I'm not sure about the error handling if a configured password list cannot
be found on the filesystem.
Looking forward to your feedback :)
Cheers,
Thomas
2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda(a)redhat.com>:
+1 for filesystem.
Marek
On 29/07/17 10:06, Thomas Darimont wrote:
> Okay cool.
>
> Instead of storing the password blacklist in the database I could instead
> just refer to a password blacklist that lives on the file system.
>
> So Keycloak could ship with some of the lists from [0] and refer to those
> with a name like "default-blacklist1000", "default-blacklist-100000"
> in the BlacklistPasswordPolicy config within the admin-console.
>
> The "default-blacklist-100000" blacklist would then be mapped and resolve
> to something like
> "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>
> Users could provide their own blacklists with the provider config stored
> in standalone.xml that could then be adjusted via jboss-cli.
>
> I think this filesystem based approach is better than having to load and
> store big text-blobs in the database.
>
> Cheers,
> Thomas
>
> [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
> Using those password lists seems to be allowed according to their license:
> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
> which is Creative Commons Attribution ShareAlike 3.0 License
> -> IANAL but it seems to be usable in commercial products as well
> https://creativecommons.org/licenses/by-sa/3.0/
> as long as the authors are mentioned.
>
> 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
>
>> Yah, that sounds cool.
>>
>>
>> On 7/28/17 11:48 AM, Thomas Darimont wrote:
>>
>>> Hello,
>>>
>>> I built a configurable Password Policy that allows matching a given
>>> password against a blacklist with easy to guess passwords that should
>>> not be allowed as user passwords.
>>>
>>> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
>>> with a ";" delimited list of easy to guess passwords.
>>>
>>> If the user / or admin wants to change the password it is checked
>>> against the blacklist.
>>> A password list can be found here:
>>> https://github.com/danielmiessler/SecLists/tree/master/Passwords
>>>
>>> A blacklist is of course not a perfect solution but could still be
>>> useful for some users.
>>>
>>> Password blacklist would be compiled to a trie at startup (and on
>>> changes of the blacklist) for efficient lookups.
>>>
>>> WDYT?
>>>
>>> Cheers,
>>> Thomas
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
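The design sketched in this thread (a named blacklist resolved to a file on the filesystem, compiled into a trie for lookups, and the open question of what to do when the configured list is missing) as an added, self-contained example. This is not Keycloak's code and does not use the Keycloak provider SPI; `PasswordBlacklist`, `load_policy`, the `BUNDLED`-style name mapping and the sample list written to a temporary directory are all constructed for this illustration. The missing-list case is handled by failing fast with an exception at load time, so a misconfigured policy refuses to start rather than silently accepting every password.

```python
# Added example (not Keycloak's code): a password blacklist compiled into a
# trie from a list file on the filesystem, with fail-fast handling when the
# configured list cannot be found.
from pathlib import Path
import tempfile

_END = object()  # trie marker key: a complete blacklisted password ends here


class PasswordBlacklist:
    """Forbidden passwords stored as a character trie for O(len) lookups."""

    def __init__(self):
        self._root = {}
        self.size = 0

    def add(self, password):
        node = self._root
        for ch in password:
            node = node.setdefault(ch, {})
        if _END not in node:
            node[_END] = True
            self.size += 1

    def contains(self, password):
        # Exact match only: prefixes and longer strings are not blacklisted.
        node = self._root
        for ch in password:
            node = node.get(ch)
            if node is None:
                return False
        return _END in node

    def is_allowed(self, password):
        return not self.contains(password)

    @classmethod
    def from_file(cls, path):
        # Fail closed: a configured list that does not exist is a startup error,
        # not a policy that quietly allows everything.
        p = Path(path)
        if not p.is_file():
            raise FileNotFoundError(f"password blacklist not found: {p}")
        bl = cls()
        with p.open(encoding="utf-8", errors="replace") as f:
            for line in f:
                pw = line.rstrip("\r\n")
                if pw:  # skip blank lines in the list file
                    bl.add(pw)
        return bl


def load_policy(name_or_path, bundled=None, base_dir="."):
    """Resolve a short bundled name (hypothetical mapping) or a plain path."""
    bundled = bundled or {}
    if name_or_path in bundled:
        target = Path(base_dir) / bundled[name_or_path]
    else:
        target = Path(name_or_path)  # admin-supplied path on the filesystem
    return PasswordBlacklist.from_file(target)


def demo():
    """Build a constructed list file, load it and exercise the checks."""
    tmp = Path(tempfile.mkdtemp())
    list_dir = tmp / "META-INF" / "password-blacklist"
    list_dir.mkdir(parents=True)
    # Constructed sample list (not one of the SecLists files).
    (list_dir / "demo_top_5.txt").write_text(
        "password\n123456\nqwerty\nletmein\n\nabc123\n", encoding="utf-8")
    bundled = {"default-blacklist-demo": "META-INF/password-blacklist/demo_top_5.txt"}

    policy = load_policy("default-blacklist-demo", bundled, tmp)
    results = {pw: policy.is_allowed(pw)
               for pw in ["password", "passw", "password1", "correct horse battery"]}

    # A name that is neither bundled nor an existing path must be rejected.
    try:
        load_policy("default-blacklist-missing", bundled, tmp)
        missing_rejected = False
    except FileNotFoundError:
        missing_rejected = True
    return policy.size, results, missing_rejected


if __name__ == "__main__":
    print(demo())
```

The trie keeps lookup cost proportional to the candidate password's length regardless of list size, which is what makes a 100,000-entry list cheap to consult on every password change; whether the check should also normalise case or strip whitespace is a policy decision the thread leaves open, so the example matches exactly.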