Understanding Password Policy with Keycloak and LDAP

Keycloak Password Policy

Password Policy at Realm level

Keycloak Password Policy has to be configured at realm-level.

Keycloak Password Policy Types

Kecloak provides the following Password Policies:


Policy Name Description
Expire Password The number of days for which the password is valid.
After the number of days has expired, the user is required to change their password
Hashing Iterations This value specifies the number of times a password will be hashed before it is stored or verified.
The default value is 27,500
Special Characters The number of special characters like ‘?!#%$’ required to be in the password string
Not Recently Used This policy saves a history of previous passwords.
The number of old passwords stored is configurable.
When a user changes their password they cannot use any stored passwords
Uppercase Characters The number of upper case letters required to be in the password string
Lowercase Characters The number of lower case letters required to be in the password string
Password Blacklist This policy checks if a given password is contained in a blacklist file, which is potentially a very large file.
Password blacklists are UTF-8 plain-text files with Unix line endings where every line represents a blacklisted password.
The file name of the blacklist file must be provided as the password policy value, e.g. 10_million_password_list_top_1000000.txt.
Blacklist files are resolved against ${}/password-blacklists/ by default.
This path can be customized via the keycloak.password.blacklists.path system property, or the blacklistsPath property of the passwordBlacklist policy SPI configuration
Minimum Length The minimum length of a password
Regular Expression Define one or more Perl regular expression patterns that passwords must match
Digits The number of digits required to be in the password string
Not Username When set, the password is not allowed to be the same as the username
Hashing Algorithm Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.
The only built-in and default algorithm available is PBKDF2.
See the Server Developer Guide on how to plug in your own algorithm.
Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in

Thank you for this summary:


Links & Tools