Aug 3, 2017 at 11:31 AM Marek Posolda <mposolda at redhat.com> wrote:
>
>> My vote is to throw an error if the password list cannot be found on the
>> filesystem. IMO it would be bad if the admin had the impression that he
>> had successfully configured the blacklist password policy even though it
>> doesn't work in reality. An error should rather be thrown, so the admin
>> is aware that it doesn't work.
>>
>> However, the biggest issue with the PR is another dependency, as Hynek
>> pointed out in the PR and I did in the other thread.
>>
>> Marek
>>
>>
>> On 03/08/17 12:28, Thomas Darimont wrote:
>> > Hello,
>> >
>> > great, that's just what I built :) here is the PR:
>> > https://github.com/keycloak/keycloak/pull/4370
>> >
>> > I'm not sure about the error handling if a configured password list
>> > cannot be found on the filesystem:
>> > https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78
>> >
>> > Looking forward to your feedback :)
>> >
>> > Cheers,
>> > Thomas
>> >
>> > 2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>> >
>> >     +1 for filesystem.
>> >
>> >     Marek
>> >
>> >
>> >     On 29/07/17 10:06, Thomas Darimont wrote:
>> >
>> >         Okay cool.
>> >
>> >         Instead of storing the password blacklist in the database, I
>> >         could just refer to a password blacklist that lives on the
>> >         file system.
>> >
>> >         So Keycloak could ship with some of the lists from [0] and
>> >         refer to those with a name like "default-blacklist1000",
>> >         "default-blacklist-100000" in the BlacklistPasswordPolicy
>> >         config within the admin console.
>> >
>> >         The "default-blacklist-100000" blacklist would then be mapped
>> >         and resolve to something like
>> >         "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>> >
>> >         Users could provide their own blacklists with the provider
>> >         config stored in standalone.xml, which could then be adjusted
>> >         via jboss-cli.
>> >
>> >         I think this filesystem-based approach is better than having
>> >         to load and store big text blobs in the database.
>> >
>> >         Cheers,
>> >         Thomas
>> >
>> >         [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> >
>> >         Using those password lists seems to be allowed according to
>> >         their license:
>> >         https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
>> >         which is the Creative Commons Attribution-ShareAlike 3.0 License
>> >         -> IANAL, but it seems to be usable in commercial products as
>> >         well (https://creativecommons.org/licenses/by-sa/3.0/), as long
>> >         as the authors are mentioned.
>> >
>> >
>> >         2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>> >
>> >             Yah, that sounds cool.
>> >
>> >
>> >             On 7/28/17 11:48 AM, Thomas Darimont wrote:
>> >
>> >                 Hello,
>> >
>> >                 I built a configurable Password Policy that allows
>> >                 matching a given password against a blacklist of
>> >                 easy-to-guess passwords that should not be allowed as
>> >                 user passwords.
>> >
>> >                 The 'BlacklistPasswordPolicyProvider' can be
>> >                 configured via the admin UI with a ";"-delimited list
>> >                 of easy-to-guess passwords.
>> >
>> >                 If the user or admin wants to change the password, it
>> >                 is checked against the blacklist.
>> >                 A password list can be found here:
>> >                 https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> >
>> >                 A blacklist is of course not a perfect solution but
>> >                 could still be useful for some users.
>> >
>> >                 The password blacklist would be compiled into a trie at
>> >                 startup (and on changes of the blacklist) for efficient
>> >                 lookups.
>> >
>> >                 WDYT?
>> >
>> >                 Cheers,
>> >                 Thomas
>> >                 _______________________________________________
>> >                 keycloak-dev mailing list
>> >                 keycloak-dev at lists.jboss.org
>> >                 https://lists.jboss.org/mailman/listinfo/keycloak-dev
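The two design points argued in the thread above, a blacklist compiled into a trie that is loaded from the filesystem and fails closed when the configured file is missing, and Bruno's follow-up idea of running the same weak-secret check against client secrets, as one added example. This is not Keycloak's code and not the PR under discussion; the names Blacklist, load_blacklist, validate_password, write_sample_list, hs256_jwt and crack_hs256, the error string "invalidPasswordBlacklistedMessage", the case-insensitive match and the SAMPLE_WORDS list are all assumptions for illustration (the list is constructed here to stand in for a SecLists file).

```python
# Added example, not Keycloak's code: a password blacklist loaded from the
# filesystem into a trie, failing closed when the configured file is missing,
# and the same word list used to recover a weak HS256 client secret. The names
# and the error code string below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample list standing in for a SecLists file such as
# 10_million_password_list_top_100000.txt.
SAMPLE_WORDS = ["123456", "password", "qwerty", "letmein", "admin", "secret"]

class TrieNode:
    def __init__(self):
        self.children = {}
        self.terminal = False

class Blacklist:
    """Word list compiled into a trie; a lookup costs O(len(password))."""

    def __init__(self):
        self.root = TrieNode()
        self.size = 0

    def add(self, word):
        node = self.root
        for ch in word:
            node = node.children.setdefault(ch, TrieNode())
        node.terminal = True
        self.size += 1

    def contains(self, word):
        node = self.root
        for ch in word:
            node = node.children.get(ch)
            if node is None:
                return False
        return node.terminal

class BlacklistNotFound(Exception):
    """Configured list is missing: raise rather than silently accept everything."""

def load_blacklist(path):
    """Compile the list at `path`; fail closed (raise) if the file is absent."""
    if not os.path.isfile(path):
        raise BlacklistNotFound("password blacklist not found: %s" % path)
    bl = Blacklist()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            word = line.rstrip("\r\n")
            if word:
                bl.add(word.lower())  # assumption: match case-insensitively
    return bl

def validate_password(blacklist, password):
    """Return an error code, as a policy provider would, or None if acceptable."""
    if blacklist.contains(password.lower()):
        return "invalidPasswordBlacklistedMessage"
    return None

def write_sample_list(directory=None):
    """Write the constructed SAMPLE_WORDS to a file and return its path."""
    path = os.path.join(directory or tempfile.mkdtemp(), "sample-blacklist.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_WORDS) + "\n")
    return path

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def hs256_jwt(claims, secret):
    """Mint a minimal HS256 JWT signed with `secret` (e.g. a client secret)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))

def crack_hs256(token, candidates):
    """Dictionary attack: return the candidate that verifies `token`, else None."""
    header, payload, sig = token.split(".")
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    target = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    for word in candidates:
        mac = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return word
    return None

if __name__ == "__main__":
    bl = load_blacklist(write_sample_list())
    print(validate_password(bl, "Password"))  # invalidPasswordBlacklistedMessage
    print(crack_hs256(hs256_jwt({"sub": "client-a"}, "secret"), SAMPLE_WORDS))  # secret
```

The trie follows the design proposed in the thread; for a pure exact-match check a Python set would serve equally well, the trie only pays off when prefix queries or shared storage matter. The important behaviour is in load_blacklist: a missing file raises instead of returning an empty list, which is the failure mode Marek wanted surfaced to the admin. crack_hs256 is the reason Bruno's client-secret idea matters: any client secret that appears in the same word list is recovered from a single captured token in one pass over the list, so running validate_password over client secrets at creation time closes that gap.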