Password set/change error reporting

Paul W. Nelson nelson at
Fri Apr 4 13:20:46 EST 2003

Just would like to get some feedback on this idea to see if it is

Currently, the version 2 draft proposes a single error code to handle policy

>      KRB5_KPASSWD_POLICY_REJECT      8 new cleartext password fails
>                                        policy; the result string
>                                        should include a text
>                                        message to be presented to
>                                        the user.

Returning a string (current method) is OK, but makes it very difficult for
writing internationalized/localized software.  The person changing the
password might be using Japanese as their language, and the kdc/kpasswd
server might be serving a multi-lingual community.

I would like to see the version 2 draft specify extended error codes that
enumerate common reasons for a password change failing.  Here are some of
the codes I would like to see:
    a) Password too short
    b) Password not complex enough
    c) Password can't be changed yet (too soon)
    d) Password was used previously

The string is better than nothing (although the Microsoft Server 2003 never
returns one when there is a policy error), and should still be returned,
being useful when the policy error doesn't fall into a well-known type.

BTW:  What is the status of this draft?  It looks like it has expired.

Paul W. Nelson
Thursby Software Systems, Inc.
