Re: [keycloak-user] extra password policy, interesting?

Hello, there is already a PR for that :) https://github.com/keycloak/keycloak/pull/4370 Cheers, Thomas 2017-09-05 9:32 GMT+02:00 lists <lists(a)merit.unu.edu <mailto:lists@merit.unu.edu>>: Hi, Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it. :-) We learned the kinds of passwords and variations that were tried, and how they were composed. Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist) We noticed that the botnet actually took often-occuring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username(a)subdomain.domain.com <mailto:username@subdomain.domain.com>) So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords. If we could define blacklisted words, that would help (us) a lot. (and perhaps others too?) MJ _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>