[keycloak-dev] Rehash password after each login

Stian Thorgersen sthorger at redhat.com
Mon Jun 26 02:28:30 EDT 2017

Passwords should only be rehashed if the algorithm or hashing iterations
change. They should not be re-hashed periodically and certainly not for every
login. This is a bug.

On 23 June 2017 at 15:10, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> The o.k.credential.PasswordCredentialProvider.isValid() method at its
> end [1] rehashes and stores the credentials upon successful
> authentication. This has benefits in that whenever hashing algorithm
> or policy changes (e.g. number of iterations), after a login the user
> password would be stored again. If nothing changes, the password is at
> least rehashed with another salt. Actually, as the password
> policy/algorithm usually does not change too often, it also induces
> unnecessary network traffic, because a user invalidation is sent to other
> nodes in the cluster (and other DCs) after each successful login.
> One way to mitigate the issue is to invalidate the current encoded
> password only if the variant encoded using the same salt as original
> password and current password policy is different to the stored one.
> If occasional rehashing would be a must, it would be possible to
> update credentials after login with new hash only once in a given
> period of time (e.g. at most weekly, this can be determined from the
> password created date).
> --Hynek
> [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L210-L215
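The two positions in the thread (rehash only when the algorithm or iteration count changes, versus rehash on every login) come down to one decision in the login path: after a successful verification, compare the stored credential's hashing parameters with the current policy and write a new hash only when they differ. The following is an added, standalone illustration of that check, not Keycloak's code and not the PasswordCredentialProvider linked above; it uses PBKDF2 from Python's hashlib and a small constructed credential record so that the number of credential writes can be counted across a series of logins. The class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Current realm policy (hypothetical shape): hashlib digest name and PBKDF2 iterations."""
    algorithm: str
    iterations: int


@dataclass(frozen=True)
class StoredCredential:
    """Constructed credential record: the parameters it was hashed with, plus salt and digest."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


def encode(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    """PBKDF2-HMAC of the password under the given parameters."""
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)


def create_credential(password: str, policy: PasswordPolicy) -> StoredCredential:
    """Hash the password under the current policy with a fresh random salt."""
    salt = os.urandom(16)
    digest = encode(password, policy.algorithm, policy.iterations, salt)
    return StoredCredential(policy.algorithm, policy.iterations, salt, digest)


def verify(password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    candidate = encode(password, cred.algorithm, cred.iterations, cred.salt)
    return hmac.compare_digest(candidate, cred.digest)


def needs_rehash(cred: StoredCredential, policy: PasswordPolicy) -> bool:
    """Stian's rule: rehash only if the algorithm or iteration count changed."""
    return cred.algorithm != policy.algorithm or cred.iterations != policy.iterations


def needs_rehash_by_reencoding(password: str, cred: StoredCredential, policy: PasswordPolicy) -> bool:
    """Hynek's variant: re-encode with the ORIGINAL salt under the current policy and
    compare to the stored digest; useful when the record does not carry its parameters.
    Costs one extra KDF run per login, so the metadata check above is preferable when available."""
    candidate = encode(password, policy.algorithm, policy.iterations, cred.salt)
    return not hmac.compare_digest(candidate, cred.digest)


def login(password: str, cred: StoredCredential, policy: PasswordPolicy):
    """Returns (authenticated, replacement credential or None).
    A replacement is produced only when the stored parameters are out of date,
    so an unchanged policy causes no credential write and no cluster invalidation."""
    if not verify(password, cred):
        return False, None
    if needs_rehash(cred, policy):
        return True, create_credential(password, policy)
    return True, None


def simulate_logins(password: str, initial: PasswordPolicy, policies_per_login):
    """Create a credential under `initial`, then log in once per policy in the list.
    Returns (number of credential writes, final credential)."""
    cred = create_credential(password, initial)
    writes = 0
    for policy in policies_per_login:
        ok, replacement = login(password, cred, policy)
        if not ok:
            raise RuntimeError("constructed password failed to verify")
        if replacement is not None:
            cred = replacement
            writes += 1
    return writes, cred


if __name__ == "__main__":
    old = PasswordPolicy("sha256", 20000)
    new = PasswordPolicy("sha256", 27500)
    # Five logins: three under the unchanged policy, two after raising iterations.
    writes, final = simulate_logins("correct horse battery staple", old, [old, old, old, new, new])
    print(f"credential writes: {writes} (expected 1), final iterations: {final.iterations}")
```

With the metadata check, the three logins under the unchanged policy produce no write at all; the first login after the iteration count is raised produces exactly one, and the login after that none again. Swapping `needs_rehash` for `needs_rehash_by_reencoding` in `login` yields the same write pattern at the cost of one extra PBKDF2 computation per login.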
