Re: [keycloak-dev] Blacklist Password Policy

Okay cool. Instead of storing the password blacklist in the database I could instead just refer to a password blacklist that lives on the file system. So Keycloak could ship with some of the lists from [0] and refer to those with a name like "default-blacklist1000", "default-blacklist-100000" in the BlacklistPasswordPolicy config within the admin-console. The "default-blacklist-100000" blacklist would then be mapped and resolve to something like "META-INF/password-blacklist/10_million_password_list_top_100000.txt". Users could provide their own blacklists with the provider config stored in standalone.xml than could then be adjusted via jboss-cli. I think this filesystem based approach is better than having to load and store big text-blobs in the database. Cheers, Thomas [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords Using those password lists seems to be allowed according to their license: https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project which is Creative Commons Attribution ShareAlike 3.0 License -> IANAL but it seems to be useable in commercial products as well https://creativecommons.org/licenses/by-sa/3.0/ as long as the authors are mentioned. 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke(a)redhat.com&gt;: > Yah, that sounds cool. > > > On 7/28/17 11:48 AM, Thomas Darimont wrote: >> Hello, >> >> I build a configurable Password Policy that allows to match a given >> password against >> a blacklist with easy to guess passwords that should be not allowed as > user >> passwords. >> >> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI >> with a ";" delimited list of easy to guess passwords. >> >> If the user / or admin want's to change the password it is checked > against >> the blacklist. >> A password list can be found here: >> https://github.com/danielmiessler/SecLists/tree/master/Passwords >> >> A blacklist is of course not a perfect solution but could still be useful >> for some users. >> >> Password blacklist would be compiled to a trie at startup (and on changes >> of the blacklist) >> for efficient lookups. >> >> WDYT? >> >> Cheers, >> Thomas >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev