[keycloak-dev] Blacklist Password Policy

Thomas Darimont thomas.darimont at googlemail.com
Sat Jul 29 04:06:42 EDT 2017


Okay cool.

Instead of storing the password blacklist in the database I could just refer to a password blacklist that lives on the file system.

So Keycloak could ship with some of the lists from [0] and refer to those with a name like "default-blacklist-1000", "default-blacklist-100000" in the BlacklistPasswordPolicy config within the admin-console.

The "default-blacklist-100000" blacklist would then be mapped and resolve to something like "META-INF/password-blacklist/10_million_password_list_top_100000.txt".

Users could provide their own blacklists with the provider config stored in standalone.xml, which could then be adjusted via jboss-cli.

I think this filesystem-based approach is better than having to load and store big text blobs in the database.

Cheers,
Thomas

[0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
Using those password lists seems to be allowed according to their license:
https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
which is the Creative Commons Attribution ShareAlike 3.0 License
-> IANAL, but it seems to be usable in commercial products as well
https://creativecommons.org/licenses/by-sa/3.0/
as long as the authors are mentioned.


2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:

> Yah, that sounds cool.
>
>
> On 7/28/17 11:48 AM, Thomas Darimont wrote:
> > Hello,
> >
> > I built a configurable Password Policy that allows matching a given
> > password against a blacklist of easy-to-guess passwords that should not
> > be allowed as user passwords.
> >
> > The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
> > with a ";"-delimited list of easy-to-guess passwords.
> >
> > If the user or admin wants to change the password, it is checked against
> > the blacklist.
> > A password list can be found here:
> > https://github.com/danielmiessler/SecLists/tree/master/Passwords
> >
> > A blacklist is of course not a perfect solution but could still be useful
> > for some users.
> >
> > The password blacklist would be compiled to a trie at startup (and on
> > changes of the blacklist) for efficient lookups.
> >
> > WDYT?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
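To make the proposal above concrete, here is an added standalone Python model of the design; it is not Keycloak code and not Thomas's implementation. A bundled list is resolved by name to a file under META-INF/password-blacklist, the file (or an admin-provided file, or the original ";"-delimited inline list) is compiled into a trie once, and a candidate password is rejected only on an exact match. The name-to-file table, the lenient UTF-8 decoding and the sample list contents are assumptions.

```python
import os
import tempfile
# Layout the mail proposes: bundled lists under META-INF/password-blacklist,
# referred to by name from the policy config (the name->file table is assumed).
BUNDLED_DIR = os.path.join("META-INF", "password-blacklist")
BUNDLED = {"default-blacklist-1000": "10_million_password_list_top_1000.txt",
           "default-blacklist-100000": "10_million_password_list_top_100000.txt"}

class Trie:
    """Blacklist compiled into a trie once; a lookup costs O(len(password))."""
    def __init__(self):
        self.children, self.terminal = {}, False
    def add(self, word):
        node = self
        for ch in word:
            node = node.children.setdefault(ch, Trie())
        node.terminal = True
    def contains(self, word):
        node = self
        for ch in word:
            node = node.children.get(ch)
            if node is None:
                return False
        return node.terminal

def compile_blacklist(config, resource_root):
    """config: bundled list name, admin-provided file path, or ';'-delimited inline list."""
    trie = Trie()
    if config in BUNDLED:
        path = os.path.join(resource_root, BUNDLED_DIR, BUNDLED[config])
    elif os.path.isfile(config):
        path = config
    else:
        for pw in filter(None, config.split(";")):
            trie.add(pw)
        return trie
    # SecLists files are not guaranteed to be clean UTF-8, so decode leniently.
    with open(path, encoding="utf-8", errors="replace") as fh:
        for pw in filter(None, (line.rstrip("\r\n") for line in fh)):
            trie.add(pw)
    return trie

def build_sample_resources():  # constructed stand-in for the bundled lists
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, BUNDLED_DIR))
    for name, body in (("default-blacklist-1000", "123456\npassword\n"),
                       ("default-blacklist-100000", "123456\npassword\nletmein\n")):
        with open(os.path.join(root, BUNDLED_DIR, BUNDLED[name]), "w") as fh:
            fh.write(body)
    return root
```

In Keycloak the bundled resource would be read from the classpath at startup; a temp directory stands in for it here. Note that the trie answers exact matches only, so a prefix of a blacklisted entry is not rejected.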

