Hello,
just realized that I cannot store large strings as the value for the
password policy, since all password policy configurations are stored as a
concatenated string in the password_policy column of the realm table, which
has a maximum capacity of 2550 characters :-/
Values look like:
"hashIterations and passwordHistory and passwordBlacklist(bubu;foo;bar;baz)"
One could change the column type to "text", which is "not limited", but I
think it would be better to use something else for storing such values - the
component_config table perhaps?
Thoughts?
Thomas
2017-07-28 17:48 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
Hello,
I built a configurable Password Policy that allows matching a given password
against a blacklist of easy-to-guess passwords that should not be allowed as
user passwords.
The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
with a ";" delimited list of easy to guess passwords.
If the user or admin wants to change the password, it is checked against
the blacklist.
A password list can be found here:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
A blacklist is of course not a perfect solution but could still be useful
for some users.
The password blacklist would be compiled to a trie at startup (and on changes
of the blacklist) for efficient lookups.
WDYT?
Cheers,
Thomas
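The two messages above describe the same mechanism from two sides: the provider compiles a ";"-delimited passwordBlacklist into a trie and checks every new password against it, and the whole policy is persisted as one concatenated string that has to fit into a 2550-character column. The following is an added example that is not Keycloak's code and does not use its SPI; only the policy-string format, the ";" delimiter and the column limit are taken from the thread, while the function names, the case-insensitive matching and the sample inputs are assumptions made for illustration:

```python
"""Added example, not Keycloak's own code: parse the concatenated realm
password-policy string from the thread, compile the passwordBlacklist
entries into a trie and check candidate passwords against it.

Only the format "a and b(arg) and passwordBlacklist(x;y;z)", the ";"
delimiter and the 2550-character column limit come from the thread; the
function names, case-insensitive matching and sample data are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

POLICY_COLUMN_LIMIT = 2550  # capacity of realm.password_policy quoted in the thread
_ENTRY_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*(?:\((.*)\))?\s*$", re.S)
_END = ""  # trie terminator key; never collides with a real character


def _split_top_level(policy: str) -> List[str]:
    """Split on ' and ' outside parentheses, so a blacklist entry that itself
    contains the text ' and ' does not break the policy apart."""
    parts: List[str] = []
    buf: List[str] = []
    depth = i = 0
    while i < len(policy):
        ch = policy[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if depth == 0 and policy.startswith(" and ", i):
            parts.append("".join(buf))
            buf = []
            i += len(" and ")
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_policy_string(policy: str) -> Dict[str, Optional[str]]:
    """'hashIterations and length(8)' -> {'hashIterations': None, 'length': '8'}"""
    parsed: Dict[str, Optional[str]] = {}
    for part in _split_top_level(policy):
        m = _ENTRY_RE.match(part)
        if not m:
            raise ValueError(f"malformed policy entry: {part!r}")
        parsed[m.group(1)] = m.group(2)
    return parsed


class PasswordBlacklist:
    """Trie of forbidden passwords; rebuilt whenever the policy changes."""

    def __init__(self, entries: Iterable[str], case_insensitive: bool = True):
        self._root: dict = {}
        self._ci = case_insensitive  # assumption: "Password" and "password" are equally weak
        self.size = 0
        for entry in entries:
            self.add(entry)

    def _norm(self, s: str) -> str:
        return s.casefold() if self._ci else s

    def add(self, password: str) -> None:
        node = self._root
        for ch in self._norm(password):
            node = node.setdefault(ch, {})
        if _END not in node:
            node[_END] = True
            self.size += 1

    def contains(self, password: str) -> bool:
        node = self._root
        for ch in self._norm(password):
            node = node.get(ch)
            if node is None:
                return False
        return _END in node


def compile_blacklist(policy: str) -> PasswordBlacklist:
    raw = parse_policy_string(policy).get("passwordBlacklist") or ""
    return PasswordBlacklist(e for e in raw.split(";") if e)


def validate_password(policy: str, candidate: str) -> Optional[str]:
    """Return an error message, or None when the candidate is not blacklisted."""
    if compile_blacklist(policy).contains(candidate):
        return "password is blacklisted"
    return None


def build_policy_string(blacklist: Iterable[str]) -> str:
    """Serialize a policy in the concatenated form the thread shows."""
    return "hashIterations and passwordHistory and passwordBlacklist(" + ";".join(blacklist) + ")"


def fits_in_policy_column(policy: str, limit: int = POLICY_COLUMN_LIMIT) -> bool:
    return len(policy) <= limit


SAMPLE_POLICY = "hashIterations and passwordHistory and passwordBlacklist(bubu;foo;bar;baz)"  # from the thread
BIG_POLICY = build_policy_string(f"pw{i:04d}" for i in range(500))  # constructed stand-in for a SecLists-sized list

if __name__ == "__main__":
    print(parse_policy_string(SAMPLE_POLICY))
    print(validate_password(SAMPLE_POLICY, "Foo"), validate_password(SAMPLE_POLICY, "correct horse"))
    print(len(BIG_POLICY), fits_in_policy_column(BIG_POLICY))
```

Even 500 six-character entries produce a policy string of 3557 characters, well past the 2550 limit, which is the situation the first message describes. For exact-match lookups a hash set would give the same answer as the trie; the trie is kept here because it mirrors the plan in the thread and additionally allows prefix queries if the policy is later extended.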