My vote is to throw an error if the password list cannot be found on the
filesystem. IMO it would be bad if the admin has the impression that he just
successfully configured the blacklist password policy even if it doesn't
work in reality. There should rather be an error thrown, so the admin is aware
that it doesn't work.
However, the biggest issue with the PR is another dependency, as Hynek
pointed out in the PR and I did in the other thread.
Marek
On 03/08/17 12:28, Thomas Darimont wrote:
Hello,
Great, that's just what I built :) Here is the PR:
https://github.com/keycloak/keycloak/pull/4370
I'm not sure about the error handling if a configured password list
cannot be found on the filesystem.
https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f15...
Looking forward to your feedback :)
Cheers,
Thomas
2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda(a)redhat.com>:
+1 for filesystem.
Marek
On 29/07/17 10:06, Thomas Darimont wrote:
Okay cool.
Instead of storing the password blacklist in the database, I could just
refer to a password blacklist that lives on the file system.
So Keycloak could ship with some of the lists from [0] and refer to those
with a name like "default-blacklist1000", "default-blacklist-100000" in the
BlacklistPasswordPolicy config within the admin-console.
The "default-blacklist-100000" blacklist would then be mapped and resolve to
something like
"META-INF/password-blacklist/10_million_password_list_top_100000.txt".
Users could provide their own blacklists with the provider config stored in
standalone.xml that could then be adjusted via jboss-cli.
I think this filesystem based approach is better than having to load and
store big text-blobs in the database.
Cheers,
Thomas
[0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
Using those password lists seems to be allowed according to their license:
https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
which is the Creative Commons Attribution ShareAlike 3.0 License
-> IANAL but it seems to be usable in commercial products as well
https://creativecommons.org/licenses/by-sa/3.0/
as long as the authors are mentioned.
2017-07-28 22:03 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
Yah, that sounds cool.
On 7/28/17 11:48 AM, Thomas Darimont wrote:
Hello,
I built a configurable Password Policy that allows matching a given
password against a blacklist of easy to guess passwords that should not be
allowed as user passwords.
The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
with a ";" delimited list of easy to guess passwords.
If the user or admin wants to change the password, it is checked against
the blacklist.
A password list can be found here:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
A blacklist is of course not a perfect solution but could still be useful
for some users.
The password blacklist would be compiled to a trie at startup (and on changes
of the blacklist) for efficient lookups.
WDYT?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
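Added example, not code from the Keycloak project or from the PR discussed in this thread: a stand-alone Java sketch of the design Thomas outlines (a blacklist file read from the filesystem at startup and compiled into a trie for lookups, with the ";"-delimited admin-console variant from the first draft as a second loader), combined with the fail-fast behaviour Marek asks for when the configured file does not exist. The class name `PasswordBlacklist`, the method names, and the trim-plus-lower-case normalisation before comparison are assumptions; the code is not wired into Keycloak's password policy SPI, and the sample list in `main` is constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical stand-alone sketch; not Keycloak's BlacklistPasswordPolicyProvider. */
public final class PasswordBlacklist {

    /** Minimal trie node: children keyed by character, terminal marks the end of a blacklisted entry. */
    private static final class Node {
        final Map<Character, Node> children = new HashMap<>();
        boolean terminal;
    }

    private final Node root = new Node();
    private int size;

    /**
     * Load one entry per line from a file on the filesystem.
     * A missing file raises an exception instead of silently producing an empty
     * blacklist, so the policy can never look configured while being a no-op.
     */
    public static PasswordBlacklist fromFile(Path listFile) throws IOException {
        if (!Files.isRegularFile(listFile)) {
            throw new IllegalStateException("password blacklist not found: " + listFile);
        }
        PasswordBlacklist bl = new PasswordBlacklist();
        for (String line : Files.readAllLines(listFile, StandardCharsets.UTF_8)) {
            bl.add(line);
        }
        return bl;
    }

    /** Alternative source: the ";"-delimited list typed into the admin UI in the first draft. */
    public static PasswordBlacklist fromDelimitedConfig(String config) {
        PasswordBlacklist bl = new PasswordBlacklist();
        for (String entry : config.split(";")) {
            bl.add(entry);
        }
        return bl;
    }

    private void add(String word) {
        String w = normalize(word);
        if (w.isEmpty()) {
            return; // skip blank lines in the list file
        }
        Node n = root;
        for (char c : w.toCharArray()) {
            n = n.children.computeIfAbsent(c, k -> new Node());
        }
        if (!n.terminal) {
            n.terminal = true;
            size++;
        }
    }

    /** Exact match against the trie after normalisation; walk fails as soon as a character is absent. */
    public boolean contains(String candidate) {
        Node n = root;
        for (char c : normalize(candidate).toCharArray()) {
            n = n.children.get(c);
            if (n == null) {
                return false;
            }
        }
        return n.terminal;
    }

    public int size() {
        return size;
    }

    /** Assumed normalisation: trim surrounding whitespace and compare case-insensitively. */
    private static String normalize(String s) {
        return s.trim().toLowerCase();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample list, written to a temp file so the example runs offline.
        Path tmp = Files.createTempFile("blacklist", ".txt");
        Files.write(tmp, List.of("123456", "password", "qwerty", "letmein"), StandardCharsets.UTF_8);
        PasswordBlacklist bl = PasswordBlacklist.fromFile(tmp);
        System.out.println("loaded " + bl.size() + " entries");
        System.out.println("'Password' blacklisted: " + bl.contains("Password"));
        System.out.println("'correct horse battery' blacklisted: " + bl.contains("correct horse battery"));

        // Missing file: startup must fail loudly rather than accept every password.
        try {
            PasswordBlacklist.fromFile(Paths.get("/nonexistent/default-blacklist-100000.txt"));
        } catch (IllegalStateException e) {
            System.out.println("startup error as intended: " + e.getMessage());
        }
    }
}
```

The trie gives a lookup cost bounded by the candidate's length regardless of how many entries the list holds, which is what matters for the 100k-entry SecLists files mentioned above; the file-existence check runs once at load time, so a typo in the configured list name surfaces at startup rather than at the first password change.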