Would you mind giving it a try?
Looking for feedback :)
Cheers,
Thomas
2017-09-05 9:51 GMT+02:00 lists <lists(a)merit.unu.edu>:
Haha super!
So we were not alone with our sudden interest in that feature :-)
Thanks!
MJ
On 5-9-2017 9:35, Thomas Darimont wrote:
> Hello,
>
> there is already a PR for that :)
>
> https://github.com/keycloak/keycloak/pull/4370
>
> Cheers,
> Thomas
>
> 2017-09-05 9:32 GMT+02:00 lists <lists(a)merit.unu.edu>:
>
> Hi,
>
> Recently we were under attack of a botnet, trying out passwords for our
> accounts, and we learned a lot from it. :-)
>
> We learned the kinds of passwords and variations that were tried, and
> how they were composed. Therefore, I would like to suggest an extra
> password policy: a list of forbidden words (like an expression blacklist)
>
> We noticed that the botnet actually took often-occurring words from our
> website, and tried those for passwords, often adding things like: a
> year, or a part (subdomain or domain) of our email addresses.
> (username(a)subdomain.domain.com)
>
> So, now we know what passwords are tried, but we have no way of
> prohibiting those passwords/terms. We can only ask our users not to use
> those words in their passwords.
>
> If we could define blacklisted words, that would help (us) a lot.
>
> (and perhaps others too?)
>
> MJ
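
The forbidden-word check requested in this thread, sketched as an added example; it is not part of the original messages and is not the code from the Keycloak PR. The word list, the domain and the function names are constructed assumptions.

```python
import re

# Constructed sample inputs (assumptions, not values from the thread).
SITE_WORDS = ["Institute", "Research", "Campus"]
EMAIL_DOMAINS = ["students.example.org"]

# Domain labels too generic to block on their own (assumption).
IGNORED_LABELS = {"com", "org", "net", "edu", "www"}
MIN_TERM_LEN = 4  # shorter terms would reject too many unrelated passwords


def build_blacklist(site_words, email_domains):
    """Collect lower-cased forbidden terms from site words and domain labels."""
    terms = {word.lower() for word in site_words}
    for domain in email_domains:
        for label in domain.lower().split("."):
            if label not in IGNORED_LABELS:
                terms.add(label)
    return {t for t in terms if len(t) >= MIN_TERM_LEN}


def find_forbidden_term(password, blacklist):
    """Return the first blacklisted term found in the password, else None.

    Matching is case-insensitive. A second pass drops everything except
    ASCII letters, so a term padded with a year or split by punctuation
    ('Research2017!', 'c-a-m-p-u-s99') is still found.
    """
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for term in sorted(blacklist):
        if term in lowered or term in letters_only:
            return term
    return None


if __name__ == "__main__":
    blacklist = build_blacklist(SITE_WORDS, EMAIL_DOMAINS)
    for candidate in ["Research2017!", "students.2016", "c-a-m-p-u-s99",
                      "correct horse battery staple"]:
        hit = find_forbidden_term(candidate, blacklist)
        print(f"{candidate!r}: {'rejected (' + hit + ')' if hit else 'accepted'}")
```
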