[keycloak-dev] haveibeenpwned.com password policy provider

Marek Posolda mposolda at redhat.com
Wed Jul 25 13:26:53 EDT 2018


This is interesting, but I am not 100% sure if it's something to be 
supported in Keycloak OOTB. Every built-in provider adds some 
complexity, needs maintenance/refactoring, etc. Maybe something to be 
added to our extensions page [1]?

[1] https://www.keycloak.org/extensions.html

Marek

On 23/07/18 00:26, Chris Pitman wrote:
> I personally think this is great. In many ways it covers the need for any
> minimum complexity requirements, since most "obvious" passwords are in the
> database if people use them. Also covers the much more common case now of
> taking leaked passwords and attempting them on other sites.
>
> On Sun, Jul 22, 2018 at 5:32 PM Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello Keycloak Team,
>>
>> yesterday I implemented a password policy provider [0] for Keycloak
>> which checks if a given password is contained in the password breach
>> database haveibeenpwned.com.
>>
>> The policy provider uses their range based password search API [1],
>> which uses a "k-Anonymity model" [2] which allows a password to be
>> looked up by partial hash.
>>
>> The real password is never revealed to the service; only the first few
>> bytes of the SHA-1 hash are used for the search, which then returns a
>> list of password hashes with the given prefix.
>> Those hashes are then checked by the provider to see if the actual
>> password was contained in the database and how often it occurred.
>>
>> Do you guys think that this could be something interesting to add to
>> Keycloak?
>>
>> Cheers,
>> Thomas
>>
>> [0]
>> https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-XXX-haveibeenpwned-password-policy
>> [1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
>> [2] https://en.wikipedia.org/wiki/K-anonymity
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
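The lookup Thomas describes, written out as an added example that is not part of this thread or of the linked Keycloak branch: hash the password with SHA-1, send only the first 5 hex characters to the range endpoint, and compare the 35-character remainder against the returned list locally. The range responses below are constructed inline (made-up counts and neighbouring suffixes) so the code runs offline; `fetch_range_live`, `FakeRangeClient` and `violates_policy` are names chosen here, and the live function targets the endpoint documented for the range API (`https://api.pwnedpasswords.com/range/<prefix>`) but is never called by default.

```python
"""Added example (not from the thread or Keycloak): a k-anonymity range check
as described in the thread. Only the first 5 hex characters of the SHA-1 hash
ever leave the process; the remaining 35 are compared locally."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed range responses keyed by SHA-1 prefix, in the "SUFFIX:COUNT" line
# format the range API uses. Counts and the neighbouring suffixes are made up.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
    ),
    # SHA-1("abc") = A9993E364706816ABA3E25717850C26C9CD0D89D; its suffix is
    # deliberately absent, so "abc" is reported as not found.
    "A9993": "0123456789ABCDEF0123456789ABCDEF012:7\r\n",
}


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars sent to the service and the
    35 hex chars that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF,
    blank lines and lower-case hex."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


class FakeRangeClient:
    """Offline stand-in for the range API; records every prefix requested so a
    test can confirm the full hash never leaves the process."""

    def __init__(self) -> None:
        self.requests: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        return FAKE_RANGE_RESPONSES.get(prefix, "")


def fetch_range_live(prefix: str, timeout: float = 5.0) -> str:
    """Real lookup against the range endpoint from the HIBP API docs (not
    called by default; the service requires a User-Agent header)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def violates_policy(password: str, fetch_range: Callable[[str], str],
                    max_allowed: int = 0) -> bool:
    """Policy decision: reject when the password was seen more than
    max_allowed times (0 rejects any known breached password)."""
    return breach_count(password, fetch_range) > max_allowed


if __name__ == "__main__":
    client = FakeRangeClient()
    for pw in ("password", "abc"):
        print(pw, "->", breach_count(pw, client), "occurrences,",
              "rejected" if violates_policy(pw, client) else "accepted")
    print("prefixes sent to the service:", client.requests)
```

The recorded `client.requests` list is the point of the k-anonymity model: the service only ever sees `5BAA6` and `A9993`, never a full hash. A provider wired into a login or registration flow also has to decide what happens when the range endpoint times out or returns an error; whether that fails open (accept the password) or closed (reject it) is a policy choice the operator should make explicitly rather than leave to an unhandled exception.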
