pkinit and passwords issues

Jeffrey Altman jaltman at
Tue Feb 16 07:35:44 EST 2010

On 2/16/2010 5:20 AM, Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:
>     >> 2) There is no valid password.  In which, the password should not
>     >> be set to expire.
>     Jeffrey> Setting a random password and setting it to never expire
>     Jeffrey> results in there being a password that can be brute forced
>     Jeffrey> over a long period of time and used as a backdoor.  It
>     Jeffrey> would be much better if a property on the principal simply
>     Jeffrey> indicated "no password authentication permitted" and be
>     Jeffrey> done with it.
> Jeff, I completely agree with you that such a property would be
> desirable.  we don't currently have it.  I definitely think it would be
> a step forward.
> I'm not really convinced that the brute force concern is valid for AES,
> 3DES or RC4.  I agree it is a significant concern for DES.
> --Sam

RC4 or AES only provides additional strength against attacks that assume
all passwords are of
equal strength.  Studies by Google and others of the passwords selected
by their user base show
that the vast majority of users select passwords out of a very small
subset of the possible values.
A brute force attack using dictionaries is (in my opinion) a very real
concern regardless of the

Jeffrey Altman

More information about the krbdev mailing list