
Advanced Password Management

Page Background: This document discusses advanced password management through Keycloak's password policies.

When Keycloak creates a realm it attaches no password policy to it, so by default there are no restrictions on the length, strength or complexity of a user's password. That is unsuitable for production. Password policies for a realm are configured through the Admin Console.

Log into the Keycloak Admin Console and select your realm:

To modify the password policies through the Admin Console, log into the Keycloak Admin Console using your Keycloak user name and password, then select the realm whose policy you want to change.

After login, click the "Authentication" menu on the left-hand side, which opens the Authentication page. Then click the "Password Policy" tab to open the policy configuration page.

Password Policy Types:

Under the "Add Policy" drop-down you can select "Hashing Iterations":

Keycloak stores passwords as iterated hashes rather than in clear text, so that an adversary who obtains the password database cannot simply read the passwords out of it. The hashing iterations policy sets how many rounds the hash function runs; the default value is 27,500, but you can change that value. A higher count makes each guess in an offline attack more expensive, at the cost of slower logins.
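The following is an added example, not Keycloak's own code or storage format, showing what the "hashing iterations" knob controls: a password is hashed with PBKDF2-HMAC-SHA256 over a random salt for a configurable number of rounds, the stored record is verified in constant time, and a small timing helper shows that the per-guess cost scales with the iteration count. The record layout and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time

DEFAULT_ITERATIONS = 27500  # the default iteration count quoted in the text above


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record for storage (example layout, not Keycloak's)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algorithm": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def time_guesses(iterations, guesses=20):
    """Average seconds per candidate password at a given iteration count.

    This is what an attacker with a stolen database pays per guess; raising the
    count raises that cost linearly (and raises legitimate login cost the same way).
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", f"guess-{i}".encode("utf-8"), salt, iterations)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    for n in (1000, DEFAULT_ITERATIONS, 4 * DEFAULT_ITERATIONS):
        print(f"{n:>7} iterations: {time_guesses(n, guesses=5) * 1000:.1f} ms per guess")
```

Run it once to see the cost of a single verification at the default count on your hardware; that number, multiplied by the size of a realistic guess list, is the margin the iteration count buys you.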

Other policy types and their uses

| Policy type | Use |
| --- | --- |
| Lowercase characters | Defines how many lowercase characters the password must contain. |
| Uppercase characters | Defines how many uppercase characters the password must contain. |
| Special characters | Defines how many special characters the password must contain. |
| Not username | Requires that the password is not the same as the username. |
| Not email | Requires that the password is not the same as the user's email address. |
| Regular expression | You enter a regular expression, and the password must match it. |
| Expire password | Defines how many days a password is valid for. Once that number of days has passed, the user must change their password. |
| Not recently used | Requires that the user has not used this password before; Keycloak keeps a history of previously used passwords to enforce this. |
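To make the policy types in the table concrete, here is an added example (not Keycloak's implementation) of a local validator that takes a policy string written in the same `name(arg) and name` shape as Keycloak's realm `passwordPolicy` value (for instance `length(8) and upperCase(1) and notUsername`) and reports which rules a candidate password violates. The policy names used, the parser, the set of "special" characters, and the plain-text history list are this example's own assumptions; Keycloak stores history as hashes, not clear text.

```python
import re
from datetime import date

# Matches one policy element: a name, optionally followed by (argument).
# Greedy ".*" keeps parentheses inside a regexPattern argument intact.
POLICY_ELEMENT = re.compile(r"(\w+)(?:\((.*)\))?")

# Characters counted as "special" for specialChars(n) in this example.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def parse_policy(policy):
    """Turn 'length(8) and upperCase(1) and notUsername' into {'length': '8', ...}.

    Elements are separated by ' and ', as in Keycloak's policy string; a regex
    argument that itself contains ' and ' is not supported by this simple splitter.
    """
    rules = {}
    for part in policy.split(" and "):
        match = POLICY_ELEMENT.fullmatch(part.strip())
        if not match:
            raise ValueError(f"unparseable policy element: {part!r}")
        rules[match.group(1)] = match.group(2)
    return rules


def _count(predicate, text):
    return sum(1 for ch in text if predicate(ch))


def check_password(password, rules, username="", email="", history=()):
    """Return the names of the rules the candidate password violates (empty list = compliant)."""
    checks = {
        "length": lambda a: len(password) >= int(a),
        "digits": lambda a: _count(str.isdigit, password) >= int(a),
        "lowerCase": lambda a: _count(str.islower, password) >= int(a),
        "upperCase": lambda a: _count(str.isupper, password) >= int(a),
        "specialChars": lambda a: _count(SPECIAL.__contains__, password) >= int(a),
        "notUsername": lambda a: password.casefold() != username.casefold(),
        "notEmail": lambda a: password.casefold() != email.casefold(),
        "regexPattern": lambda a: re.search(a, password) is not None,
        # history: the last n passwords the user set (example keeps them in clear text)
        "passwordHistory": lambda a: password not in list(history)[-int(a):],
    }
    violations = []
    for name, arg in rules.items():
        check = checks.get(name)
        if check is None:
            continue  # e.g. hashIterations or expiry: not a property of the new password itself
        if not check(arg):
            violations.append(name)
    return violations


def password_expired(last_changed, rules, today):
    """Expire password: True once the configured number of days has passed since the last change."""
    max_age = rules.get("forceExpiredPasswordChange")
    if max_age is None:
        return False
    return (today - last_changed).days >= int(max_age)


if __name__ == "__main__":
    policy = ("length(8) and upperCase(1) and digits(1) and specialChars(1) "
              "and notUsername and notEmail and passwordHistory(3) "
              "and forceExpiredPasswordChange(90)")
    rules = parse_policy(policy)
    # Constructed sample user: username, email and a short password history.
    previous = ["Summer!2023", "Autumn!2023"]
    for candidate in ("alice", "Summer!2023", "Winter!2024"):
        print(candidate, "->", check_password(candidate, rules, "alice", "alice@example.com", previous))
    print("expired:", password_expired(date(2024, 1, 1), rules, date(2024, 4, 1)))
```

The validator is useful for pre-checking passwords in a self-service or provisioning tool before they reach Keycloak, but the realm policy remains the authoritative check: Keycloak enforces it server-side on every password change regardless of what a client does.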