[keycloak-user] extra password policy, interesting?

lists lists at merit.unu.edu
Tue Sep 5 03:32:11 EDT 2017


Hi,

Recently we were under attack by a botnet, trying out passwords for our 
accounts, and we learned a lot from it. :-)

We learned the kinds of passwords and variations that were tried, and 
how they were composed. Therefore, I would like to suggest an extra 
password policy: a list of forbidden words (like an expression blacklist).

We noticed that the botnet actually took often-occurring words from our 
website, and tried those for passwords, often adding things like: a 
year, or a part (subdomain or domain) of our email addresses.
(username at subdomain.domain.com)

So, now we know what passwords are tried, but we have no way of 
prohibiting those passwords/terms. We can only ask our users not to use 
those words in their passwords.

If we could define blacklisted words, that would help (us) a lot.

(and perhaps others too?)

MJ
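As an added illustration (not part of the message above and not Keycloak's own code), the check such a "forbidden words" policy would perform: reject any password that contains a site word or a label of the user's e-mail domain, even when a year is appended or letters are swapped for look-alike digits. The site word list and the e-mail address are constructed samples.

```python
import re
from typing import Iterable, Optional, Set

# Constructed sample: prominent words from the organisation's website,
# the kind of terms the post says the botnet harvested and tried.
SITE_TERMS = ["merit", "unu", "research", "innovation"]

# Generic labels that are not worth forbidding on their own.
IGNORED_LABELS = {"com", "org", "net", "edu"}

def derive_terms(site_terms: Iterable[str], email: Optional[str] = None) -> Set[str]:
    """Forbidden-term set: site words plus the local part and every
    subdomain/domain label of the user's e-mail address."""
    terms = {t.lower() for t in site_terms if len(t) >= 3}
    if email and "@" in email:
        local, _, domain = email.partition("@")
        if len(local) >= 3:
            terms.add(local.lower())
        for label in domain.lower().split("."):
            if len(label) >= 3 and label not in IGNORED_LABELS:
                terms.add(label)
    return terms

def normalize(password: str) -> str:
    """Lower-case and undo common letter/digit substitutions so that
    'R3search2017!' still reveals the underlying word 'research'."""
    table = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                           "5": "s", "7": "t", "@": "a", "$": "s"})
    return password.lower().translate(table)

def forbidden_term_in(password: str, terms: Set[str]) -> Optional[str]:
    """Return the longest forbidden term found in the password (as typed
    or after normalisation), or None if the password is clean."""
    candidates = (password.lower(), normalize(password))
    for term in sorted(terms, key=len, reverse=True):
        if any(term in c for c in candidates):
            return term
    return None

def validate(password: str, email: str, site_terms=SITE_TERMS) -> Optional[str]:
    """Policy entry point: an error message if rejected, None if accepted."""
    term = forbidden_term_in(password, derive_terms(site_terms, email))
    if term is None:
        return None
    return f"password contains the forbidden term '{term}'"

if __name__ == "__main__":
    for pw in ("Merit2017!", "subd0main99", "correct horse battery"):
        print(pw, "->", validate(pw, "mj@subdomain.merit.unu.edu"))
```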

