Re: [keycloak-dev] Blacklist Password Policy

My vote is to throw an error if password list cannot be found on the filesystem. IMO it would be bad if admin has an impression that he just successfully configured blacklist password policy even if it doesn't work in reality. There should be rather error thrown, so admin is aware that it doesn't work. However the biggest issue with the PR is another dependency as Hynek pointed in PR and me in other thread. Marek On 03/08/17 12:28, Thomas Darimont wrote: > Hello, > > great that's just what I built :) here is the PR: > https://github.com/keycloak/keycloak/pull/4370 > > I'm not sure about the error handling if a configured password list > cannot be found on the filesystem. > https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f15... > > Looking forward to your feedback :) > > Cheers, > Thomas > > 2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda(a)redhat.com > <mailto:mposolda@redhat.com>>: > > +1 for filesystem. > > Marek > > > On 29/07/17 10:06, Thomas Darimont wrote: > > Okay cool. > > Instead of storing the password blacklist in the database I > could instead > just refer to a password > blacklist that lives on the file system. > > So Keycloak could ship with some of the lists from [0] and > refer to those > with a name like "default-blacklist1000", > "default-blacklist-100000" > in the BlacklistPasswordPolicy > config > within the admin-console. > > The "default-blacklist-100000" blacklist would then be mapped > and resolve > to > something like > "META-INF/password-blacklist/10_million_password_list_top_100000.txt". > > Users could provide their own blacklists with the provider > config stored in > standalone.xml > than could then be adjusted via jboss-cli. > > I think this filesystem based approach is better than having > to load and > store big text-blobs in the database. > > Cheers, > Thomas > > [0] > https://github.com/danielmiessler/SecLists/tree/master/Passwords > < https://github.com/danielmiessler/SecLists/tree/master/Passwords> > Using those password lists seems to be allowed according to > their license: > https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project > <https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project > > which is Creative Commons Attribution ShareAlike 3.0 License > -> IANAL but it seems to be useable in commercial products as well > https://creativecommons.org/licenses/by-sa/3.0/ > <https://creativecommons.org/licenses/by-sa/3.0/> > as long as the authors are mentioned. > > > 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke(a)redhat.com > <mailto:bburke@redhat.com>>: > > Yah, that sounds cool. > > > On 7/28/17 11:48 AM, Thomas Darimont wrote: > > Hello, > > I build a configurable Password Policy that allows to > match a given > password against > a blacklist with easy to guess passwords that should > be not allowed as > > user > > passwords. > > The 'BlacklistPasswordPolicyProvider' can be > configured via the admin UI > with a ";" delimited list of easy to guess passwords. > > If the user / or admin want's to change the password > it is checked > > against > > the blacklist. > A password list can be found here: > https://github.com/danielmiessler/SecLists/tree/master/Passwords > < https://github.com/danielmiessler/SecLists/tree/master/Passwords> > > A blacklist is of course not a perfect solution but > could still be useful > for some users. > > Password blacklist would be compiled to a trie at > startup (and on changes > of the blacklist) > for efficient lookups. > > WDYT? > > Cheers, > Thomas > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > <mailto:keycloak-dev@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-dev > <https://lists.jboss.org/mailman/listinfo/keycloak-dev> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > <mailto:keycloak-dev@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-dev > <https://lists.jboss.org/mailman/listinfo/keycloak-dev> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org <mailto: keycloak-dev(a)lists.jboss.org&gt; > https://lists.jboss.org/mailman/listinfo/keycloak-dev > <https://lists.jboss.org/mailman/listinfo/keycloak-dev> > > > > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev