[keycloak-dev] haveibeenpwned.com password policy provider

Thomas Darimont thomas.darimont at googlemail.com
Sun Jul 22 16:48:44 EDT 2018


Hello Keycloak Team,

yesterday I implemented a password policy provider [0] for Keycloak
which checks
if a given password is contained in the password breach database
haveibeenpwned.com.

The policy provider uses their range based password search API [1] which uses
a "k-Anonymity model" [2] which allows a password to be looked up by
partial hash.

The real password is never revealed to the service, only the first few bytes
of the SHA-1 hash is used for the search which then returns a list of
password hashes with
the given prefix.
Those hashes are then checked by the provider to see if the actual password was
contained in the database and how often it occurred.

Do you guys think that this could be something interesting to add to Keycloak?

Cheers,
Thomas

[0] https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-XXX-haveibeenpwned-password-policy
[1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
[2] https://en.wikipedia.org/wiki/K-anonymity


More information about the keycloak-dev mailing list