keycloak-scim/docs/documentation/server_admin/topics/authentication/password-policies.adoc


[[_password-policies]]

=== Password policies

When {project_name} creates a realm, it does not associate password policies with the realm. You can set a simple password with no restrictions on its length, security, or complexity. Simple passwords are unacceptable in production environments. {project_name} has a set of password policies available through the Admin Console.

.Procedure
. Click *Authentication* in the menu.
. Click the *Policies* tab.
. Select the policy to add in the *Add policy* drop-down box.
. Enter a value that applies to the policy chosen.
. Click *Save*.
+
Password policy
image:images/password-policy.png[Password Policy]

After saving the policy, {project_name} enforces the policy for new users.

[NOTE]
====
The new policy will not be effective for existing users. Therefore, make sure that you set the password policy from the beginning of the realm creation or add "Update password" to existing users  or use "Expire password" to make sure that users update their passwords in next "N" days, which will actually adjust to new password policies.
====

==== Password policy types

===== HashAlgorithm

Passwords are not stored in cleartext. Before storage or validation, {project_name} hashes passwords using standard hashing algorithms. PBKDF2 is the only built-in and default algorithm available. See the link:{developerguide_link}[{developerguide_name}] on how to add your own hashing algorithm.

[NOTE]
====
If you change the hashing algorithm, password hashes in storage will not change until the user logs in.
====

===== Hashing iterations
Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500.

{project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering.

[NOTE]
====
A high hashing iteration value can impact performance as it requires higher CPU power.
====

===== Digits

The number of numerical digits required in the password string.

===== Lowercase characters

The number of lower case letters required in the password string.

===== Uppercase characters

The number of upper case letters required in the password string.

===== Special characters

The number of special characters required in the password string.

===== Not username

The password cannot be the same as the username.

===== Not email

The password cannot be the same as the email address of the user.

===== Regular expression

Password must match one or more defined regular expression patterns.

===== Expire password

The number of days the password is valid. When the number of days has expired, the user must change their password.

===== Not recently used

Password cannot be already used by the user. {project_name} stores a history of used passwords. The number of old passwords stored is configurable in {project_name}.

===== Password blacklist
Password must not be in a blacklist file.

* Blacklist files are UTF-8 plain-text files with Unix line endings. Every line represents a blacklisted password.
* {project_name} compares passwords in a case-insensitive manner. All passwords in the blacklist must be lowercase.
* The value of the blacklist file must be the name of the blacklist file, for example, `100k_passwords.txt`.
* Blacklist files resolve against `+${kc.home.dir}/data/password-blacklists/+` by default. Customize this path using:
** The `keycloak.password.blacklists.path` system property.
** The `blacklistsPath` property of the `passwordBlacklist` policy SPI configuration. To configure the blacklist folder using the CLI, use `--spi-password-policy-password-blacklist-blacklists-path=/path/to/blacklistsFolder`.

.A note about False Positives

The current implementation uses a BloomFilter for fast and memory efficient containment checks, such as whether a given password is contained in a blacklist, with the possibility for false positives.

* By default a false positive probability of `0.01%` is used.
* To change the false positive probability by CLI configuration, use `--spi-password-policy-password-blacklist-false-positive-probability=0.00001`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
threat 2016-05-31 22:00:59 +00:00			`[[_password-policies]]`
password policy 2016-05-17 14:28:54 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`=== Password policies`
password policy 2016-05-17 14:28:54 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`When {project_name} creates a realm, it does not associate password policies with the realm. You can set a simple password with no restrictions on its length, security, or complexity. Simple passwords are unacceptable in production environments. {project_name} has a set of password policies available through the Admin Console.`
password policy 2016-05-17 14:28:54 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`.Procedure`
			`. Click Authentication in the menu.`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click the Policies tab.`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`. Select the policy to add in the Add policy drop-down box.`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Enter a value that applies to the policy chosen.`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`. Click Save.`
			`+`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`Password policy`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/password-policy.png[Password Policy]`
password policy 2016-05-17 14:28:54 +00:00
Incorrect documentation around password policies (#19364) closes #19363 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2023-03-29 08:09:40 +00:00			`After saving the policy, {project_name} enforces the policy for new users.`
password policy 2016-05-17 14:28:54 +00:00
Incorrect documentation around password policies (#19364) closes #19363 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2023-03-29 08:09:40 +00:00			`[NOTE]`
			`====`
			`The new policy will not be effective for existing users. Therefore, make sure that you set the password policy from the beginning of the realm creation or add "Update password" to existing users or use "Expire password" to make sure that users update their passwords in next "N" days, which will actually adjust to new password policies.`
			`====`
password policy 2016-05-17 14:28:54 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`==== Password policy types`
password policy 2016-05-17 14:28:54 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`===== HashAlgorithm`
password policy 2016-05-17 14:28:54 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`Passwords are not stored in cleartext. Before storage or validation, {project_name} hashes passwords using standard hashing algorithms. PBKDF2 is the only built-in and default algorithm available. See the link:{developerguide_link}[{developerguide_name}] on how to add your own hashing algorithm.`

			`[NOTE]`
			`====`
			`If you change the hashing algorithm, password hashes in storage will not change until the user logs in.`
			`====`
password policy 2016-05-17 14:28:54 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Hashing iterations`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500.`

			`{project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering.`

			`[NOTE]`
			`====`
			`A high hashing iteration value can impact performance as it requires higher CPU power.`
			`====`

			`===== Digits`

			`The number of numerical digits required in the password string.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Lowercase characters`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The number of lower case letters required in the password string.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Uppercase characters`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The number of upper case letters required in the password string.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Special characters`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The number of special characters required in the password string.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Not username`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The password cannot be the same as the username.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Not email`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The password cannot be the same as the email address of the user.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Regular expression`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`Password must match one or more defined regular expression patterns.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Expire password`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The number of days the password is valid. When the number of days has expired, the user must change their password.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Not recently used`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`Password cannot be already used by the user. {project_name} stores a history of used passwords. The number of old passwords stored is configurable in {project_name}.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Password blacklist`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`Password must not be in a blacklist file.`

			`* Blacklist files are UTF-8 plain-text files with Unix line endings. Every line represents a blacklisted password.`
			`* {project_name} compares passwords in a case-insensitive manner. All passwords in the blacklist must be lowercase.`
Revise password blacklist documentation Closes #19279 Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Andy Munro <amunro@redhat.com> 2023-01-09 13:47:26 +00:00			* The value of the blacklist file must be the name of the blacklist file, for example, `100k_passwords.txt`.
			* Blacklist files resolve against `+${kc.home.dir}/data/password-blacklists/+` by default. Customize this path using:
			** The `keycloak.password.blacklists.path` system property.
			** The `blacklistsPath` property of the `passwordBlacklist` policy SPI configuration. To configure the blacklist folder using the CLI, use `--spi-password-policy-password-blacklist-blacklists-path=/path/to/blacklistsFolder`.

			`.A note about False Positives`

			`The current implementation uses a BloomFilter for fast and memory efficient containment checks, such as whether a given password is contained in a blacklist, with the possibility for false positives.`

			* By default a false positive probability of `0.01%` is used.
			* To change the false positive probability by CLI configuration, use `--spi-password-policy-password-blacklist-false-positive-probability=0.00001`