[keycloak-user] extra password policy, interesting?
Thomas Darimont
thomas.darimont at googlemail.com
Tue Sep 5 03:35:31 EDT 2017
Hello,
there is already a PR for that :)
https://github.com/keycloak/keycloak/pull/4370
Cheers,
Thomas
2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu>:
> Hi,
>
> Recently we were under attack of a botnet, trying out passwords for our
> accounts, and we learned a lot from it. :-)
>
> We learned the kinds of passwords and variations that were tried, and
> how they were composed. Therefore, I would like to suggest an extra
> password policy: a list of forbidden words (like an expression blacklist)
>
> We noticed that the botnet actually took often-occuring words from our
> website, and tried those for passwords, often adding things like: a
> year, or a part (subdomain or domain) of our email addresses.
> (username at subdomain.domain.com)
>
> So, now we know what passwords are tried, but we have no way of
> prohibiting those passwords/terms. We can only ask our users not to use
> those words in their passwords.
>
> If we could define blacklisted words, that would help (us) a lot.
>
> (and perhaps others too?)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list