[keycloak-user] extra password policy, interesting?

Thomas Darimont thomas.darimont at googlemail.com
Tue Sep 5 04:01:52 EDT 2017


Would you mind giving it a try?

Looking for feedback :)

Cheers,
Thomas

2017-09-05 9:51 GMT+02:00 lists <lists at merit.unu.edu>:

> Haha super!
>
> So we were not alone with our sudden interest in that feature :-)
>
> Thanks!
>
> MJ
>
> On 5-9-2017 9:35, Thomas Darimont wrote:
>
>> Hello,
>>
>> there is already a PR for that :)
>> https://github.com/keycloak/keycloak/pull/4370
>>
>> Cheers,
>> Thomas
>>
>> 2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu <mailto:
>> lists at merit.unu.edu>>:
>>
>>     Hi,
>>
>>     Recently we were under attack by a botnet, trying out passwords for
>>     our accounts, and we learned a lot from it. :-)
>>
>>     We learned the kinds of passwords and variations that were tried, and
>>     how they were composed. Therefore, I would like to suggest an extra
>>     password policy: a list of forbidden words (like an expression
>>     blacklist).
>>
>>     We noticed that the botnet actually took often-occurring words from our
>>     website, and tried those for passwords, often adding things like: a
>>     year, or a part (subdomain or domain) of our email addresses
>>     (username at subdomain.domain.com).
>>
>>     So, now we know what passwords are tried, but we have no way of
>>     prohibiting those passwords/terms. We can only ask our users not to
>>     use those words in their passwords.
>>
>>     If we could define blacklisted words, that would help (us) a lot.
>>
>>     (and perhaps others too?)
>>
>>     MJ
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>


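The check MJ asks for, written out as an added illustration (not code from the thread, from Keycloak, or from the linked pull request, and in Python rather than Keycloak's Java password-policy SPI). It shows what a "forbidden words" policy has to handle given the attack pattern described: harvested site vocabulary, case and accent variations, common character substitutions, and a year or an e-mail domain label appended. SITE_TERMS, EMAIL_DOMAIN, the LEET table and the 4-character minimum label length are constructed assumptions for the example.

```python
"""Forbidden-word password check, modelled on the policy proposed in the thread.

Added example, not Keycloak code. Sample data below is constructed.
"""
import unicodedata

# Constructed sample data: words that appear often on the site, and the
# e-mail domain of the realm's users, as in the post's example address.
SITE_TERMS = ["merit", "research", "innovation", "graduate"]
EMAIL_DOMAIN = "subdomain.domain.com"

# Assumed substitution table: folding these lets the check catch "M3r1t"
# as well as "merit". Digits inside a year are folded too, which is harmless
# because the harvested word is still present as a substring.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def fold(text):
    """Lower-case and strip accents so that 'Mérit' compares equal to 'merit'."""
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def domain_terms(domain, min_len):
    """Split an e-mail domain into the labels a bot reuses ('subdomain',
    'domain'). Labels shorter than min_len (e.g. 'com') are dropped, since
    forbidding three-letter strings would reject far too many passwords."""
    return {label for label in fold(domain).split(".") if len(label) >= min_len}


def build_blacklist(site_terms, email_domain, min_len=4):
    """Normalised set of forbidden substrings for this realm."""
    terms = {fold(t) for t in site_terms if len(t) >= min_len}
    return terms | domain_terms(email_domain, min_len)


def find_forbidden(password, blacklist):
    """Return the forbidden term contained in the password, or None.

    Substring matching is deliberate: the bot appended years and domain parts
    to harvested words, so 'merit2017' and 'meritdomain' must both fail.
    Both the folded form and the substitution-unfolded form are checked, and
    longer terms are tried first so the most specific match is reported."""
    folded = fold(password)
    candidates = (folded, folded.translate(LEET))
    for term in sorted(blacklist, key=len, reverse=True):
        if any(term in c for c in candidates):
            return term
    return None


def is_allowed(password, blacklist):
    """Policy verdict: True when no forbidden term is found."""
    return find_forbidden(password, blacklist) is None


BLACKLIST = build_blacklist(SITE_TERMS, EMAIL_DOMAIN)

if __name__ == "__main__":
    for pw in ["Merit2017!", "subdomain99", "M3r1t", "Mérit2017",
               "correct horse battery staple"]:
        print(f"{pw!r:32} -> {find_forbidden(pw, BLACKLIST) or 'ok'}")
```

The trade-off to watch is the minimum label length: dropping short labels such as "com" keeps the policy usable, but it also means a bot guessing a short site word plus a year is not caught by this list and must be handled by a length or history policy instead.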