If cpw -keepold is used, the old keys will end up in a password history entry when the password is changed again. This causes the passwords to cycle out longer than they should. Reported here: http://mailman.mit.edu/pipermail/krbdev/2014-July/012084.html