[[_password-policies]]
=== Password policies
When {project_name} creates a realm, it does not associate password policies with the realm. You can set a simple password with no restrictions on its length, security, or complexity. Simple passwords are unacceptable in production environments. {project_name} has a set of password policies available through the Admin Console.
.Procedure
. Click *Authentication* in the menu.
ifeval::[{project_community}==true]
. Click the *Policies* tab.
endif::[]
ifeval::[{project_product}==true]
. Click the *Password Policy* tab.
endif::[]
. Select the policy to add in the *Add policy* drop-down box.
ifeval::[{project_community}==true]
. Enter a value that applies to the policy chosen.
endif::[]
ifeval::[{project_product}==true]
. Enter a value for the *Policy Value* corresponding with the policy chosen.
endif::[]
. Click *Save*.
+
.Password policy
image:{project_images}/password-policy.png[Password Policy]
After saving the policy, {project_name} enforces the policy for new users and sets an Update Password action for existing users to ensure they change their password the next time they log in. For example:
.Failed password policy
image:{project_images}/failed-password-policy.png[Failed Password Policy]
==== Password policy types
ifeval::[{project_community}==true]
===== HashAlgorithm
Passwords are not stored in cleartext. Before storage or validation, {project_name} hashes passwords using standard hashing algorithms. PBKDF2 is the only built-in and default algorithm available. See the link:{developerguide_link}[{developerguide_name}] on how to add your own hashing algorithm.
[NOTE]
====
If you change the hashing algorithm, password hashes in storage will not change until the user logs in.
====
endif::[]
ifeval::[{project_product}==true]
===== Hashing algorithm
Passwords are not stored in clear text. Before storage or validation, {project_name} hashes passwords using standard hashing algorithms. {project_name} supports the PBKDF2, PBKDF2-SHA256 and PBKDF2-SHA512 hashing algorithms.
endif::[]
===== Hashing iterations
Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500.
{project_name} hashes passwords so that hostile actors with access to the password database cannot recover the passwords from the stored hashes.
[NOTE]
====
A high hashing iteration value can impact performance as it requires higher CPU power.
====
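The following is an added example, not Keycloak's own code, showing why the two notes above hold together: a credential record that carries its own algorithm and iteration count verifies correctly after the realm policy changes, and the stored hash can only be upgraded at the moment the user presents the correct password. The `sha256` default, the 10,000-iteration "old" record and the `cost_seconds` helper are this example's assumptions; the 27,500 default comes from the text.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Added example (not Keycloak's own code): a minimal credential store that
# hashes with PBKDF2, keeps the algorithm and iteration count beside each
# hash, and re-hashes on a successful login when the realm policy has moved.
DEFAULT_ALGORITHM = "sha256"   # assumed default for this example
DEFAULT_ITERATIONS = 27_500    # default hashing iterations stated on the page


def hash_password(password: str, algorithm: str = DEFAULT_ALGORITHM,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a self-describing record: the parameters travel with the hash,
    so raising iterations or switching the algorithm later does not break
    verification of records written under the old setting."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)
    return {"algorithm": algorithm, "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(str(record["algorithm"]), password.encode("utf-8"),
                                 bytes.fromhex(str(record["salt"])), int(str(record["iterations"])))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


def needs_rehash(record: Dict[str, object], algorithm: str, iterations: int) -> bool:
    """True when the record was written under a weaker setting than the current policy."""
    return record["algorithm"] != algorithm or int(str(record["iterations"])) < iterations


def login(password: str, record: Dict[str, object],
          policy_algorithm: str = DEFAULT_ALGORITHM,
          policy_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Dict[str, object]]:
    """Mirror the behaviour described above: the stored hash is only upgraded
    once the user presents the correct password, because that is the only
    time the cleartext is available to re-hash. Returns (accepted, record)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, policy_algorithm, policy_iterations):
        record = hash_password(password, policy_algorithm, policy_iterations)
    return True, record


def cost_seconds(iterations: int, algorithm: str = DEFAULT_ALGORITHM) -> float:
    """Wall-clock cost of one hash at the given setting, for sizing the iteration
    count against the CPU note above (one hash per login attempt)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(algorithm, b"benchmark", b"0123456789abcdef", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Record written under an older, lower setting (constructed sample).
    stored = hash_password("correct horse battery", iterations=10_000)
    accepted, upgraded = login("correct horse battery", stored, "sha512", 27_500)
    print(accepted, upgraded["algorithm"], upgraded["iterations"])
    print(f"{DEFAULT_ITERATIONS} iterations cost {cost_seconds(DEFAULT_ITERATIONS):.3f}s per hash")
```

Running the script shows the old record verifying, then being rewritten under the new algorithm and iteration count; a failed login leaves the record untouched, which is exactly why a changed hashing policy has no effect on users who never log in again.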
===== Digits
The number of numerical digits required in the password string.
===== Lowercase characters
The number of lower case letters required in the password string.
===== Uppercase characters
The number of upper case letters required in the password string.
===== Special characters
The number of special characters required in the password string.
===== Not username
The password cannot be the same as the username.
===== Not email
The password cannot be the same as the email address of the user.
===== Regular expression
Password must match one or more defined regular expression patterns.
===== Expire password
The number of days the password is valid. When the number of days has expired, the user must change their password.
===== Not recently used
The password cannot be one the user has already used. {project_name} stores a history of used passwords; the number of old passwords kept is configurable in {project_name}.
===== Password blacklist
Password must not be in a blacklist file.
* Blacklist files are UTF-8 plain-text files with Unix line endings. Every line represents a blacklisted password.
* {project_name} compares passwords in a case-insensitive manner. All passwords in the blacklist must be lowercase.
* The policy value must be the name of the blacklist file.
* Blacklist files resolve against `${jboss.server.data.dir}/password-blacklists/` by default. Customize this path using:
** The `keycloak.password.blacklists.path` property.
** The `blacklistsPath` property of the `passwordBlacklist` policy SPI configuration.
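To make the policy types above concrete, here is an added example, not Keycloak's own code, that parses a combined policy string and reports which clauses a candidate password fails. The clause syntax (`name(value)` joined by `and`) and the clause ids (`length`, `digits`, `lowerCase`, `upperCase`, `specialChars`, `notUsername`, `notEmail`, `regexPattern`, `passwordHistory`, `passwordBlacklist`, `hashIterations`, `hashAlgorithm`) are assumed to follow the realm's `passwordPolicy` value and should be checked against your deployment; the blacklist content, the `sample.txt` file name, the plaintext password history and the whole-string regex match are this example's own simplifications.

```python
import re
from typing import List, Optional, Sequence, Set, Tuple

# Added example (not Keycloak's own code). Clause ids and the "a(1) and b"
# syntax are assumptions about the realm `passwordPolicy` string; verify them
# against your deployment before relying on them.
CLAUSE_RE = re.compile(r"\s*([A-Za-z]+)(?:\((.*)\))?\s*")

# Constructed sample blacklist file: UTF-8, Unix line endings, one lowercase
# password per line, matching the file format described above.
SAMPLE_BLACKLIST = "password\n123456\nqwerty\nletmein\n"


def parse_policy(policy: str) -> List[Tuple[str, Optional[str]]]:
    """Split "a(1) and b and c(x)" into [("a", "1"), ("b", None), ("c", "x")]."""
    clauses = []
    for clause in policy.split(" and "):
        match = CLAUSE_RE.fullmatch(clause)
        if not match:
            raise ValueError(f"unparseable policy clause: {clause!r}")
        clauses.append((match.group(1), match.group(2)))
    return clauses


def load_blacklist(text: str) -> Set[str]:
    """Read a blacklist as the page specifies: one password per line, compared lowercase."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def validate(password: str, policy: str, username: str = "", email: str = "",
             history: Sequence[str] = (), blacklist: Set[str] = frozenset()) -> List[str]:
    """Return the ids of every clause the password fails (empty list = accepted).
    `history` is most-recent-first; a real store would hold hashes, not cleartext."""
    failures = []
    for name, value in parse_policy(policy):
        if name == "length":
            bad = len(password) < int(value)
        elif name == "digits":
            bad = sum(c.isdigit() for c in password) < int(value)
        elif name == "lowerCase":
            bad = sum(c.islower() for c in password) < int(value)
        elif name == "upperCase":
            bad = sum(c.isupper() for c in password) < int(value)
        elif name == "specialChars":
            # Anything that is neither a letter nor a digit counts as special (assumption).
            bad = sum(not c.isalnum() for c in password) < int(value)
        elif name == "notUsername":
            bad = password.lower() == username.lower()   # case-insensitive by choice here
        elif name == "notEmail":
            bad = password.lower() == email.lower()
        elif name == "regexPattern":
            bad = re.fullmatch(value, password) is None   # whole-string match assumed
        elif name == "passwordHistory":
            bad = password in history[: int(value)]        # only the last N are remembered
        elif name == "passwordBlacklist":
            bad = password.lower() in blacklist            # value names the file; loaded separately
        elif name in ("hashIterations", "hashAlgorithm"):
            bad = False   # storage parameters, not a check on the submitted password
        else:
            raise ValueError(f"unknown policy clause: {name}")
        if bad:
            failures.append(name)
    return failures


if __name__ == "__main__":
    # Constructed policy; "sample.txt" stands in for a real blacklist file name.
    policy = ("length(12) and digits(1) and upperCase(1) and specialChars(1) and notUsername "
              "and notEmail and passwordHistory(3) and passwordBlacklist(sample.txt) "
              "and hashIterations(27500)")
    blacklist = load_blacklist(SAMPLE_BLACKLIST)
    for candidate in ("password", "Tr0ub4dor&3xtra"):
        result = validate(candidate, policy, "alice", "alice@example.com", ["old-1", "old-2"], blacklist)
        print(f"{candidate!r} -> {result or 'accepted'}")
```

Because every clause is evaluated rather than stopping at the first failure, the returned list doubles as the feedback a user would see on the failed-policy screen shown earlier, and the `hashIterations` and `hashAlgorithm` clauses pass through untouched since they configure storage rather than constrain the submitted value.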