About security


Nurlan Məmmədov

Oct 23, 2022, 11:10:25 AM10/23/22
to Keycloak User
Hi,

I want to use Keycloak to store the credentials. An article on the internet confused me. What do you think about it? 


Best regards,

Nurlan Mammadov

Michael Ströder

Oct 23, 2022, 12:29:19 PM10/23/22
to Keycloak User
On 10/23/22 17:10, Nurlan Məmmədov wrote:
> I want to use Keycloak to store the credentials. An article on the
> internet confused me. What do you think about it?
>
> https://systemweakness.com/cracking-user-passwords-stored-in-keycloak-with-hashcat-d56522cc2dc

This topic is complicated. And it's an on-going effort to keep up with
increasing CPU power available for attackers.

Are you asking because of certain regulations relevant for your deployment?

Just focusing on password hashing you have to
- choose decent algorithms and
- select hard parameters (depending on the algorithm)

As the article above says Keycloak uses PBKDF2-SHA256 with certain
number of iterations. This algorithm is not bad but if you have concerns
you could e.g. choose a higher number of iterations.

There's also ARGON2 recommended as the strongest algorithm nowadays:

https://en.wikipedia.org/wiki/Argon2

But choosing ARGON2 parameters is somewhat tricky. Basically you're
trading performance for more security. I vaguely remember having seen a
3rd-party module for using ARGON2 in Keycloak.

But look again at the article you've cited: The biggest problem is that
so many users choose bad passwords. So you want to try to enforce stronger
passwords or, even better, enforce using 2FA.

Ciao, Michael.
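The trade-off Michael describes (more iterations cost you login latency but cost an offline attacker the same factor per guess) is easiest to reason about with numbers from your own hardware. The following is an added example, not Keycloak's code and not the credential format Keycloak stores: it hashes with PBKDF2-SHA256 at a chosen iteration count, verifies with a constant-time compare, flags records that fall below a policy minimum, and measures how long one hash takes so an iteration count can be picked against a latency budget. The record layout, the 16-byte salt, the 64-byte derived key and the iteration counts used in the demo are illustrative assumptions.

```python
"""Added example (not Keycloak's own code): tunable PBKDF2-SHA256 hashing,
verification, rehash policy check and a cost measurement helper.
Record layout and parameters are assumptions for this illustration."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this example (not read from any Keycloak configuration).
DK_LEN = 64    # derived key length in bytes
SALT_LEN = 16  # random salt length in bytes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    This layout is an assumption for the example, not Keycloak's storage format."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return f"pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int) -> bool:
    """True when a stored record uses fewer iterations than the current policy requires.
    Old records can only be upgraded at the next successful login, when the plaintext is present."""
    return int(record.split("$")[1]) < min_iterations


def measure_hash_ms(iterations: int, samples: int = 3) -> float:
    """Median wall-clock cost in milliseconds of one PBKDF2 run at this iteration count."""
    salt = b"\x00" * SALT_LEN  # fixed salt: cost does not depend on the salt value
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark-only", salt, iterations, dklen=DK_LEN)
        timings.append((time.perf_counter() - t0) * 1000.0)
    timings.sort()
    return timings[len(timings) // 2]


def iterations_for_budget(target_ms: float, start: int = 10_000, ceiling: int = 10_000_000) -> int:
    """Largest doubling of `start` whose median cost on this machine stays within target_ms.
    Never returns less than `start`, so the policy floor is kept even on slow hardware."""
    best = start
    n = start
    while n <= ceiling and measure_hash_ms(n) <= target_ms:
        best = n
        n *= 2
    return best


if __name__ == "__main__":
    # Example values only; pick your own policy floor and latency budget.
    rec = hash_password("correct horse battery staple", 100_000)
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    print("needs rehash under a 200k policy:", needs_rehash(rec, 200_000))
    print("iterations fitting a 250 ms budget here:", iterations_for_budget(250.0))
```

Run `iterations_for_budget` on the hardware that will actually serve logins, not on a laptop, and revisit the result periodically, which is the "on-going effort" the message refers to. Raising the count does nothing for users whose passwords are already weak; it only multiplies the attacker's cost per guess by the same factor it multiplies yours.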

Niko Köbler

Oct 26, 2022, 4:38:47 PM10/26/22
to Keycloak User
Michael Ströder wrote on Sunday, 23 October 2022 at 18:29:19 UTC+2:
> But choosing ARGON2 parameters is somewhat tricky. Basically you're
> trading performance for more security. I vaguely remember having seen a
> 3rd-party module for using ARGON2 in Keycloak.

I recently tested https://github.com/dreezey/argon2-password-hash-provider and it worked pretty well.

- Niko 

Michael Ströder

Oct 27, 2022, 5:23:46 PM10/27/22
to Keycloak User