[keycloak-user] extra password policy, interesting?
lists
lists at merit.unu.edu
Tue Sep 5 03:32:11 EDT 2017
Hi,
Recently we were under attack of a botnet, trying out passwords for our
accounts, and we learned a lot from it. :-)
We learned the kinds of passwords and variations that were tried, and
how they were composed. Therefore, I would like to suggest an extra
password policy: a list of forbidden words (like an expression blacklist)
We noticed that the botnet actually took often-occuring words from our
website, and tried those for passwords, often adding things like: a
year, or a part (subdomain or domain) of our email addresses.
(username at subdomain.domain.com)
So, now we know what passwords are tried, but we have no way of
prohibiting those passwords/terms. We can only ask our users not to use
those words in their passwords.
If we could define blacklisted words, that would help (us) a lot.
(and perhaps others too?)
MJ
More information about the keycloak-user
mailing list