Skip to content

Best practices ​

Password blacklist ​

User password must be strong to ensure they can not easily found.

But as user might not realize the weakness of their password, a good practice is to define a password policy. This is a set of rule that a password much conform with.

You might also want to forbid the use of well-known password.

This is defined through a Password blacklist.

Password blacklist
Password blacklist

Cloud-IAM provides a file named top-10000.txt that contains the 10 000 most used password.

If needed, you can upload you own set of password blacklist.

Brute force detection ​

Brute force attacks can be used try multiple passwords for a user. The idea is to guess a user’s password by chance.

Keycloak has brute force detection capabilities and can temporarily disable a user account if the number of login failures exceeds a specified threshold.

This should be configured in the Realm settings > Security defenses > Brute force detection

Brute force detection configuration
Brute force detection configuration

However, this will not prevent your Keycloak from being flooded with attacks based on leaked user / password. This type of attack try to get a session with thousands of login / password pairs on the cluster.

This is based on the fact that user might reuse their password on multiple services.

Brute force detection won't help against that because each try uses a different username which cannot be spotted by Keycloak.

However, Cloud-IAM offers mitigation of this kind of attacks via active filtering of the user requests.