[keycloak-dev] Blacklist Password Policy
Bruno Oliveira
bruno at abstractj.org
Wed Aug 9 16:06:22 EDT 2017
A little bit late for the discussion, but today I was looking into this
http://www.kitploit.com/2017/08/jwt-cracker-simple-hs256-jwt-token.html and
wondering if it would be interesting to provide the same for client
secrets, just to prevent weak secrets.
Of course this is out of scope for this implementation. But maybe a
nice-to-have.
On Thu, Aug 3, 2017 at 11:31 AM Marek Posolda <mposolda at redhat.com> wrote:
> My vote is to throw an error if the password list cannot be found on the
> filesystem. IMO it would be bad if an admin had the impression that he had just
> successfully configured the blacklist password policy even though it doesn't
> work in reality. An error should rather be thrown, so the admin is aware
> that it doesn't work.
>
> However, the biggest issue with the PR is the additional dependency, as Hynek
> pointed out in the PR and I did in the other thread.
>
> Marek
>
>
> On 03/08/17 12:28, Thomas Darimont wrote:
> > Hello,
> >
> > Great, that's just what I built :) Here is the PR:
> > https://github.com/keycloak/keycloak/pull/4370
> >
> > I'm not sure about the error handling if a configured password list
> > cannot be found on the filesystem.
> >
> https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78
> >
> > Looking forward to your feedback :)
> >
> > Cheers,
> > Thomas
> >
> > 2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
> >
> > +1 for filesystem.
> >
> > Marek
> >
> >
> > On 29/07/17 10:06, Thomas Darimont wrote:
> >
> > Okay cool.
> >
> > Instead of storing the password blacklist in the database I could instead
> > just refer to a password blacklist that lives on the file system.
> >
> > So Keycloak could ship with some of the lists from [0] and refer to those
> > with a name like "default-blacklist1000", "default-blacklist-100000"
> > in the BlacklistPasswordPolicy config within the admin-console.
> >
> > The "default-blacklist-100000" blacklist would then be mapped and resolve to
> > something like
> > "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
> >
> > Users could provide their own blacklists with the provider config stored in
> > standalone.xml that could then be adjusted via jboss-cli.
> >
> > I think this filesystem-based approach is better than having to load and
> > store big text-blobs in the database.
> >
> > Cheers,
> > Thomas
> >
> > [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
> >
> > Using those password lists seems to be allowed according to their license:
> > https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
> > which is the Creative Commons Attribution ShareAlike 3.0 License
> > -> IANAL, but it seems to be usable in commercial products as well
> > https://creativecommons.org/licenses/by-sa/3.0/
> > as long as the authors are mentioned.
> >
> >
> > 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
> >
> > Yah, that sounds cool.
> >
> >
> > On 7/28/17 11:48 AM, Thomas Darimont wrote:
> >
> > Hello,
> >
> > I built a configurable Password Policy that allows matching a given
> > password against a blacklist of easy-to-guess passwords that should
> > not be allowed as user passwords.
> >
> > The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
> > with a ";"-delimited list of easy-to-guess passwords.
> >
> > If the user or admin wants to change the password, it is checked against
> > the blacklist.
> > A password list can be found here:
> > https://github.com/danielmiessler/SecLists/tree/master/Passwords
> >
> > A blacklist is of course not a perfect solution but could still be useful
> > for some users.
> >
> > The password blacklist would be compiled to a trie at startup (and on
> > changes to the blacklist) for efficient lookups.
> >
> > WDYT?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
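The thread above settles three design points: a blacklist compiled into a trie for lookups, built-in list names that resolve to bundled files while anything else is taken as an admin-supplied path, and a hard error (rather than a silently empty blacklist) when the configured file is not there. The following stand-alone Java class is an added example written for this page; it is not the code from PR 4370 and does not use the Keycloak SPI. The list file names, the base directory, the message key string and the sample entries written to a temp directory are all constructed for the demo.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Stream;

/** Trie-backed password blacklist: built once from a file, exact-match lookups afterwards. */
public final class BlacklistPasswordPolicy {

    // Trie node keyed by code point so non-ASCII entries in a list are handled as whole characters.
    private static final class Node {
        final Map<Integer, Node> children = new HashMap<>();
        boolean terminal;
    }

    private final Node root = new Node();
    private int size;

    private void add(String password) {
        Node n = root;
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            n = n.children.computeIfAbsent(cp, k -> new Node());
            i += Character.charCount(cp);
        }
        if (!n.terminal) { n.terminal = true; size++; }
    }

    /** Exact match only, as described in the thread; no case folding or substring search. */
    public boolean contains(String password) {
        Node n = root;
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            n = n.children.get(cp);
            if (n == null) return false;
            i += Character.charCount(cp);
        }
        return n.terminal;
    }

    public int size() { return size; }

    /** Built-in names map to bundled files under baseDir (assumed layout); anything else is an admin-supplied path. */
    static Path resolve(String name, Path baseDir) {
        switch (name) {
            case "default-blacklist-1000":   return baseDir.resolve("10_million_password_list_top_1000.txt");
            case "default-blacklist-100000": return baseDir.resolve("10_million_password_list_top_100000.txt");
            default:                         return Paths.get(name);
        }
    }

    /** Fail closed: a configured list that cannot be read is a configuration error, not an empty blacklist. */
    public static BlacklistPasswordPolicy load(String name, Path baseDir) {
        Path file = resolve(name, baseDir);
        if (!Files.isReadable(file)) {
            throw new IllegalStateException("password blacklist '" + name + "' not found or not readable: " + file);
        }
        BlacklistPasswordPolicy policy = new BlacklistPasswordPolicy();
        try (Stream<String> lines = Files.lines(file, StandardCharsets.UTF_8)) {
            lines.map(String::trim).filter(l -> !l.isEmpty()).forEach(policy::add);
        } catch (IOException e) {
            throw new UncheckedIOException("failed to read password blacklist " + file, e);
        }
        return policy;
    }

    /** Returns a message key (hypothetical name) for a rejected password, or null when it is acceptable. */
    public String validate(String password) {
        return contains(password) ? "invalidPasswordBlacklisted" : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample list; a real deployment would point at one of the SecLists files.
        Path dir = Files.createTempDirectory("blacklist");
        Path list = dir.resolve("10_million_password_list_top_1000.txt");
        Files.write(list, Arrays.asList("123456", "password", "qwerty", "letmein"), StandardCharsets.UTF_8);

        BlacklistPasswordPolicy policy = load("default-blacklist-1000", dir);
        System.out.println("entries: " + policy.size());
        System.out.println("'password' -> " + policy.validate("password"));
        System.out.println("'correct horse battery staple' -> " + policy.validate("correct horse battery staple"));

        try {
            load("default-blacklist-100000", dir); // file absent: must throw, not silently accept every password
        } catch (IllegalStateException e) {
            System.out.println("missing list rejected: " + e.getMessage());
        }
    }
}
```

Two things worth checking in any real implementation that this sketch makes visible: the file is read and the trie built at load time, so a rebuild is needed whenever the configured list changes (the thread's "on changes of the blacklist"), and matching is exact, so a list in lower case will not catch "Password" unless the caller normalises before the lookup.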
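Bruno's opening point is that the same weak-secret problem applies to client secrets: a token signed with HS256 under a guessable secret can be cracked offline from a single captured token, which is what the linked tool does. The following stand-alone Java class is an added example, not the kitploit tool and not Keycloak code; it mints a constructed HS256 token, then tries a small constructed candidate list against it and shows that a random 32-byte secret is not recovered while "changeme" is. The class, method and claim names are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Offline check of an HS256 token's secret against a candidate list (the "JWT cracker" idea). */
public final class Hs256SecretCheck {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** HMAC-SHA256 over the JWS signing input (base64url(header) "." base64url(payload)). */
    static byte[] sign(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** Builds a compact JWT for the demo (constructed token, not one issued by a real realm). */
    static String mint(String payloadJson, byte[] secret) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String input = header + "." + payload;
        return input + "." + B64.encodeToString(sign(input, secret));
    }

    /** Returns the first candidate that reproduces the token's signature, or null if none does. */
    static String crack(String jwt, List<String> candidates) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        String input = parts[0] + "." + parts[1];
        byte[] sig = Base64.getUrlDecoder().decode(parts[2]);   // unpadded base64url is accepted
        for (String c : candidates) {
            if (c.isEmpty()) continue;                           // SecretKeySpec rejects an empty key
            byte[] got = sign(input, c.getBytes(StandardCharsets.UTF_8));
            if (MessageDigest.isEqual(got, sig)) return c;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed candidate list standing in for a wordlist such as the SecLists files.
        List<String> weak = Arrays.asList("secret", "password", "changeme", "123456");
        String claims = "{\"sub\":\"svc\",\"azp\":\"my-client\"}";

        String weakToken = mint(claims, "changeme".getBytes(StandardCharsets.UTF_8));
        System.out.println("weak secret recovered: " + crack(weakToken, weak));

        byte[] strong = new byte[32];
        new SecureRandom().nextBytes(strong);
        String strongToken = mint(claims, strong);
        System.out.println("strong secret recovered: " + crack(strongToken, weak));
    }
}
```

The check is cheap: one HMAC per candidate, so a list of a hundred thousand entries finishes in well under a second on one core, which is exactly why a blacklist (or a minimum entropy requirement) for anything used as an HMAC key is worth having. Recovering the secret from one token lets the holder mint arbitrary tokens for that client, which is a worse outcome than a guessed user password. Whether a given Keycloak client secret is exposed this way depends on where that secret is used as an HMAC key, which the thread does not go into.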