[keycloak-dev] Rehash password after each login

Hynek Mlnarik hmlnarik at redhat.com
Fri Jun 23 09:10:58 EDT 2017


The o.k.credential.PasswordCredentialProvider.isValid() method at its
end [1] rehashes and stores the credentials upon successful
authentication. This has benefits in that whenever the hashing algorithm
or policy changes (e.g. number of iterations), after a login the user
password would be stored again. If nothing changes, the password is at
least rehashed with another salt. Actually, as the password
policy/algorithm usually does not change too often, it also induces
unnecessary network traffic, because a user invalidation is sent to other
nodes in the cluster (and other DCs) after each successful login.

One way to mitigate the issue is to invalidate the current encoded
password only if the variant encoded using the same salt as the original
password and the current password policy is different from the stored one.
If occasional rehashing would be a must, it would be possible to
update credentials after login with new hash only once in a given
period of time (e.g. at most weekly, this can be determined from the
password created date).

WDYT?

--Hynek

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L210-L215
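The two mitigations proposed in the message, as an added standalone model that is not Keycloak's code (the real provider lives in the class linked at [1]): a login verifies the password against the stored hash, then writes a fresh credential back only when the re-encoding under the current policy with the stored salt differs from what is stored, or when the stored credential is older than a rehash period. Everything else, the PBKDF2 parameters, the dataclasses, the one-week period and the sample password, is assumed here for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    """Current realm policy (assumed shape): hashlib digest name and PBKDF2 iteration count."""
    algorithm: str
    iterations: int


@dataclass(frozen=True)
class StoredCredential:
    """What is persisted for a user: the parameters the hash was made with, the salt, the hash, and creation time."""
    algorithm: str
    iterations: int
    salt: bytes
    hash: bytes
    created: datetime


def encode(password: str, salt: bytes, policy: PasswordPolicy) -> bytes:
    # PBKDF2 is deterministic: same password, salt and parameters always give the same output.
    return hashlib.pbkdf2_hmac(policy.algorithm, password.encode("utf-8"),
                               salt, policy.iterations, dklen=32)


def create_credential(password: str, policy: PasswordPolicy, now: datetime) -> StoredCredential:
    # A fresh salt every time a credential is (re)stored.
    salt = os.urandom(16)
    return StoredCredential(policy.algorithm, policy.iterations, salt,
                            encode(password, salt, policy), now)


def verify(password: str, cred: StoredCredential) -> bool:
    # Always verify with the parameters the credential was stored under, not the current policy.
    stored_policy = PasswordPolicy(cred.algorithm, cred.iterations)
    return hmac.compare_digest(encode(password, cred.salt, stored_policy), cred.hash)


def policy_changed(password: str, cred: StoredCredential, policy: PasswordPolicy) -> bool:
    # First suggestion from the message: re-encode with the *same* salt under the *current* policy
    # and compare with the stored value. For a deterministic KDF this is equivalent to comparing
    # (algorithm, iterations), which would save one KDF run per login.
    return not hmac.compare_digest(encode(password, cred.salt, policy), cred.hash)


def due_for_periodic_rehash(cred: StoredCredential, now: datetime, period: timedelta) -> bool:
    # Second suggestion: rehash with a new salt at most once per period, judged from the created date.
    return now - cred.created >= period


def login(password: str, cred: StoredCredential, policy: PasswordPolicy,
          now: datetime, period: timedelta = timedelta(days=7)):
    """Return (authenticated, updated_credential).

    updated_credential is None when nothing needs to be written back, which is the
    case that avoids the cluster-wide user invalidation on every login.
    """
    if not verify(password, cred):
        return False, None
    if policy_changed(password, cred, policy) or due_for_periodic_rehash(cred, now, period):
        return True, create_credential(password, policy, now)
    return True, None


if __name__ == "__main__":
    # Constructed sample run; iteration counts are kept low so the demo is fast.
    old_policy = PasswordPolicy("sha256", 1000)
    new_policy = PasswordPolicy("sha256", 2000)
    t0 = datetime(2017, 6, 23, tzinfo=timezone.utc)
    cred = create_credential("correct horse battery staple", old_policy, t0)
    for label, pol, when in (("same policy, same week", old_policy, t0 + timedelta(hours=1)),
                             ("iterations raised", new_policy, t0 + timedelta(hours=1)),
                             ("same policy, a week later", old_policy, t0 + timedelta(days=8))):
        ok, updated = login("correct horse battery staple", cred, pol, when)
        print(f"{label}: authenticated={ok}, write-back={'yes' if updated else 'no'}")
```

Of the three logins in the demo only the first produces no write-back; the other two store a new salt and hash, the second one under the raised iteration count. A wrong password never triggers a write-back, so a failed login cannot be used to force invalidation traffic.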