Hello,
I just stumbled upon passay [0], which is a comprehensive library for
validating passwords against rule-based policies, and wanted to share my
thoughts.
Perhaps some of the contained rules [1] might be valuable additions to the
existing password policies.
One thing I particularly like is the differentiation between positive
and negative matching rules, which makes it quite explicit and easy to
express rules.
E.g. instead of crafting a regex like "regex('^[^,&]+$')" to prohibit the
use of characters like "," and "&", one could simply write:
"illegalCharacters(',&')"
Perhaps someone could also come up with a PassayPasswordPolicy provider
which can be fed with a passay rule file (+ some Keycloak adapters to
support password history, blacklists) to validate a password.
Cheers,
Thomas
[0] http://www.passay.org/
[1] http://www.passay.org/reference/
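As an added example (not from the mail above, and not code from the Passay or Keycloak projects), here are the two formulations side by side in Passay's Java API, validated against a few constructed sample passwords; the class name, the length bounds and the sample values are assumptions made for the illustration:

```java
import java.util.Arrays;
import java.util.List;

import org.passay.AllowedRegexRule;
import org.passay.IllegalCharacterRule;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RuleResult;

public class PassayRuleComparison {

    // Negative rule: explicitly lists the characters a password must not contain.
    // Failure messages name the offending character, which is useful in UI feedback.
    static PasswordValidator illegalCharValidator() {
        return new PasswordValidator(
            new LengthRule(8, 64),
            new IllegalCharacterRule(new char[] {',', '&'}));
    }

    // Positive rule: the same policy expressed as a regex the whole password must match.
    // A failure only reports that the regex did not match, not which character broke it.
    static PasswordValidator regexValidator() {
        return new PasswordValidator(
            new LengthRule(8, 64),
            new AllowedRegexRule("^[^,&]+$"));
    }

    static void check(String label, PasswordValidator validator, String password) {
        RuleResult result = validator.validate(new PasswordData(password));
        System.out.printf("%-12s %-16s valid=%s%n", label, password, result.isValid());
        if (!result.isValid()) {
            for (String msg : validator.getMessages(result)) {
                System.out.println("    " + msg);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean, one with both forbidden characters, one too short.
        List<String> samples = Arrays.asList("correcthorse", "pass,word&more", "short");
        for (String s : samples) {
            check("illegalChar", illegalCharValidator(), s);
            check("regex", regexValidator(), s);
        }
    }
}
```

Both validators accept and reject the same inputs; the difference is in the explanation returned to the caller, which is what makes the negative rule easier to read and to surface to users.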