
Password Policies

Overview

Within the realms of your Keycloak, you can configure password policy management for your users. This native feature allows you to secure user access to the various connected applications and enforce the use of strong passwords, among other security measures.

It is recommended to implement a password security policy that is tailored to the context and security objectives of your IT system.

[Keycloak - Password Policy]

List of native password policies on Keycloak

In Keycloak you can enforce the following password policy requirements.

Password Content Restrictions

  • Password Blacklist: Prevents the use of a password that appears in a blacklist file (e.g. 1234, password).
  • Not Username: The password cannot match the username.
  • Not Email: The password cannot match the email address of the user.
  • Not Contains Username: The password cannot contain the username.
  • Not Recently Used: Prevents a recently used password from being reused.

Password Composition Requirements

  • Special Characters: The number of special characters required in the password string.
  • Uppercase Characters: The number of uppercase letters required in the password string.
  • Lowercase Characters: The number of lowercase letters required in the password string.
  • Digits: The number of numerical digits required in the password string.
  • Minimum Length: The minimum number of characters required for the password.
  • Maximum Length: The maximum number of characters allowed in the password.

Password Expiration and Reauthentication

  • Maximum Authentication Age: The maximum age of an authentication with which a password may be changed without re-authentication.
  • Expired Password: The number of days the password is valid before a new password is required.

Advanced Security Policies

  • Hashing Algorithm: Applies a hashing algorithm to passwords, so they are not stored in clear text. (argon2, pbkdf2-sha512, pbkdf2-sha256)
  • Hashing Iterations: The number of times a password is hashed before storage or verification. (default values: argon2: 5, pbkdf2-sha512: 210,000, pbkdf2-sha256: 600,000)
  • Recovery Codes Warning Threshold: Minimum number of recovery codes left before a user is warned to generate new ones.
  • Regular Expression: Requires that the password matches one or more defined Java regular expression patterns.
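Keycloak stores the policies listed above as a single string on the realm (the `passwordPolicy` attribute exposed by the Admin REST API and kcadm), in the form `length(12) and notUsername and upperCase(1) ...`. The following is an added example, not Keycloak's or Cloud-IAM's code: it builds and parses that string using Keycloak's policy ids (`length`, `maxLength`, `digits`, `lowerCase`, `upperCase`, `specialChars`, `notUsername`, `notEmail`, `notContainsUsername`, `passwordHistory`, `regexPattern`, `passwordBlacklist`) and re-implements the content and composition checks locally, so you can test candidate passwords against a policy before rolling it out to a realm. The check semantics are an approximation of the server's providers (the real server compares password history against stored hashes, and its regular expressions are Java, not Python), and the sample policy, users and passwords are constructed.

```python
import re

# Keycloak applies these values when a policy is added without an argument.
DEFAULTS = {"length": 8, "maxLength": 64, "digits": 1, "lowerCase": 1,
            "upperCase": 1, "specialChars": 1, "passwordHistory": 3}

# One item of the policy string: an id, optionally followed by (argument).
_POLICY_RE = re.compile(r"^(\w+)(?:\((.*)\))?$")

# Constructed sample policy in Keycloak's realm `passwordPolicy` format.
SAMPLE_POLICY = (
    "length(12) and maxLength(64) and digits(1) and lowerCase(1) and upperCase(1) "
    "and specialChars(1) and notUsername and notEmail and notContainsUsername "
    "and passwordHistory(3)"
)


def build_policy_string(policies):
    """Serialise an ordered mapping {policy id: argument or None} into the
    'id(arg) and id and ...' string Keycloak stores on the realm."""
    return " and ".join(pid if arg is None else f"{pid}({arg})"
                        for pid, arg in policies.items())


def parse_policy_string(policy):
    """Inverse of build_policy_string: 'length(12) and notUsername'
    -> {'length': '12', 'notUsername': None}."""
    parsed = {}
    for item in policy.split(" and "):
        item = item.strip()
        if not item:
            continue
        m = _POLICY_RE.match(item)
        if not m:
            raise ValueError(f"unparseable policy item: {item!r}")
        parsed[m.group(1)] = m.group(2)
    return parsed


def check_password(policy, password, username="", email="", history=(), blacklist=()):
    """Return the ids of the policies `password` violates (empty list = accepted).
    `policy` is a policy string or a mapping as used by build_policy_string."""
    rules = parse_policy_string(policy) if isinstance(policy, str) else policy
    violations = []
    for pid, arg in rules.items():
        # Numeric argument, falling back to Keycloak's default when omitted.
        if arg in (None, ""):
            n = DEFAULTS.get(pid)
        else:
            n = int(arg) if str(arg).isdigit() else None
        ok = True
        if pid == "length":
            ok = len(password) >= n
        elif pid == "maxLength":
            ok = len(password) <= n
        elif pid == "digits":
            ok = sum(c.isdigit() for c in password) >= n
        elif pid == "lowerCase":
            ok = sum(c.islower() for c in password) >= n
        elif pid == "upperCase":
            ok = sum(c.isupper() for c in password) >= n
        elif pid == "specialChars":
            # Keycloak counts characters that are neither letters nor digits.
            ok = sum(not c.isalnum() for c in password) >= n
        elif pid == "notUsername":
            ok = password.lower() != username.lower()
        elif pid == "notEmail":
            ok = password.lower() != email.lower()
        elif pid == "notContainsUsername":
            ok = not username or username.lower() not in password.lower()
        elif pid == "passwordHistory":
            # Plaintext stand-in for the server's comparison against stored hashes.
            ok = password not in list(history)[-n:]
        elif pid == "regexPattern":
            # Keycloak requires the whole password to match (Java matches()).
            ok = re.fullmatch(str(arg), password) is not None
        elif pid == "passwordBlacklist":
            # The server reads the list from a file; here it is passed in memory.
            ok = password.lower() not in {b.lower() for b in blacklist}
        # hashAlgorithm, hashIterations, forceExpiredPasswordChange, maxAuthAge and
        # recoveryCodesWarningThreshold are server-side settings, not content checks.
        if not ok:
            violations.append(pid)
    return violations


if __name__ == "__main__":
    for candidate in ("alice", "Alice-Has-A-Pony-2024", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(SAMPLE_POLICY, candidate,
                                              username="alice", email="alice@example.com"))
```

Running the script lists, for each constructed candidate, the policy ids it fails, which is the same information the Keycloak registration form reports to the user one rule at a time. Keep the policy mapping ordered: Keycloak evaluates the items in the order they appear in the string, and that order is what the console shows after saving.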

Use cases

CIAM

Password policies are especially valuable in customer-facing applications (CIAM), particularly in industries where security is critical. In sectors such as banking, insurance, healthcare, and e-commerce, these policies play a crucial role in protecting access to sensitive data by enforcing rules that ensure user passwords are robust and resistant to compromise.

IAM

In business-to-business (B2B) scenarios, password policies are a critical component of a company's security strategy, essential for safeguarding access to corporate systems and sensitive information.

Pros & Cons

Pros

  • Enhanced security: Implementing a password policy makes user accounts more resistant to compromise, reducing the risk of unauthorized access.

Cons

  • User experience impact: Requiring a strong password, for example, adds an extra step to account creation and login, potentially leading to user frustration and abandonment in CIAM.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

How to configure password policies on Keycloak

This tutorial offers a quick guide on configuring password policies for all users within a realm, helping you navigate Keycloak and effectively test the feature. For the tutorial we will apply the recommendations of the French Cybersecurity Agency (ANSSI).

This tutorial does not cover all the necessary security best practices for a complete configuration.

Keycloak console - Access password policy section

  1. Open your Keycloak
  2. Select your realm from the dropdown list (here: tutorial-demo)
  3. Click on Authentication (1.)
  4. Select Policies (2.)
  5. Then click on Password Policy (3.)
[Keycloak Console] - Access password policy section

Keycloak console - Configure password policies

  1. From the dropdown list select:
  • Not Recently Used
  • Maximum Length
  • Minimum Length
  • Not Username
  • Not Email
  • Not Contains Username
  • Special Characters
  • Uppercase Characters
  • Lowercase Characters
  • Digits
  2. Change the value of Minimum Length to 12 (1.)
  3. Then click on Save (2.)
[Keycloak Console] - Configure password policies

Keycloak register screen - Password Policies

During the first login or on account creation, the user must choose a password that satisfies the password policies; until every rule is met, the form cannot be submitted.

[Keycloak register screen] - Account Creation

Activate Password Blacklist on Cloud-IAM

Here are the tutorials to:

Resources