Options for enforcing password policies

Russ Allbery rra at stanford.edu
Wed May 22 13:15:51 EDT 2013


Dagobert Michelsen <dam at opencsw.org> writes:
> On 22.05.2013 at 15:41, "Edgecombe, Jason" <jwedgeco at uncc.edu> wrote:

>> * passwords may not contain certain characters, like unicode or some
>> ASCII characters

> To my knowledge this is not possible, but I also don't see a reason to
> limit it.

If users try to use Unicode characters, they potentially get into Unicode
normalization problems, which can leave them unable to type their password
in the form that the Kerberos KDC expects it even if the password they're
typing looks the same on their entry device.  I don't think Kerberos has
defined a standard normalization that would affect the kpasswd /
string-to-key layer yet, although some protocols that can use Kerberos for
password verification define a normalization at a higher level.

Some control characters can create problems because they can be entered on
some devices and not on others.

In both cases, this is a user support issue.  There's no real security
issue from choosing such passwords, but the user may be unable to enter it
again later, which prompts calls to the Help Desk, help in resetting
passwords, etc.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
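An added illustration of the normalization problem Russ describes (example code, not part of his message and not anything the Kerberos project ships): two visually identical passwords in NFC and NFD form encode to different bytes and therefore derive different keys; the PBKDF2 step is modelled on the AES enctypes' string-to-key (RFC 3962) with the final DK() step omitted, the salt is a constructed realm+principal value, and the NFC pre-normalization and the policy check are hypothetical mitigations, not Kerberos behaviour.

```python
import hashlib
import unicodedata

# Constructed example: two ways to type what looks like "café" on screen.
# NFC uses the precomposed U+00E9; NFD uses "e" followed by combining U+0301.
PASSWORD_NFC = "caf\u00e9"
PASSWORD_NFD = "cafe\u0301"
# Constructed salt in the realm+principal shape used by the AES enctypes.
SALT = b"EXAMPLE.ORGuser"


def derive_key(password: str, salt: bytes = SALT, normalize: bool = False) -> bytes:
    """PBKDF2-HMAC-SHA1 step of an AES-style string-to-key (RFC 3962), simplified:
    the final DK() step is left out. When normalize=True the password is first
    converted to NFC; that is a hypothetical mitigation, not something the
    Kerberos string-to-key specifies."""
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 16)


def password_policy_problems(password: str) -> list:
    """Return the support-risk issues a kpasswd-side policy might flag:
    control characters (enterable on some devices, not on others) and text
    that is not already in NFC (may be re-typed later in another form)."""
    problems = []
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        problems.append("contains control characters")
    if unicodedata.normalize("NFC", password) != password:
        problems.append("not in Unicode NFC form")
    return problems


if __name__ == "__main__":
    # Same glyphs, different bytes, different keys unless normalized first.
    print(PASSWORD_NFC.encode("utf-8"), PASSWORD_NFD.encode("utf-8"))
    print(derive_key(PASSWORD_NFC).hex(), derive_key(PASSWORD_NFD).hex())
    print(derive_key(PASSWORD_NFC, normalize=True) == derive_key(PASSWORD_NFD, normalize=True))
    print(password_policy_problems(PASSWORD_NFD), password_policy_problems("pass\x08word"))
```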