[19839] in Kerberos_V5_Development


Re: Is there a valid case for an empty password?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 12 02:10:43 2018

To: Weijun Wang <weijun.wang@oracle.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b66b63c4-3367-b4ee-1c32-a5b83fa44bc2@mit.edu>
Date: Fri, 12 Oct 2018 02:10:29 -0400
MIME-Version: 1.0
In-Reply-To: <28177C8B-210D-4FD2-9A1A-226D7D827591@oracle.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 10/11/2018 11:19 PM, Weijun Wang wrote:
> We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?

RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be 
allowed" and doesn't say anything about a minimum length.

MIT krb5 had a bug where empty passwords wouldn't work via the API (but 
would work via the prompter).  We fixed it in 1.12:

     http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642

The fix was prompted by Fedora bug reports such as:

     https://bugzilla.redhat.com/show_bug.cgi?id=960001

Of course there is basically no security value to a key derived from an 
empty password.  But I guess there have been some use cases anyway.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
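The point made above, that RFC 3961 places no lower bound on password length and that rejecting empty passwords is a policy decision layered on top of string-to-key, can be seen in the PBKDF2 stage of the RFC 3962 AES string-to-key function. The following is an added example, not code from the thread or from MIT krb5 or the JDK. It uses the stdlib hashlib PBKDF2, the RFC 4120 default salt (realm followed by principal components, no separators), and the RFC 3962 default iteration count; the `check_password_policy` function is a hypothetical application-layer check, and the final DK(tkey, "kerberos") step of RFC 3962 is deliberately omitted.

```python
import hashlib
from typing import Sequence

# RFC 3962 default iteration count, used when no s2kparams are supplied.
DEFAULT_ITERATIONS = 4096


def default_salt(realm: str, components: Sequence[str]) -> str:
    """RFC 4120 default salt: the realm name followed by the principal's
    name components with no separators, e.g. "ATHENA.MIT.EDUraeburn"."""
    return realm + "".join(components)


def pbkdf2_string_to_key(password: str, salt: str, key_bytes: int,
                         iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """The PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function.

    Returns the intermediate key material ("tkey" after random-to-key,
    which is the identity for AES). The final DK(tkey, "kerberos") step of
    RFC 3962 is omitted here. Any Python str, including "", is accepted,
    which matches RFC 3961's "all valid UTF-8 strings should be allowed".
    """
    return hashlib.pbkdf2_hmac("sha1",
                               password.encode("utf-8"),
                               salt.encode("utf-8"),
                               iterations,
                               key_bytes)


def check_password_policy(password: str, min_length: int = 1) -> bool:
    """Hypothetical application-layer policy check (not krb5 or JDK code).

    The derivation itself happily accepts "", so refusing empty passwords
    is a decision made above string-to-key, where the caller can report a
    clear error instead of silently deriving a key with no security value.
    """
    return len(password) >= min_length


def derive_with_policy(password: str, realm: str, components: Sequence[str],
                       key_bytes: int = 16) -> bytes:
    """Apply the policy check, then derive the key; raises on an empty password."""
    if not check_password_policy(password):
        raise ValueError("password does not satisfy length policy")
    return pbkdf2_string_to_key(password, default_salt(realm, components),
                                key_bytes)


if __name__ == "__main__":
    # RFC 3962 Appendix B, first vector: iteration count 1, passphrase
    # "password", salt "ATHENA.MIT.EDUraeburn".
    print(pbkdf2_string_to_key("password", "ATHENA.MIT.EDUraeburn", 16,
                               iterations=1).hex())
    # An empty password derives a key without error, as RFC 3961 allows
    # (constructed realm and principal, not a real test vector).
    print(pbkdf2_string_to_key("", default_salt("EXAMPLE.COM", ["user"]),
                               16).hex())
    try:
        derive_with_policy("", "EXAMPLE.COM", ["user"])
    except ValueError as e:
        print("policy rejected:", e)
```

The RFC 3962 Appendix B vector (iteration count 1) lets you confirm the PBKDF2 stage independently of the omitted DK step; the empty-password call shows that the failure the thread describes was never in the derivation itself, so any restriction has to be enforced by the caller.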
