Keycloak Client Passwords are insecure by default

And the maintainers refuse to change that, responding with bureaucratic measures and general ignorance.

When you have a UUID string, for example “192c1916-de80-4003-a01b-b2eaf97a1721”, first of all those aren’t 128 bits.
You have a representation of those 128 bits using a very limited set of characters, 0123456789abcdef, so you represent those 128 bits with only 16 characters out of 256 possible, effectively reducing the bit-“strength” to 128/(256/16)=8 bits. And of course you know how many characters 8 bits are: exactly 1.

So now you have 32 characters that can only have the state of [0-9a-f] each. How long does it take to brute force 32 characters with 16 possible values per character?
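As an added worked example (not part of the original post), the Python below computes the keyspace the question above asks about (32 positions, 16 values each), the expected brute-force time at an assumed guess rate, and, as a caveat a reviewer would want, the entropy actually available when those 32 hex characters come from a version-4 UUID, whose version nibble and two variant bits are fixed by the format. The guess rate and the `is_uuid4_shaped` helper are assumptions made for illustration, not anything from Keycloak.

```python
import math
import re

# Constructed for this example: the UUID quoted in the post, used as sample input.
SAMPLE_SECRET = "192c1916-de80-4003-a01b-b2eaf97a1721"

# RFC 4122 version-4 layout: third group starts with '4', fourth with one of [89ab].
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly from `alphabet_size` values.

    32 hex characters -> 32 * log2(16) = 128 bits, i.e. 16**32 candidates.
    """
    return length * math.log2(alphabet_size)


def uuid4_entropy_bits() -> int:
    """Random bits in a version-4 UUID: 128 minus the 4-bit version nibble and 2 fixed variant bits."""
    return 128 - 4 - 2


def is_uuid4_shaped(secret: str) -> bool:
    """Assumed helper: true if a client secret is exactly a lowercase version-4 UUID (hex plus dashes)."""
    return UUID4_RE.match(secret) is not None


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Average-case time to find one secret: half the keyspace at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # assumption: one trillion guesses per second, chosen only for illustration
    naive = keyspace_bits(32, 16)
    print(f"32 hex chars: {naive:.0f} bits, {16 ** 32} candidates")
    print(f"version-4 UUID actually carries {uuid4_entropy_bits()} random bits")
    print(f"sample secret is UUIDv4-shaped: {is_uuid4_shaped(SAMPLE_SECRET)}")
    for bits in (naive, uuid4_entropy_bits()):
        print(f"{bits:.0f} bits at {rate:.0e} guesses/s: "
              f"{seconds_to_years(brute_force_seconds(bits, rate)):.3e} years on average")
```

The naive count treats every hex character as independent; the version-4 figure is the tighter bound that applies when the secret really is a UUID rather than 32 arbitrary hex digits. Whether a given guess rate is realistic against a live token endpoint also depends on rate limiting and lockout, which this offline-style calculation does not model.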

Keycloak client passwords are insecure by default, and that may be because of laziness, which I first assumed; stupidity, which is quite common; or by design.

2 Replies to “Keycloak Client Passwords are insecure by default”

    1. This image doesn’t say how many distributed systems are working on this.
       Ok, their blog post says it’s 1 GPU only.
       Assume a government-funded distributed system like the NSA operates: 1000s of computers.
       How secure is a 32-length password where 1 byte can have 16 possible values? (numbers only + 6)
       Not secure at all.
       That needs to change, and that’s why I created this post, because they aren’t paying attention to it and aren’t doing anything to change that.
