
Understanding Password Policy with Keycloak and LDAP

Keycloak Password Policy

https://www.keycloak.org/docs/latest/server_admin/index.html#_password-policies

Password Policy at Realm level

A Keycloak password policy is configured at the realm level.

Keycloak Password Policy Types

Keycloak provides the following password policies:


Expire Password
    The number of days for which the password is valid. After that number of days has passed, the user is required to change their password.

Hashing Iterations
    The number of times a password is hashed before it is stored or verified. The default value is 27,500.

Special Characters
    The number of special characters like ‘?!#%$’ required in the password string.

Not Recently Used
    This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password, they cannot reuse any stored password.

Uppercase Characters
    The number of upper case letters required in the password string.

Lowercase Characters
    The number of lower case letters required in the password string.

Password Blacklist
    This policy checks whether a given password is contained in a blacklist file, which can be very large. Password blacklists are UTF-8 plain-text files with Unix line endings where every line represents a blacklisted password. The file name of the blacklist file must be provided as the password policy value, e.g. 10_million_password_list_top_1000000.txt. Blacklist files are resolved against ${jboss.server.data.dir}/password-blacklists/ by default. This path can be customized via the keycloak.password.blacklists.path system property, or the blacklistsPath property of the passwordBlacklist policy SPI configuration.

Minimum Length
    The minimum length of a password.

Regular Expression
    Define one or more Perl regular expression patterns that passwords must match.

Digits
    The number of digits required in the password string.

Not Username
    When set, the password is not allowed to be the same as the username.

Hashing Algorithm
    Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only built-in and default algorithm available is PBKDF2. See the Server Developer Guide on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in.
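As an added example (not code from the original page or from Keycloak), this Python script pre-checks a candidate password against a policy written in the `name(value) and name(value)` form that Keycloak stores in the realm's passwordPolicy attribute, covering the length, digit, case, special-character, regular-expression, not-username and blacklist policies from the table above. The policy values, the blacklist contents and the set of characters counted as special are assumptions for the example; the hashing and history policies act on stored credentials and are only parsed, not evaluated.

```python
import os
import re
import tempfile
# Constructed blacklist file: Keycloak expects UTF-8 text, one password per line, Unix line endings.
BLACKLIST_PATH = os.path.join(tempfile.gettempdir(), "example-password-blacklist.txt")
with open(BLACKLIST_PATH, "w", encoding="utf-8", newline="\n") as f:
    f.write("password\n123456\nqwerty\nWinter2024!\n")
# Assumed policy in the "name(value) and name(value)" form of the realm's passwordPolicy attribute.
POLICY = ("length(12) and digits(1) and upperCase(1) and lowerCase(1) and specialChars(1) "
          "and notUsername and regexPattern(^\\S+$) and passwordBlacklist(" + BLACKLIST_PATH + ")")
SPECIAL = set("?!#%$@&*()-_=+[]{};:,.<>/\\|^~`'\"")  # assumed "special" set for this example

def parse_policy(policy):
    """Split 'name(value) and name' into an ordered list of (name, value) pairs."""
    rules = []
    for term in policy.split(" and "):
        m = re.fullmatch(r"\s*(\w+)(?:\((.*)\))?\s*", term)
        if not m:
            raise ValueError("unparseable policy term: " + term)
        rules.append((m.group(1), m.group(2)))
    return rules

def check_password(password, username, policy=POLICY):
    """Return the names of the policy terms the password violates ([] means compliant)."""
    failures = []
    for name, value in parse_policy(policy):
        ok = True
        if name == "length":
            ok = len(password) >= int(value)
        elif name == "digits":
            ok = sum(c.isdigit() for c in password) >= int(value)
        elif name == "upperCase":
            ok = sum(c.isupper() for c in password) >= int(value)
        elif name == "lowerCase":
            ok = sum(c.islower() for c in password) >= int(value)
        elif name == "specialChars":
            ok = sum(c in SPECIAL for c in password) >= int(value)
        elif name == "notUsername":
            ok = password.lower() != username.lower()  # case-insensitive in this example
        elif name == "regexPattern":
            ok = re.fullmatch(value, password) is not None  # whole password must match
        elif name == "passwordBlacklist":
            with open(value, encoding="utf-8") as f:
                ok = password not in {line.rstrip("\n") for line in f}  # exact-line comparison
        # hashIterations, hashAlgorithm, passwordHistory need stored credentials: parsed, not checked
        if not ok:
            failures.append(name)
    return failures
```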

Thank you for this summary: https://www.janua.fr/understanding-password-policy-with-keycloak-and-ldap/