[keycloak-dev] haveibeenpwned.com password policy provider

Chris Pitman cpitman at redhat.com
Sun Jul 22 18:26:35 EDT 2018


I personally think this is great. In many ways it covers the need for any
minimum complexity requirements, since most "obvious" passwords are in the
database if people use them. Also covers the much more common case now of
taking leaked passwords and attempting them on other sites.

On Sun, Jul 22, 2018 at 5:32 PM Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello Keycloak Team,
>
> yesterday I implemented a password policy provider [0] for Keycloak which
> checks if a given password is contained in the password breach database
> haveibeenpwned.com.
>
> The policy provider uses their range based password search API [1] which
> uses a "k-Anonymity model" [2] which allows a password to be looked up by
> partial hash.
>
> The real password is never revealed to the service, only the first few bytes
> of the SHA-1 hash are used for the search which then returns a list of
> password hashes with the given prefix.
> Those hashes are then checked by the provider to see if the actual password
> was contained in the database and how often it occurred.
>
> Do you guys think that this could be something interesting to add to
> Keycloak?
>
> Cheers,
> Thomas
>
> [0]
> https://github.com/thomasdarimont/keycloak/tree/issue/KEYCLOAK-XXX-haveibeenpwned-password-policy
> [1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
> [2] https://en.wikipedia.org/wiki/K-anonymity
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


-- 
Chris Pitman
Senior Architect, Red Hat Consulting
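The range lookup that Thomas's quoted message describes, written out as an added example (Python, not Thomas's provider and not Keycloak code). The HTTPS call to the range endpoint is replaced by a caller-supplied `fetch_range` function, and the response body below is constructed for the example; only the 5-character prefix ever leaves the client, the suffix match is done locally.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the range endpoint returns for one prefix:
# one "<35-hex-char suffix>:<count>" line per hash sharing that prefix.
# The first suffix is the real remainder of SHA-1("password"); the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00000000000000000000000000000000001:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the candidate and split the upper-case hex digest into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password occurs in the breach corpus (0 if absent).
    fetch_range(prefix) stands for GET /range/{prefix}; supplied by the caller
    so the check runs offline here."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)   # the server never saw the suffix


def policy_accepts(password: str, fetch_range: Callable[[str], str],
                   max_occurrences: int = 0) -> bool:
    """Policy decision: reject any password seen more than max_occurrences times."""
    return breach_count(password, fetch_range) <= max_occurrences


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS call; only knows the sample prefix."""
    assert len(prefix) == 5, "only a 5-char hash prefix may be sent"
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
```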