[keycloak-user] Block change of new passwords for configurable number of days

Richard Lavallee rllavallee at hotmail.com
Tue Apr 19 19:45:26 EDT 2016


Added "Block change of new passwords for configurable number of days":  https://issues.jboss.org/browse/KEYCLOAK-2843
-Richard Lavallee

Date: Thu, 14 Apr 2016 12:09:43 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session policies
From: guus.der.kinderen at gmail.com
To: stian at redhat.com
CC: rllavallee at hotmail.com; keycloak-user at lists.jboss.org

JIRA issue for common password check: https://issues.jboss.org/browse/KEYCLOAK-2822
On 14 April 2016 at 08:08, Stian Thorgersen <sthorger at redhat.com> wrote:


On 13 April 2016 at 21:48, Richard Lavallee <rllavallee at hotmail.com> wrote:



I appreciate your patience, Stian, is the below list also supported by Keycloak?

> Do you want to enable password aging? Yes / No
Yes

> Select the number of days before password must be changed. 30 / 35 / 40 / 45 / 50 / 55 / 60 / 65 / 70 / 75 / 80 / 85 / 90
Yes

> Do you want to enable session timeouts? Yes / No
Yes

> Enforce password complexity rules Yes / No
Depends what the rules are ;)

> Minimum password length 0 (Disabled) / 4 / 8 / 12
Yes

> Block reuse of how many recent passwords 0 (Disabled) / 6 / 12 / 24
Yes

> Block change of new passwords for how many days? 0 (Disabled) / 15 / 30 / 45
No, you can create a JIRA for this one though

> Force change of new account passwords on first login? Yes / No
Yes

> Select amount of time before session will be terminated. 15 / 30 / 45 / 60
Yes

> Do you want to check for common passwords? Yes / No
No, we really should have this one. JIRA please

> Inactivate user after how many days of inactivity? Never / 30 / 60 / 90 / 120
Yes

> Number of failed login attempts to allow before temporary lockout 0 (Disabled) / 3 / 5
Yes

> Number of minutes to block user after failed login attempts 0 Min / 15 Min / 30 Min / 60 Min
Yes

Date: Wed, 13 Apr 2016 20:47:37 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session policies
From: sthorger at redhat.com
To: rllavallee at hotmail.com
CC: stian at redhat.com; keycloak-user at lists.jboss.org

Nope, that one is not there. You can add a jira request for it.
On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee at hotmail.com> wrote:



Is the below policy supported in Keycloak?  If not can it be done in some custom way?
You are only allowed to change your password every 30 days

Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session policies
From: sthorger at redhat.com
To: rllavallee at hotmail.com
CC: stian at redhat.com; keycloak-user at lists.jboss.org

Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee at hotmail.com> wrote:



Thanks.  But even for repetitive letters such as "aaaa" I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?

Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session policies
From: sthorger at redhat.com
To: rllavallee at hotmail.com
CC: keycloak-user at lists.jboss.org

That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee at hotmail.com> wrote:



> Password should not have consecutive letters
> Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Wouldn't the below suffice for regex?  Thus avoiding needing custom work for the short-term?

forward  = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex    = "(" + forward + "|" + backward + ")+";

Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session policies
From: sthorger at redhat.com
To: rllavallee at hotmail.com
CC: keycloak-user at lists.jboss.org



On 11 April 2016 at 20:49, Richard Lavallee <rllavallee at hotmail.com> wrote:



Does Keycloak support the following requirements?
> Password:
> Password should be changed in every 60 days (configurable)
Yes

> If user enters password wrong three times account is locked out for 15 min (configurable)
Yes

> Password chosen should not be previous 24 passwords
Yes

> Password should have a letter and a number
Yes

> Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

> Inactivity:
> Application session inactivity - default is 45 minutes (can be configured)
Yes, you can configure idle timeout for a session. Idle for a session is if there are no app logins or token refreshes

> Account inactivity - account inactivity is 30 days default (configurable)
Yes
-Richard
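
The regex approach and the minimum-age rule discussed in this thread, as an added Python example (not Keycloak code and not posted by anyone in the thread): Richard's forward/backward alternation used as a search pattern that rejects a password on any hit, the "xx | xX | Xx | XX" idea folded into one case-insensitive backreference, and a check for the "block change of new passwords for N days" rule that KEYCLOAK-2843 requests. Function names, the 8-character minimum and the sample passwords are assumptions.

```python
import re
from datetime import date, timedelta

# The alternations Richard posted: every ascending and every descending pair
# of adjacent letters. Compiled case-insensitively and used with search(), a
# single hit means the password contains a consecutive-letter run ("abc", "ZYX").
FORWARD = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz"
BACKWARD = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba"
CONSECUTIVE = re.compile("(" + FORWARD + "|" + BACKWARD + ")", re.IGNORECASE)

# The "xx | xX | Xx | XX" idea for repeated letters: a backreference under
# case-insensitive matching covers all four case combinations at once.
REPEATED = re.compile(r"([a-z])\1", re.IGNORECASE)

# "Password should have a letter and a number" from the original list.
LETTER_AND_DIGIT = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9]).+$")


def password_violations(candidate, min_length=8):
    """Return the names of the rules the candidate breaks; [] means it passes.
    The 8-character minimum is an assumed default, not a value from the thread."""
    violations = []
    if len(candidate) < min_length:
        violations.append("length")
    if not LETTER_AND_DIGIT.match(candidate):
        violations.append("letter_and_digit")
    if CONSECUTIVE.search(candidate):
        violations.append("consecutive_letters")
    if REPEATED.search(candidate):
        violations.append("repeated_letters")
    return violations


def change_allowed(last_changed, min_age_days, today=None):
    """Minimum password age, the rule Stian said Keycloak lacked (KEYCLOAK-2843):
    a password set fewer than min_age_days ago may not be changed again yet.
    Returns (allowed, days_remaining)."""
    today = today or date.today()
    earliest = last_changed + timedelta(days=min_age_days)
    if today >= earliest:
        return True, 0
    return False, (earliest - today).days


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    for pw in ["Tr0ub4dor", "abc123", "Password1", "aAbB2345"]:
        print(pw, password_violations(pw) or "ok")
    print(change_allowed(date(2016, 4, 1), 30, today=date(2016, 4, 19)))
```

The consecutive-letter rule is applied here as a deny-on-hit search; a policy engine that requires the whole password to match one configured pattern would need the same alternation inside a negative lookahead instead.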



_______________________________________________

keycloak-user mailing list

keycloak-user at lists.jboss.org

https://lists.jboss.org/mailman/listinfo/keycloak-user
