[keycloak-user] extra password policy, interesting?
Thomas Darimont
thomas.darimont at googlemail.com
Tue Sep 5 04:01:52 EDT 2017
Would you mind giving it a try?
Looking for feedback :)
Cheers,
Thomas
2017-09-05 9:51 GMT+02:00 lists <lists at merit.unu.edu>:
> Haha super!
>
> So we were not alone with our sudden interest in that feature :-)
>
> Thanks!
>
> MJ
>
> On 5-9-2017 9:35, Thomas Darimont wrote:
>
>> Hello,
>>
>> there is already a PR for that :)
>> https://github.com/keycloak/keycloak/pull/4370
>>
>> Cheers,
>> Thomas
>>
>> 2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu <mailto:
>> lists at merit.unu.edu>>:
>>
>> Hi,
>>
>> Recently we were under attack of a botnet, trying out passwords for
>> our
>> accounts, and we learned a lot from it. :-)
>>
>> We learned the kinds of passwords and variations that were tried, and
>> how they were composed. Therefore, I would like to suggest an extra
>> password policy: a list of forbidden words (like an expression
>> blacklist)
>>
>> We noticed that the botnet actually took often-occuring words from our
>> website, and tried those for passwords, often adding things like: a
>> year, or a part (subdomain or domain) of our email addresses.
>> (username at subdomain.domain.com <mailto:username at subdomain.domain.com
>> >)
>>
>> So, now we know what passwords are tried, but we have no way of
>> prohibiting those passwords/terms. We can only ask our users not to
>> use
>> those words in their passwords.
>>
>> If we could define blacklisted words, that would help (us) a lot.
>>
>> (and perhaps others too?)
>>
>> MJ
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>>
>>
More information about the keycloak-user
mailing list