On Mon, Jun 26, 2017 at 8:28 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Passwords should only be rehashed if the algorithm or hashing iterations
change. They should not be re-hashed periodically and certainly not for every
login. This is a bug.
On 23 June 2017 at 15:10, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>
> The o.k.credential.PasswordCredentialProvider.isValid() method at its
> end [1] rehashes and stores the credentials upon successful
> authentication. This has benefits in that whenever the hashing algorithm
> or policy changes (e.g. number of iterations), after a login the user
> password would be stored again. If nothing changes, the password is at
> least rehashed with another salt. Actually, as the password
> policy/algorithm usually does not change too often, it also induces
> unnecessary network traffic, because a user invalidation is sent to other
> nodes in the cluster (and other DCs) after each successful login.
>
> One way to mitigate the issue is to invalidate the current encoded
> password only if the variant encoded using the same salt as the original
> password and the current password policy is different to the stored one.
> If occasional rehashing were a must, it would be possible to
> update credentials after login with a new hash only once in a given
> period of time (e.g. at most weekly; this can be determined from the
> password created date).
>
> WDYT?
>
> --Hynek
>
> [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
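The check Hynek proposes above, as an added, self-contained example; this is not Keycloak's PasswordCredentialProvider code and uses only the JDK. The Policy and StoredCredential classes, the PBKDF2WithHmacSHA256 parameters, the 16-byte salt and the weekly throttle are all assumptions made for the illustration. After a successful login the credential is re-encoded with the stored salt under the current policy and only written back (which is what would trigger a cluster invalidation) when that re-encoding differs from what is stored, or, optionally, when the stored credential is older than the throttle period.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical stand-in for a realm password policy (not a Keycloak class). */
final class Policy {
    final String algorithm;   // JCA name, e.g. "PBKDF2WithHmacSHA256"
    final int iterations;
    Policy(String algorithm, int iterations) { this.algorithm = algorithm; this.iterations = iterations; }
}

/** Hypothetical stored credential: algorithm, iterations, salt, derived key, creation time. */
final class StoredCredential {
    final String algorithm;
    final int iterations;
    final byte[] salt;
    final byte[] hash;
    final long createdMillis;
    StoredCredential(String algorithm, int iterations, byte[] salt, byte[] hash, long createdMillis) {
        this.algorithm = algorithm; this.iterations = iterations; this.salt = salt;
        this.hash = hash; this.createdMillis = createdMillis;
    }
}

public final class RehashOnLoginDemo {
    private static final int KEY_BITS = 512;                      // assumed derived-key length
    private static final long WEEK_MILLIS = 7L * 24 * 60 * 60 * 1000;

    /** PBKDF2 derivation with explicit algorithm, salt and iteration count. */
    static byte[] derive(String algorithm, char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("unsupported algorithm " + algorithm, e);
        }
    }

    /** Fresh encoding with a new random salt under the given policy. */
    static StoredCredential encode(char[] password, Policy policy, long now) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(policy.algorithm, password, salt, policy.iterations);
        return new StoredCredential(policy.algorithm, policy.iterations, salt, hash, now);
    }

    /** Constant-time comparison against the stored hash using the stored parameters. */
    static boolean verify(StoredCredential stored, char[] password) {
        byte[] candidate = derive(stored.algorithm, password, stored.salt, stored.iterations);
        return MessageDigest.isEqual(candidate, stored.hash);
    }

    /**
     * The proposed check: re-encode with the SAME salt under the CURRENT policy and
     * compare to what is stored. A differing result means algorithm or iterations
     * changed, so a rewrite is warranted. The cheap metadata comparison short-circuits
     * the second derivation when the stored parameters already match the policy.
     */
    static boolean needsRehash(StoredCredential stored, char[] password, Policy policy) {
        if (stored.algorithm.equals(policy.algorithm) && stored.iterations == policy.iterations) {
            return false;
        }
        byte[] underCurrentPolicy = derive(policy.algorithm, password, stored.salt, policy.iterations);
        return !MessageDigest.isEqual(underCurrentPolicy, stored.hash);
    }

    /** Optional throttled periodic rehash, decided from the credential's created date. */
    static boolean dueForPeriodicRehash(StoredCredential stored, long now) {
        return now - stored.createdMillis >= WEEK_MILLIS;
    }

    /** Called only after verify() succeeded; returns the credential that should be stored. */
    static StoredCredential afterSuccessfulLogin(StoredCredential stored, char[] password,
                                                 Policy policy, long now, boolean periodicRehash) {
        if (needsRehash(stored, password, policy) || (periodicRehash && dueForPeriodicRehash(stored, now))) {
            return encode(password, policy, now);   // a write: this is what fans out invalidations
        }
        return stored;                               // unchanged object: no write, no invalidation
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample password
        Policy oldPolicy = new Policy("PBKDF2WithHmacSHA256", 20000);
        Policy newPolicy = new Policy("PBKDF2WithHmacSHA256", 27500);
        long t0 = 1_498_000_000_000L;                                // constructed timestamp

        StoredCredential stored = encode(pw, oldPolicy, t0);
        System.out.println("login ok:            " + verify(stored, pw));
        System.out.println("same policy rewrite: " + (afterSuccessfulLogin(stored, pw, oldPolicy, t0 + 1000, false) != stored));
        System.out.println("new policy rewrite:  " + (afterSuccessfulLogin(stored, pw, newPolicy, t0 + 1000, false) != stored));
        System.out.println("weekly rewrite:      " + (afterSuccessfulLogin(stored, pw, oldPolicy, t0 + WEEK_MILLIS, true) != stored));
    }
}
```

Under the unchanged policy the login path returns the original object, so nothing is persisted and no invalidation leaves the node; only an iteration-count or algorithm change (or, if enabled, the weekly throttle) produces a rewrite. The metadata short-circuit relies on the stored algorithm and iteration count being trustworthy, which they are when the credential store is the only writer.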