Hi,
Recently we were under attack of a botnet, trying out passwords for our
accounts, and we learned a lot from it. :-)
We learned the kinds of passwords and variations that were tried, and
how they were composed. Therefore, I would like to suggest an extra
password policy: a list of forbidden words (like an expression blacklist)
We noticed that the botnet actually took often-occuring words from our
website, and tried those for passwords, often adding things like: a
year, or a part (subdomain or domain) of our email addresses.
(username(a)subdomain.domain.com)
So, now we know what passwords are tried, but we have no way of
prohibiting those passwords/terms. We can only ask our users not to use
those words in their passwords.
If we could define blacklisted words, that would help (us) a lot.
(and perhaps others too?)
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user