Failed authentication attempts, lockouts and old passwords

Kenneth MacDonald Kenneth.MacDonald at
Tue Dec 16 10:31:55 EST 2014

I've been asked if it would be possible for the MIT krb5 KDC not to
increment the failed authentication count (and presumably the time) when
one of the older passwords was used.  I know such behaviour is not

The question arose because the MS Active Directory KDC can do this.
Quoting from ...


"Password history check (N-2): Before a Windows Server 2003 operating
system increments badPwdCount, it checks the invalid password against
the password history. If the password is the same as one of the last two
entries that are in the password history, badPwdCount is not incremented
for both NTLM and the Kerberos protocol. This change to domain
controllers should reduce the number of lockouts that occur because of
user error."

I'm wondering whether the old keys stored in the database are suitable
for attempting such a dummy authentication against.



The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the Kerberos mailing list