
Password Blacklist on Keycloak

Overview

Keycloak provides a built-in feature that allows administrators to enforce a password blacklist (also called a Password Deny List) using a .txt file. This mechanism ensures that certain weak, commonly used, or compromised passwords are disallowed during user registration or password updates.

By preventing the use of insecure passwords, password blacklists add an extra layer of protection to your authentication system.

Managed Keycloak Context

In Cloud-IAM managed Keycloak deployments, customers do not have direct access to the Keycloak server to manually configure custom password restrictions.
Instead, Cloud-IAM provides an integrated way to manage password blacklists directly through the Cloud-IAM Console.

Learn more by following the dedicated Password Blacklist How-to Guide.

Use Cases

IAM (Identity and Access Management)

For internal IAM scenarios, password deny lists help protect sensitive accounts—such as those belonging to administrators or employees—against weak or predictable passwords. This improves the overall security posture of your organization’s internal applications and systems.

CIAM (Customer Identity and Access Management)

For customer-facing applications, password blacklists prevent end-users from selecting already compromised or overly simple passwords. This approach:

  • Reduces the risk of account takeover,
  • Protects customer data,
  • Enhances trust by promoting secure onboarding practices, while still maintaining a smooth user experience.

Pros & Cons

Pros

  • Enhanced Security: Prevents users from choosing weak, common, or compromised passwords.
  • Compliance: Helps meet security standards and regulatory requirements (e.g., NIST, ANSSI, OWASP) that recommend avoiding common passwords.
  • Reduced Risk of Breaches: Lowers the chances of account compromise due to credential stuffing or password reuse attacks.
  • Improved User Trust: Demonstrates proactive security measures, reassuring users that their accounts are better protected.

Cons

  • User Frustration: Users may become frustrated if their chosen password is rejected, especially if the blacklist is extensive.
  • Management Overhead: Maintaining an up-to-date deny list requires monitoring for new leaks and regularly updating the blacklist.
  • Onboarding Impact: May slightly slow down the registration or password reset process if users repeatedly attempt disallowed passwords.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

How to Configure Password Blacklist on a Keycloak Realm

This step-by-step guide explains how to enable the Password Blacklist feature on your Keycloak realm. By doing so, you can define a list of disallowed passwords that users cannot use during registration or password updates.

For this tutorial, we assume that you have already uploaded your password blacklist file into your Keycloak $KC_HOME/data/password-blacklists/ folder.

This tutorial does not cover all the necessary security best practices for a complete configuration.

How to activate your list on Keycloak

  1. Login to your Keycloak as an admin
  2. Select the realm where you want to apply the password blacklist
  3. Click on Authentication
  4. Select Policies
  5. Click on Password Policy
  6. From the drop-down, select Password Blacklist
  7. Paste your list name (e.g. acme-v1.0.txt)
  8. Then click on Save

Your custom password blacklist is now active in Keycloak.
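The following is an added example, not Cloud-IAM's or Keycloak's own code. It mirrors what the file-based deny list described above does so you can sanity-check a list before uploading it to $KC_HOME/data/password-blacklists/: it loads a UTF-8 text file with one password per line, rejects candidate passwords found in it, lints the file for formatting slips that cause entries to silently never match, and builds the realm password-policy string (`passwordBlacklist(acme-v1.0.txt)`, optionally combined with other policies using ` and `) that steps 6 and 7 store. The case-insensitive comparison and the lint rules are this example's own choices, not a statement of Keycloak's exact matching behaviour; the sample lists are constructed.

```python
"""Added example (not Cloud-IAM's or Keycloak's code): deny-list loading,
checking, linting and policy-string building for a Keycloak-style blacklist."""

import os
import tempfile

# Constructed sample deny list: one password per line, UTF-8, Unix endings.
SAMPLE_BLACKLIST = "password\n123456\nqwerty\nacme2024\nletmein\n"

# Constructed "bad" list with the typical mistakes the linter reports.
BAD_BLACKLIST = "Password\r\n 123456 \nqwerty\nqwerty\n"


def write_text(content):
    """Write content to a temporary file and return its path (test helper)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(content)
    return path


def load_blacklist(path):
    """Return the set of denied passwords, stripped and lower-cased.
    Lower-casing is this example's normalisation choice (assumption)."""
    denied = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            entry = line.rstrip("\r\n").strip()
            if entry:
                denied.add(entry.lower())
    return denied


def is_denied(candidate, denied):
    """True if the candidate password matches a deny-list entry."""
    return candidate.lower() in denied


def lint_blacklist(path):
    """Report (line_number, problem) pairs for formatting slips that would make
    an entry fail to match: CRLF endings, stray whitespace, upper-case,
    duplicates. newline="" keeps the raw line endings so CRLF is visible."""
    problems = []
    seen = set()
    with open(path, encoding="utf-8", newline="") as fh:
        for lineno, raw in enumerate(fh, start=1):
            if raw.endswith("\r\n"):
                problems.append((lineno, "CRLF line ending"))
            entry = raw.rstrip("\r\n")
            if entry != entry.strip():
                problems.append((lineno, "leading/trailing whitespace"))
            if entry != entry.lower():
                problems.append((lineno, "not lower-case"))
            key = entry.strip().lower()
            if key in seen:
                problems.append((lineno, "duplicate entry"))
            seen.add(key)
    return problems


def password_policy(list_name, extra=None):
    """Build the realm passwordPolicy value saved in step 7, e.g.
    'passwordBlacklist(acme-v1.0.txt) and length(12)'."""
    parts = ["passwordBlacklist(%s)" % list_name] + list(extra or [])
    return " and ".join(parts)


if __name__ == "__main__":
    denied = load_blacklist(write_text(SAMPLE_BLACKLIST))
    for pw in ("Password", "Tr0ub4dor&3"):
        print("%-12s denied=%s" % (pw, is_denied(pw, denied)))
    for lineno, problem in lint_blacklist(write_text(BAD_BLACKLIST)):
        print("line %d: %s" % (lineno, problem))
    print(password_policy("acme-v1.0.txt", ["length(12)"]))
```

Run the linter over your real list before uploading it; an entry saved with a Windows line ending or a capital letter is the usual reason a password you expected to be rejected is still accepted.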

[Screenshot: Keycloak Console - Select your list]

Your Keycloak realm now enforces the password blacklist, helping to safeguard user accounts by rejecting weak, common, or compromised passwords at registration and password update time.

Resources