Re: [keycloak-dev] Blacklist Password Policy

Okay cool. Instead of storing the password blacklist in the database I could instead just refer to a password blacklist that lives on the file system. So Keycloak could ship with some of the lists from [0] and refer to those with a name like "default-blacklist1000", "default-blacklist-100000" in the BlacklistPasswordPolicy config within the admin-console. The "default-blacklist-100000" blacklist would then be mapped and resolve to something like "META-INF/password-blacklist/10_million_password_list_top_100000.txt". Users could provide their own blacklists with the provider config stored in standalone.xml than could then be adjusted via jboss-cli. I think this filesystem based approach is better than having to load and store big text-blobs in the database. Cheers, Thomas [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords Using those password lists seems to be allowed according to their license: https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project which is Creative Commons Attribution ShareAlike 3.0 License -> IANAL but it seems to be useable in commercial products as well https://creativecommons.org/licenses/by-sa/3.0/ as long as the authors are mentioned. 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke(a)redhat.com&gt;: