# Keycloak

# Design

# Operation



# Understanding Password Policy with Keycloak and LDAP

## Keycloak Password Policy

<span class="wikiexternallink">[https://www.keycloak.org/docs/latest/server\_admin/index.html#\_password-policies](https://www.keycloak.org/docs/latest/server_admin/index.html#_password-policies)</span>

### Password Policy at Realm level

Keycloak Password Policy has to be configured at realm-level.

### Keycloak Password Policy Types

Kecloak provides the following Password Policies:

![grafik.png](https://wiki.linuxnet.ch/bin/download/Vendors/Keycloak/Operation/Understanding%20Password%20Policy%20with%20Keycloak%20and%20LDAP/WebHome/grafik.png?width=1022&height=475&rev=1.2)

<table border="1" id="bkmrk-policy-name-descript"><tbody><tr><th scope="col">Policy Name</th><th scope="col">Description</th></tr><tr><td>Expire Password</td><td>The number of days for which the password is valid.  
After the number of days has expired, the user is required to change their password</td></tr><tr><td>Hashing Iterations</td><td>This value specifies the number of times a password will be hashed before it is stored or verified.  
The default value is 27,500</td></tr><tr><td>Special Characters</td><td>The number of special characters like ‘?!#%$’ required to be in the password string</td></tr><tr><td>Not Recently Used</td><td>This policy saves a history of previous passwords.  
The number of old passwords stored is configurable.  
When a user changes their password they cannot use any stored passwords</td></tr><tr><td>Uppercase Characters</td><td>The number of upper case letters required to be in the password string</td></tr><tr><td>Lowercase Characters</td><td>The number of lower case letters required to be in the password string</td></tr><tr><td>Password Blacklist</td><td>This policy checks if a given password is contained in a blacklist file, which is potentially a very large file.  
Password blacklists are UTF-8 plain-text files with Unix line endings where every line represents a blacklisted password.  
The file name of the blacklist file must be provided as the password policy value, e.g. *10\_million\_password\_list\_top\_1000000.txt*.  
Blacklist files are resolved against ${jboss.server.data.dir}/password-blacklists/ by default.  
This path can be customized via the keycloak.password.blacklists.path system property, or the blacklistsPath property of the passwordBlacklist policy SPI configuration</td></tr><tr><td>Minimum Length</td><td>The minimum length of a password</td></tr><tr><td>Regular Expression</td><td>Define one or more Perl regular expression patterns that passwords must match</td></tr><tr><td>Digits</td><td>The number of digits required to be in the password string</td></tr><tr><td>Not Username</td><td>When set, the password is not allowed to be the same as the username</td></tr><tr><td>Hashing Algorithm</td><td>Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.  
The only built-in and default algorithm available is PBKDF2.  
See the <span class="wikiexternallink">[Server Developer Guide](https://www.keycloak.org/docs/latest/server_development/)</span> on how to plug in your own algorithm.  
Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in</td></tr></tbody></table>

## Link

Thank you for this summary: <span class="wikiexternallink">[https://www.janua.fr/understanding-password-policy-with-keycloak-and-ldap/](https://www.janua.fr/understanding-password-policy-with-keycloak-and-ldap/)</span>

# Troubleshooting

# Links & Tools