I personally think this is great. In many ways it covers the need for any
minimum complexity requirements, since most "obvious" passwords are in the
database if people use them. Also covers the much more common case now of
taking leaked passwords and attempting them on other sites.
On Sun, Jul 22, 2018 at 5:32 PM Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
Hello Keycloak Team,

yesterday I implemented a password policy provider [0] for Keycloak which checks if a given password is contained in the password breach database haveibeenpwned.com.

The policy provider uses their range based password search API [1] which uses a "k-Anonymity model" [2] which allows a password to be looked up by partial hash. The real password is never revealed to the service, only the first few bytes of the SHA-1 hash are used for the search, which then returns a list of password hashes with the given prefix. Those hashes are then checked by the provider to see if the actual password was contained in the database and how often it occurred.

Do you guys think that this could be something interesting to add to Keycloak?

Cheers,
Thomas

[0] https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-XXX-haveib...
[1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
[2] https://en.wikipedia.org/wiki/K-anonymity
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Chris Pitman
Senior Architect, Red Hat Consulting
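The range lookup Thomas describes, as an added Python example that is not part of the thread or of his Keycloak provider: hash the candidate password with SHA-1, send only the first five hex characters of the digest to the range endpoint, and match the remaining suffix against the returned `SUFFIX:COUNT` lines locally. The network is never touched by default; the lookup function takes a fetcher, and the embedded response for prefix `5BAA6` is constructed sample data in the API's plain-text format (the counts are made up). The `https://api.pwnedpasswords.com/range/<prefix>` endpoint used by the optional live fetcher is the service's documented range URL, not something taken from the message.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample response for prefix "5BAA6", which is the prefix of
# SHA-1("password"). Lines imitate the API's "SUFFIX:COUNT" format; the
# counts are made up for this example.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFFE1D5C2B5B0C1B15E1A4E3B6D6E2C9F1A:12",
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): only the 5-char prefix ever leaves the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count) if count.strip().isdigit() else 0
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Fetcher backed by the constructed sample data (used by default)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def http_fetch_range(prefix: str) -> str:
    """Live fetcher (assumed endpoint URL); not called anywhere by default."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix.upper()
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How often the password appears in the breach corpus (0 if not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_policy_ok(password: str, max_occurrences: int = 0,
                       fetch_range: Callable[[str], str] = offline_fetch_range) -> bool:
    """Policy decision: reject passwords seen more than max_occurrences times."""
    return pwned_count(password, fetch_range) <= max_occurrences


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xyzzy-2018"):
        prefix, _ = split_hash(candidate)
        print(f"{candidate!r}: sends prefix {prefix}, seen {pwned_count(candidate)} times,"
              f" policy ok = {password_policy_ok(candidate)}")
```

Swapping `offline_fetch_range` for `http_fetch_range` turns this into a real check; the provider-side logic (hash locally, compare suffixes locally) stays the same, which is the property that keeps the cleartext password and its full hash off the wire.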