[keycloak-user] extra password policy, interesting?
lists
lists at merit.unu.edu
Tue Sep 5 03:51:07 EDT 2017
Haha super!
So we were not alone with our sudden interest in that feature :-)
Thanks!
MJ
On 5-9-2017 9:35, Thomas Darimont wrote:
> Hello,
>
> there is already a PR for that :)
> https://github.com/keycloak/keycloak/pull/4370
>
> Cheers,
> Thomas
>
> 2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu
> <mailto:lists at merit.unu.edu>>:
>
> Hi,
>
> Recently we were under attack of a botnet, trying out passwords for our
> accounts, and we learned a lot from it. :-)
>
> We learned the kinds of passwords and variations that were tried, and
> how they were composed. Therefore, I would like to suggest an extra
> password policy: a list of forbidden words (like an expression
> blacklist)
>
> We noticed that the botnet actually took often-occuring words from our
> website, and tried those for passwords, often adding things like: a
> year, or a part (subdomain or domain) of our email addresses.
> (username at subdomain.domain.com <mailto:username at subdomain.domain.com>)
>
> So, now we know what passwords are tried, but we have no way of
> prohibiting those passwords/terms. We can only ask our users not to use
> those words in their passwords.
>
> If we could define blacklisted words, that would help (us) a lot.
>
> (and perhaps others too?)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
More information about the keycloak-user
mailing list