This is interesting, but I am not 100% sure if it's something to be
supported in Keycloak OOTB. Every built-in provider adds some
complexity, needs maintenance/refactoring etc. Maybe something to be
added to our extensions page [1]?

[1] https://www.keycloak.org/extensions.html

Marek
On 23/07/18 00:26, Chris Pitman wrote:
I personally think this is great. In many ways it covers the need for any
minimum complexity requirements, since most "obvious" passwords are in the
database if people use them. Also covers the much more common case now of
taking leaked passwords and attempting them on other sites.
On Sun, Jul 22, 2018 at 5:32 PM Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello Keycloak Team,
>
> yesterday I implemented a password policy provider [0] for Keycloak
> which checks if a given password is contained in the password breach
> database haveibeenpwned.com.
>
> The policy provider uses their range based password search API [1] which
> uses a "k-Anonymity model" [2] which allows a password to be looked up by
> partial hash.
>
> The real password is never revealed to the service, only the first few
> bytes of the SHA-1 hash are used for the search which then returns a list
> of password hashes with the given prefix.
> Those hashes are then checked by the provider to see if the actual
> password was contained in the database and how often it occurred.
>
> Do you guys think that this could be something interesting to add to
> Keycloak?
>
> Cheers,
> Thomas
>
> [0] https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-XXX-haveib...
> [1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
> [2] https://en.wikipedia.org/wiki/K-anonymity
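The range lookup Thomas describes, as an added illustration in Python rather than the Java provider from [0]: hash the password with SHA-1, send only the first five hex characters, and match the returned suffixes locally. The response body below is constructed so the example runs offline; the `fetch_range_http` fetcher and the `User-Agent` string are assumptions based on the public API in [1], not code from the thread.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Live endpoint behind [1]; only a 5-character hash prefix is ever sent to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix leaves the host; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a map; skip blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach occurrences of the password (0 if absent). The full hash is
    never transmitted: the match against the suffix happens here."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy decision: reject any password seen in the breach corpus."""
    return pwned_count(password, fetch_range) == 0


def fetch_range_http(prefix: str) -> str:
    """Fetch the live range for a prefix (assumed request shape, not from [0])."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live response to prefix 5BAA6 (SHA-1 of
# "password"); the count is made up. Real responses hold hundreds of lines.
FAKE_RANGE_BODY = ("0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                   "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
                   "malformed line without a count\r\n")


def fake_fetch(prefix: str) -> str:
    """Offline fetcher: answers only for the constructed prefix."""
    return FAKE_RANGE_BODY if prefix == "5BAA6" else ""
```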