I would like to propose a new password policy for local user accounts: a minimum password lifespan.
The use case some customers have asked for is the ability to stop a user from changing their password several times in a row in order to get back to an old password, thereby bypassing the Not Recently Used password policy.
It would therefore be useful to implement this additional policy so that it works alongside the Not Recently Used policy.
The idea is to configure a minimum password lifespan with the following specification:
- Lifespan expressed in seconds, defaulting to 86400 (one day)
- Enable the password-history entry when this policy is enabled, in the same way the HistoryPasswordPolicy triggers the creation of a password-history entry for the user.
- Reject a password change only if the current password is not yet old enough and no password reset action has taken place
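As an added illustration of the three points above (not Keycloak code, and not part of the original proposal), the following Python model shows how a minimum-lifespan check would sit next to a password-history check: a change is rejected when the current password is younger than the configured lifespan unless it was set by a reset action, and the history entry written on every change is what both policies read. All names (`PasswordHistoryEntry`, `evaluate_password_change`, `apply_password_change`, the error strings) and the unsalted `toy_hash` are assumptions made for the example; the dates and passwords are constructed sample data.

```python
"""Model of a minimum-password-lifespan policy combined with a
password-history (Not Recently Used) policy.  Added example, not Keycloak
code; every identifier below is an assumption chosen for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DEFAULT_MIN_LIFESPAN_SECONDS = 86400  # one day, the default proposed above


@dataclass(frozen=True)
class PasswordHistoryEntry:
    password_hash: str       # toy sha256 hex; a real store keeps the full credential hash
    created_at: datetime     # when this password became the active one
    from_reset: bool = False # True when the entry was created by a reset action


def toy_hash(password: str) -> str:
    # Unsalted sha256 only so the example is self-contained; not a production password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def evaluate_password_change(history: List[PasswordHistoryEntry], new_password: str,
                             now: datetime, is_reset: bool = False,
                             min_lifespan_seconds: int = DEFAULT_MIN_LIFESPAN_SECONDS,
                             history_length: int = 3) -> Optional[str]:
    """Return None when the change is allowed, otherwise a string naming the policy that rejected it."""
    if history and not is_reset:
        current = max(history, key=lambda e: e.created_at)
        age = (now - current.created_at).total_seconds()
        # Minimum lifespan: reject only if the current password is too young
        # AND it was not itself set by a reset action.
        if not current.from_reset and age < min_lifespan_seconds:
            remaining = int(min_lifespan_seconds - age)
            return f"minimumLifespan: password can be changed again in {remaining} s"
    # Not Recently Used: the new password may not match the last `history_length` entries.
    recent = sorted(history, key=lambda e: e.created_at, reverse=True)[:history_length]
    if any(e.password_hash == toy_hash(new_password) for e in recent):
        return "passwordHistory: password was recently used"
    return None


def apply_password_change(history: List[PasswordHistoryEntry], new_password: str,
                          now: datetime, is_reset: bool = False) -> Optional[str]:
    """Evaluate the change and, if allowed, record the history entry both policies rely on."""
    error = evaluate_password_change(history, new_password, now, is_reset)
    if error is None:
        history.append(PasswordHistoryEntry(toy_hash(new_password), now, from_reset=is_reset))
    return error


def demo() -> List[Optional[str]]:
    """Walk through a constructed sequence of changes and return each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    history = [PasswordHistoryEntry(toy_hash("Winter2023!"), t0 - timedelta(days=10))]
    steps = [
        ("Spring2024!", t0, False),                        # allowed: old password is 10 days old
        ("Winter2023!", t0 + timedelta(hours=1), False),   # rejected: only 1 h since last change
        ("Temp#Reset1", t0 + timedelta(hours=1), True),    # allowed: reset action bypasses lifespan
        ("Summer2024!", t0 + timedelta(hours=2), False),   # allowed: current password came from a reset
        ("Spring2024!", t0 + timedelta(hours=3), False),   # rejected: lifespan again
        ("Spring2024!", t0 + timedelta(days=2), False),    # rejected: still in the last 3 history entries
        ("Autumn2024!", t0 + timedelta(days=2), False),    # allowed
    ]
    return [apply_password_change(history, pw, when, is_reset) for pw, when, is_reset in steps]


if __name__ == "__main__":
    for outcome in demo():
        print("allowed" if outcome is None else outcome)
```

The order of the two checks matters for the error a user sees: in the second step the old password would also fail the history check, but the lifespan policy runs first, so the user learns only that the password cannot be changed yet. A reset action skips the lifespan check and marks its history entry, which is what lets the user's next change go through immediately.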
The idea has also been proposed on the keycloak-dev Google group: https://groups.google.com/forum/#!topic/keycloak-dev/waDeZIWtCT4