[keycloak-user] extra password policy, interesting?

Hi, Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it. :-) We learned the kinds of passwords and variations that were tried, and how they were composed. Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist) We noticed that the botnet actually took often-occuring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username(a)subdomain.domain.com) So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords. If we could define blacklisted words, that would help (us) a lot. (and perhaps others too?) MJ