Each new realm created has no password policies associated with it. This means users can have as short, as long, as complex, as insecure a password as they want. This is great for development or if you are just learning and playing around with Keycloak, but pretty much unacceptable in production environment. Keycloak has a rich set of password policies you can enable through the Admin Console.
Click on the
Authentication left menu item and go to the
Password Policy tab. Choose the policy you want to add in the
right side drop down list box. This will add the policy in the table on the screen. Choose the parameters for the policy.
Save button to store your changes.
After saving your policy, user registration and the Update Password required action will enforce your new policy. Here’s what it would look like if the user failed the policy check:
Unfortunately, users are not required to update their password if the password policy changes and there is no nice way of triggering an Update Password required action other than setting it manually for every user. This is scheduled as a future enhancement.
Password Policy Types
Here’s an explanation of each policy type:
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only built-in and default algorithm available is PBKDF2. See the Server Developer Guide on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in.
- Hashing Iterations
This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 20,000. This hashing is done in the rare case that a hacker gets access to your password database. Once they have the database they can reverse engineer user passwords. The industry recommended value for this parameter changes every year as CPU power improves. The current recommended value is 20,000. Yes, 20,000 iterations! This is a very intensive CPU operation and with this high of a setting your servers are going to be spending most of their CPU power on hashing. You’ll have to weigh what is more important to you. Performance or protecting your passwords stores. There may be more cost effective ways of protecting your password stores.
How many digits are required to be in the password string?
- Lowercase Characters
How many lower case letters are required to be in the password string?
- Uppercase Characters
How many upper case letters are required to be in the password string?
- Special Characters
How many special characters like '?!#%$' are required to be in the password string?
- Not Username
When set, password is not allowed to be the same as the username.
- Regular Expression
Define a Perl regular expression pattern that passwords must match.
- Expire Password
How many days is a password valid for? After the number of days has expired, the user will be required to change their password.
- Not Recently Used
This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password they will not be able to re-use any password stored in history.