<div dir="ltr">JIRA issue for common password check: <a href="https://issues.jboss.org/browse/KEYCLOAK-2822">https://issues.jboss.org/browse/KEYCLOAK-2822</a></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 April 2016 at 08:08, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 13 April 2016 at 21:48, Richard Lavallee <span dir="ltr"><<a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">I appreciate your patience, Stian,<div>is the below list also supported by Keycloak?<br><br><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Do you want to enable password aging?</td><td><select name="PASSWORD_AGE_IND" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="Y" selected>Yes</option><option value="N">No</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Select the number of days before password must be changed.</td><td><select name="PASSWORD_DAYS" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="30" selected>30</option><option value="35">35</option><option value="40">40</option><option value="45">45</option><option value="50">50</option><option value="55">55</option><option value="60">60</option><option value="65">65</option><option value="70">70</option><option value="75">75</option><option value="80">80</option><option value="85">85</option><option value="90">90</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Do you want to enable session timeouts?</td><td><select name="SESSION_TIMEOUT_IND" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="Y">Yes</option><option value="N" selected>No</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Enforce password complexity rules</td><td><select name="ENFORCE_PWD_COMPLEXITY" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="Y" selected>Yes</option><option value="N">No</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Depends what the rules are ;)</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Minimum password length</td><td><select name="MIN_PASSWORD_LENGTH" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0">0 (Disabled)</option><option value="4">4</option><option value="8" selected>8</option><option value="12">12</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Block reuse of how many recent passwords</td><td><select name="BLOCK_RECENT_PWD_CNT" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0" selected>0 (Disabled)</option><option value="6">6</option><option value="12">12</option><option value="24">24</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Block change of new passwords for how many days?</td><td><select name="BLOCK_PASSWORD_CHANGE" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0">0 (Disabled)</option><option value="15">15</option><option value="30" selected>30</option><option value="45">45</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>No, you can create a JIRA for this one though</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Force change of new account passwords on first login?</td><td><select name="FORCE_NEW_PASSWORD_CHANGE" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="Y" selected>Yes</option><option value="N">No</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Select amount of time before session will be terminated.</td><td><select name="TIMEOUT_MINUTES" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="15" selected>15</option><option value="30">30</option><option value="45">45</option><option value="60">60</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Do you want to check for common passwords?</td><td><select name="COMMON_PASSWORDS" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="Y" selected>Yes</option><option value="N">No</option></select></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>No, we really should have this one. JIRA please</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Inactivate user after how many days of inactivity?</td><td><select name="INACTIVATE_USER_AFTER_DAYS" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0">Never</option><option value="30">30</option><option value="60">60</option><option value="90">90</option><option value="120" selected>120</option></select><br></td></tr></tbody></table></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td></td></tr></tbody></table><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Number of failed login attempts to allow before temporary lockout</td><td><select name="FAILED_LOGIN_COUNT" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0">0 (Disabled)</option><option value="3" selected>3</option><option value="5">5</option></select></td></tr></tbody></table></div></div></div></div></blockquote><div><br></div></span><div>Yes</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><div><table bgcolor="#f0f0f0" align="center" width="100%" border="0" cellspacing="2" cellpadding="1" style="color:rgb(0,0,0);font-family:Arial,Helvetica,SansSerif;font-size:11px"><tbody><tr><td width="350">Number of minutes to block user after failed login attempts</td><td><select name="FAILED_LOGIN_LOCKOUT_MINUTES" size="1" style="font-family:Arial,Helvetica,SansSerif;font-size:11px;width:100px"><option value="0">0 Min</option><option value="15" selected>15 Min</option><option value="30">30 Min</option><option value="60">60 Min</option></select></td></tr></tbody></table></div></div></div></div></blockquote><div><br></div></span><div>Yes</div><div><div class="h5"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div><div><br><br><hr>Date: Wed, 13 Apr 2016 20:47:37 +0200<div><div><br>Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies<br>From: <a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a><br>To: <a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a><br>CC: <a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>; <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><br><p dir="ltr">Nope, that one is not there. You can add a jira request for it.</p>
