[keycloak-user] extra password policy, interesting?

lists lists at merit.unu.edu
Tue Sep 5 03:51:07 EDT 2017


Haha super!

So we were not alone with our sudden interest in that feature :-)

Thanks!

MJ

On 5-9-2017 9:35, Thomas Darimont wrote:
> Hello,
> 
> there is already a PR for that :)
> https://github.com/keycloak/keycloak/pull/4370
> 
> Cheers,
> Thomas
> 
> 2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu>:
> 
>     Hi,
> 
>     Recently we were under attack by a botnet, trying out passwords for our
>     accounts, and we learned a lot from it. :-)
> 
>     We learned the kinds of passwords and variations that were tried, and
>     how they were composed. Therefore, I would like to suggest an extra
>     password policy: a list of forbidden words (like an expression
>     blacklist)
> 
>     We noticed that the botnet actually took often-occurring words from our
>     website, and tried those for passwords, often adding things like: a
>     year, or a part (subdomain or domain) of our email addresses.
>     (username at subdomain.domain.com)
> 
>     So, now we know what passwords are tried, but we have no way of
>     prohibiting those passwords/terms. We can only ask our users not to use
>     those words in their passwords.
> 
>     If we could define blacklisted words, that would help (us) a lot.
> 
>     (and perhaps others too?)
> 
>     MJ
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
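As an added illustration (not code from this thread, and not the Keycloak pull request linked above), the check below implements the kind of policy MJ asks for: a password is rejected if, after folding case, common digit-for-letter substitutions and any appended year or symbols, it still contains a forbidden word harvested from the organisation's website or a label of the user's own email address. The word list `SITE_WORDS` and the email addresses are constructed sample values; in Keycloak such a rule would live in a custom password policy, whereas this is a stand-alone Python function so the logic can be read and run on its own.

```python
import re

# Constructed sample vocabulary: words an attacker could harvest from the
# organisation's public website (not taken from the thread).
SITE_WORDS = {"merit", "university", "maastricht", "research", "innovation"}

# Common substitutions seen in "variations" of a base word, e.g. M3r1t2017.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_TERM_LEN = 4  # ignore very short labels ("mj", "unu", "com") to limit false positives


def normalize(password):
    """Lower-case, undo leet substitutions, then keep letters only,
    so 'Merit2017!' and 'M3r1t-2017' both reduce to something containing 'merit'."""
    folded = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def email_labels(email):
    """Local part and domain labels of the user's address, minus the TLD.
    'username@subdomain.domain.com' -> {'username', 'subdomain', 'domain'}"""
    local, _, domain = email.lower().partition("@")
    labels = domain.split(".")[:-1]  # drop the top-level domain
    candidates = [local] + labels
    return {c for c in candidates if len(c) >= MIN_TERM_LEN}


def forbidden_terms(email, extra_words=SITE_WORDS):
    """Site vocabulary plus the per-user email-derived labels."""
    words = {w.lower() for w in extra_words if len(w) >= MIN_TERM_LEN}
    return words | email_labels(email)


def check_password(password, email, extra_words=SITE_WORDS):
    """Return None if the password is acceptable, else a short reason string.
    Longest terms are checked first so the reason names the most specific hit."""
    core = normalize(password)
    for term in sorted(forbidden_terms(email, extra_words), key=len, reverse=True):
        if term in core:
            return f"contains forbidden term '{term}'"
    return None


if __name__ == "__main__":
    # Sample addresses are constructed for the demonstration.
    for pw, mail in [("Merit2017!", "mj@merit.unu.edu"),
                     ("username2017", "username@subdomain.domain.com"),
                     ("Tr0ub4dor&3", "mj@merit.unu.edu")]:
        print(pw, "->", check_password(pw, mail) or "ok")
```

The substring match is deliberately coarse: it trades some false positives for catching the year-suffix and leet variants the botnet was observed trying. Tune `MIN_TERM_LEN` and the word list to the site's own vocabulary; a blacklist like this complements, rather than replaces, length and breach-list checks.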

