[keycloak-dev] Blacklist Password Policy
Bruno Oliveira
bruno at abstractj.org
Thu Aug 10 07:03:57 EDT 2017
In order to not miss this, I just created the following jiras:
https://issues.jboss.org/browse/KEYCLOAK-5275
https://issues.jboss.org/browse/KEYCLOAK-5276
On Wed, Aug 9, 2017 at 5:06 PM Bruno Oliveira <bruno at abstractj.org> wrote:
> A little bit late for the discussion, but today I was looking into this
> http://www.kitploit.com/2017/08/jwt-cracker-simple-hs256-jwt-token.html and
> wondering if it would be interesting to provide the same for client
> secrets, just to prevent weak secrets.
>
> Of course this is out of the scope for this implementation, but maybe a
> nice to have.
>
> On Thu, Aug 3, 2017 at 11:31 AM Marek Posolda <mposolda at redhat.com> wrote:
>
>> My vote is to throw an error if the password list cannot be found on the
>> filesystem. IMO it would be bad if an admin has the impression that he just
>> successfully configured the blacklist password policy even if it doesn't
>> work in reality. An error should rather be thrown, so the admin is aware
>> that it doesn't work.
>>
>> However, the biggest issue with the PR is another dependency, as Hynek
>> pointed out in the PR and I did in the other thread.
>>
>> Marek
>>
>>
>> On 03/08/17 12:28, Thomas Darimont wrote:
>> > Hello,
>> >
>> > Great, that's just what I built :) Here is the PR:
>> > https://github.com/keycloak/keycloak/pull/4370
>> >
>> > I'm not sure about the error handling if a configured password list
>> > cannot be found on the filesystem:
>> > https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78
>> >
>> > Looking forward to your feedback :)
>> >
>> > Cheers,
>> > Thomas
>> >
>> > 2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>> >
>> > +1 for filesystem.
>> >
>> > Marek
>> >
>> >
>> > On 29/07/17 10:06, Thomas Darimont wrote:
>> >
>> > Okay cool.
>> >
>> > Instead of storing the password blacklist in the database I could
>> > instead just refer to a password blacklist that lives on the file
>> > system.
>> >
>> > So Keycloak could ship with some of the lists from [0] and refer to
>> > those with a name like "default-blacklist1000", "default-blacklist-100000"
>> > in the BlacklistPasswordPolicy config within the admin-console.
>> >
>> > The "default-blacklist-100000" blacklist would then be mapped and
>> > resolve to something like
>> > "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>> >
>> > Users could provide their own blacklists with the provider config
>> > stored in standalone.xml that could then be adjusted via jboss-cli.
>> >
>> > I think this filesystem based approach is better than having to load
>> > and store big text-blobs in the database.
>> >
>> > Cheers,
>> > Thomas
>> >
>> > [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> >
>> > Using those password lists seems to be allowed according to their
>> > license: https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
>> > which is Creative Commons Attribution ShareAlike 3.0 License
>> > -> IANAL but it seems to be usable in commercial products as well
>> > https://creativecommons.org/licenses/by-sa/3.0/
>> > as long as the authors are mentioned.
>> >
>> >
>> > 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>> >
>> > Yah, that sounds cool.
>> >
>> >
>> > On 7/28/17 11:48 AM, Thomas Darimont wrote:
>> >
>> > Hello,
>> >
>> > I built a configurable Password Policy that allows matching a given
>> > password against a blacklist with easy to guess passwords that should
>> > not be allowed as user passwords.
>> >
>> > The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
>> > with a ";" delimited list of easy to guess passwords.
>> >
>> > If the user or admin wants to change the password it is checked
>> > against the blacklist.
>> >
>> > A password list can be found here:
>> > https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> >
>> > A blacklist is of course not a perfect solution but could still be
>> > useful for some users.
>> >
>> > The password blacklist would be compiled to a trie at startup (and on
>> > changes of the blacklist) for efficient lookups.
>> >
>> > WDYT?
>> >
>> > Cheers,
>> > Thomas
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
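The trie-backed blacklist lookup Thomas proposes, combined with the fail-fast handling of a missing list file that Marek asks for, as an added standalone example; this is not Keycloak code and not the implementation in the PR. The `PasswordBlacklist` class, the temp-file path and the three-entry sample list are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;

/** Trie-backed password blacklist loaded from a newline-delimited file (added example, not Keycloak code). */
public final class PasswordBlacklist {
    private static final class Node {
        final Map<Character, Node> next = new HashMap<>();
        boolean terminal; // true if a blacklisted password ends at this node
    }
    private final Node root = new Node();
    /** Fail fast: a missing list must surface as an error, not silently become a no-op policy. */
    public static PasswordBlacklist load(Path file) throws IOException {
        if (!Files.isRegularFile(file)) {
            throw new IllegalStateException("Password blacklist not found: " + file);
        }
        PasswordBlacklist bl = new PasswordBlacklist();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String pw = line.trim();
            if (pw.isEmpty()) continue;
            Node n = bl.root;
            for (char c : pw.toCharArray()) n = n.next.computeIfAbsent(c, k -> new Node());
            n.terminal = true;
        }
        return bl;
    }

    /** Exact-match lookup: cost grows with the candidate's length, not with the list size. */
    public boolean contains(String candidate) {
        Node n = root;
        for (char c : candidate.toCharArray()) {
            n = n.next.get(c);
            if (n == null) return false;
        }
        return n.terminal;
    }
    public static void main(String[] args) throws IOException {
        // Constructed three-entry list standing in for a shipped file such as a SecLists top-N list.
        Path tmp = Files.createTempFile("blacklist", ".txt");
        Files.write(tmp, "password\n123456\nqwerty\n".getBytes(StandardCharsets.UTF_8));
        PasswordBlacklist bl = PasswordBlacklist.load(tmp);
        System.out.println("123456 rejected: " + bl.contains("123456"));
        System.out.println("1234567 rejected: " + bl.contains("1234567"));
        Files.delete(tmp);
    }
}
```

Pointing `load` at a path that does not exist throws before any policy is registered, which is the behaviour the thread argues for instead of a blacklist that appears configured but checks nothing.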