<div>On 13 Apr 2016 20:46, "Richard Lavallee" <<a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a>> wrote:<br><blockquote style="border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr"><font color="#ff0000" face="Arial, Helvetica, SansSerif"><span style="font-size:12px;background-color:rgb(255,255,255)"><b>Is the below policy supported in Keycloak? If not can it be done in some custom way?</b></span></font><br><div><br style="color:rgb(255,0,0);font-family:Arial,Helvetica,SansSerif;font-size:12px;font-weight:bold;background-color:rgb(255,255,255)"><span style="color:rgb(255,0,0);font-family:Arial,Helvetica,SansSerif;font-size:12px;font-weight:bold;background-color:rgb(255,255,255)">You are only allowed to change your password every 30 days</span><br><br><div><hr>Date: Wed, 13 Apr 2016 20:42:20 +0200<br>Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies<br>From: <a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a><br>To: <a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a><br>CC: <a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>; <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><br><p dir="ltr">Sure, but it would be a rather lengthy one.</p>
<div>On 13 Apr 2016 17:18, "Richard Lavallee" <<a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a>> wrote:<br><blockquote style="border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Thanks. But even for repetitive letters such as "aaaa"<div>I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?<br><br><div><hr>Date: Wed, 13 Apr 2016 06:47:09 +0200<br>Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies<br>From: <a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a><br>To: <a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a><br>CC: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><br><div dir="ltr">That'd do it. I got confused and thought you didn't want to repetitive letters.</div><div><br><div>On 12 April 2016 at 19:32, Richard Lavallee <span dir="ltr"><<a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a>></span> wrote:<br><blockquote style="border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr"><span><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li style="color:rgb(11,83,148)"><span style="color:rgb(34,34,34);font-size:12.8px">Password should not have consecutive letters</span></li></ul></div></div></div></div></blockquote><div><span style="font-size:12pt">Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.</span> </div><div><br></div></span><div>Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term?</div><div><br></div><div>forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",</div><div> backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",</div><div> regex = "(" + forward + "|" + backward + ")+"; </div><div><br></div><div><br></div><div><div><hr>Date: Tue, 12 Apr 2016 06:37:41 +0200<br>Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies<br>From: <a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a><br>To: <a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a><br>CC: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a></div><div><div><br><br><div dir="ltr"><br><div><br><div>On 11 April 2016 at 20:49, Richard Lavallee <span dir="ltr"><<a href="mailto:rllavallee@hotmail.com" target="_blank">rllavallee@hotmail.com</a>></span> wrote:<br><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Does Keycloak support the following requirements?</div><div dir="ltr"><br></div><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:12.8px;color:rgb(11,83,148);background-color:rgb(255,255,255)"><b>Password:</b></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li style="color:rgb(11,83,148)"><span style="color:rgb(34,34,34);font-size:12.8px">Password should be changed in every 60 days (configurable)</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li style="color:rgb(11,83,148)"><span style="color:rgb(34,34,34);font-size:12.8px">If user enters password wrong three times account is locked out for 15 min (configurable)</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li><span style="font-size:12.8px">Password chosen should not be previous 24 passwords</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li><span style="font-size:12.8px">Password should have a letter and a number</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li style="color:rgb(11,83,148)"><span style="color:rgb(34,34,34);font-size:12.8px">Password should not have consecutive letters</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.</div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><ul><li style="color:rgb(11,83,148)"><br></li></ul></div><div style="font-family:arial,sans-serif;font-size:12.8px;color:rgb(11,83,148);background-color:rgb(255,255,255)"><b>Inactivity:</b></div><div style="font-family:arial,sans-serif;font-size:12.8px;color:rgb(11,83,148);background-color:rgb(255,255,255)"><ul><li><span style="color:rgb(34,34,34);font-size:12.8px">Application session inactivity - default is 45 minutes (can be configured)</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes, you can configure idle timeout for a session. Idle for a session is if there are no app logins or token refreshes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:12.8px;color:rgb(11,83,148);background-color:rgb(255,255,255)"><ul><li><span style="color:rgb(34,34,34);font-size:12.8px">Account inactivity - account inactivity is 30 days default (configurable)</span></li></ul></div></div></div></div></div></div></div></blockquote><div>Yes </div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span><font color="#888888"><div><br></div><div>-Richard</div><div><br></div><div><br></div><div><br></div>                                            </font></span></div></div>                                            </div></div>                                            </div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div></div></div></div></div>                                            </div></div>
</blockquote></div><br></div></div></div>                                            </div></div>
</blockquote></div></div></div>                                            </div></div>
</blockquote></div></div></div></div></div>                                            </div></div>
</blockquote></div></div></div><br></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>