[keycloak-dev] Blacklist Password Policy
thomas.darimont at googlemail.com
Sat Jul 29 04:06:42 EDT 2017
Instead of storing the password blacklist in the database I could instead
just refer to a password
blacklist that lives on the file system.
So Keycloak could ship with some of the lists from  and refer to those
with a name like "default-blacklist1000", "default-blacklist-100000"
in the BlacklistPasswordPolicy
within the admin-console.
The "default-blacklist-100000" blacklist would then be mapped and resolve
Users could provide their own blacklists with the provider config stored in
than could then be adjusted via jboss-cli.
I think this filesystem based approach is better than having to load and
store big text-blobs in the database.
Using those password lists seems to be allowed according to their license:
which is Creative Commons Attribution ShareAlike 3.0 License
-> IANAL but it seems to be useable in commercial products as well
as long as the authors are mentioned.
2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
> Yah, that sounds cool.
> On 7/28/17 11:48 AM, Thomas Darimont wrote:
> > Hello,
> > I build a configurable Password Policy that allows to match a given
> > password against
> > a blacklist with easy to guess passwords that should be not allowed as
> > passwords.
> > The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
> > with a ";" delimited list of easy to guess passwords.
> > If the user / or admin want's to change the password it is checked
> > the blacklist.
> > A password list can be found here:
> > https://github.com/danielmiessler/SecLists/tree/master/Passwords
> > A blacklist is of course not a perfect solution but could still be useful
> > for some users.
> > Password blacklist would be compiled to a trie at startup (and on changes
> > of the blacklist)
> > for efficient lookups.
> > WDYT?
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev