[keycloak-dev] Blacklist Password Policy

Thomas Darimont thomas.darimont at googlemail.com
Fri Jul 28 14:52:33 EDT 2017


Hello,

just realized that I cannot store large strings as the value for the
password policy since
all password policy configurations are stored as a concatenated string in
the
password_policy column of the realm table which has a maximum capacity of
2550 characters :-/

Values look like:
"hashIterations and passwordHistory and passwordBlacklist(bubu;foo;bar;baz)"

One could change the column type to "text" which is "not limited" but I
think it would be
better to use something else for storing such values - the component_config
table perhaps?

Thoughts?

Thomas

2017-07-28 17:48 GMT+02:00 Thomas Darimont <thomas.darimont at googlemail.com>:

> Hello,
>
> I build a configurable Password Policy that allows to match a given
> password against
> a blacklist with easy to guess passwords that should be not allowed as
> user passwords.
>
> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
> with a ";" delimited list of easy to guess passwords.
>
> If the user / or admin want's to change the password it is checked against
> the blacklist.
> A password list can be found here:
> https://github.com/danielmiessler/SecLists/tree/master/Passwords
>
> A blacklist is of course not a perfect solution but could still be useful
> for some users.
>
> Password blacklist would be compiled to a trie at startup (and on changes
> of the blacklist)
> for efficient lookups.
>
> WDYT?
>
> Cheers,
> Thomas
>


More information about the keycloak-dev mailing list