I just stumbled upon passay, which is a comprehensive library for
validating passwords against rule-based policies and wanted to share my
Perhaps some of the contained rules might be valuable additions to the
existing password policies.
One thing I particularly like is the differentiation between positive
and negative matching rules which make it quite explicit and easy to
E.g. instead of crafting a regex like "regex('^[^,&]+$')" to
use of characters like "," and "&", one could simply write:
Perhaps someone could also come up with a PassayPasswordPolicy provider
which can be fed with a passay rule file (+ some Keycloak adapters to
Password history, blacklists) to validate a password.
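
A sketch of the positive/negative rule distinction mentioned above, next to the regex from the post. This is an added example, not code from the original message or from Keycloak; it assumes Passay 1.x on the classpath, and the class name, length bounds, digit requirement and sample passwords are constructed for illustration.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.IllegalCharacterRule;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RuleResult;

public class PassayRuleDemo {
    // Regex from the post: matches only if neither ',' nor '&' appears.
    static final Pattern NO_COMMA_AMP = Pattern.compile("^[^,&]+$");

    static PasswordValidator buildValidator() {
        return new PasswordValidator(Arrays.asList(
            // Positive rules: what a password must satisfy (assumed values).
            new LengthRule(12, 64),
            new CharacterRule(EnglishCharacterData.Digit, 1),
            // Negative rule: characters a password must not contain.
            new IllegalCharacterRule(new char[] {',', '&'})));
    }

    public static void main(String[] args) {
        PasswordValidator validator = buildValidator();
        // Constructed sample passwords, not real credentials.
        String[] samples = {"correct-horse-7-battery", "salt&pepper-2024x", "short,1"};
        for (String pw : samples) {
            RuleResult result = validator.validate(new PasswordData(pw));
            // The regex yields only match/no-match; the rule set also
            // reports which rule failed, usable as user-facing feedback.
            System.out.printf("%-26s regex=%-5b passay=%-5b %s%n",
                pw, NO_COMMA_AMP.matcher(pw).matches(), result.isValid(),
                validator.getMessages(result));
        }
    }
}
```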