[keycloak-dev] Rehash password after each login

Hynek Mlnarik hmlnarik at redhat.com
Mon Jun 26 06:03:36 EDT 2017


Created https://issues.jboss.org/browse/KEYCLOAK-5090

On Mon, Jun 26, 2017 at 8:28 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> Passwords should only be rehashed if the algorithm or hashing iterations
> change. They should not be re-hashed periodically and certainly for every
> login. This is a bug.
>
> On 23 June 2017 at 15:10, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>>
>> The o.k.credential.PasswordCredentialProvider.isValid() method at its
>> end [1] rehashes and stores the credentials upon successful
>> authentication. This has benefits in that whenever the hashing algorithm
>> or policy changes (e.g. number of iterations), after a login the user
>> password would be stored again. If nothing changes, the password is at
>> least rehashed with another salt. Actually, as the password
>> policy/algorithm usually does not change too often, it also induces
>> unnecessary network traffic, because a user invalidation is sent to other
>> nodes in the cluster (and other DCs) after each successful login.
>>
>> One way to mitigate the issue is to invalidate the current encoded
>> password only if the variant encoded using the same salt as the original
>> password and the current password policy is different to the stored one.
>> If occasional rehashing would be a must, it would be possible to
>> update credentials after login with new hash only once in a given
>> period of time (e.g. at most weekly, this can be determined from the
>> password created date).
>>
>> WDYT?
>>
>> --Hynek
>>
>> [1]
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L210-L215
>
>



-- 

--Hynek
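
Added example, not part of the thread and not Keycloak's code: a minimal Java 16+ sketch of the behaviour discussed above, where a successful login writes a new hash only when the stored algorithm or iteration count differs from the current policy. The `Policy` and `Stored` types, the `login` method and the iteration counts are hypothetical and constructed for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class RehashOnPolicyChange {
    // Hypothetical types for this example; not Keycloak's credential model.
    record Policy(String algorithm, int iterations) {}
    record Stored(String algorithm, int iterations, byte[] salt, byte[] hash) {}

    static byte[] pbkdf2(String algorithm, int iterations, byte[] salt, char[] password)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
    }

    static Stored encode(Policy policy, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh salt only when a new hash is really stored
        return new Stored(policy.algorithm(), policy.iterations(), salt,
                pbkdf2(policy.algorithm(), policy.iterations(), salt, password));
    }

    /** Returns null on a wrong password, the same Stored object when nothing
     *  needs to change, or a newly encoded Stored when the policy differs. */
    static Stored login(Stored stored, char[] password, Policy current)
            throws GeneralSecurityException {
        byte[] candidate = pbkdf2(stored.algorithm(), stored.iterations(), stored.salt(), password);
        if (!MessageDigest.isEqual(candidate, stored.hash())) return null; // constant-time compare
        boolean upToDate = stored.algorithm().equals(current.algorithm())
                && stored.iterations() == current.iterations();
        // Only a policy change triggers a write (and with it a cluster invalidation).
        return upToDate ? stored : encode(current, password);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "correct horse".toCharArray(); // constructed sample input
        Policy old = new Policy("PBKDF2WithHmacSHA256", 20_000);
        Stored stored = encode(old, pw);
        System.out.println("same policy, write needed: " + (login(stored, pw, old) != stored));
        Policy raised = new Policy("PBKDF2WithHmacSHA256", 27_500);
        Stored updated = login(stored, pw, raised);
        System.out.println("raised iterations, write needed: " + (updated != stored)
                + ", now stored with " + updated.iterations() + " iterations");
        System.out.println("wrong password accepted: "
                + (login(stored, "guess".toCharArray(), raised) != null));
    }
}
```

The caller persists the credential, and so triggers the user invalidation, only when `login` returns an object other than the one it was given.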

