pkinit and passwords issues

Jeffrey Altman jaltman at
Tue Feb 16 07:43:53 EST 2010

On 2/16/2010 7:35 AM, Jeffrey Altman wrote:
> RC4 or AES only provides additional strength against attacks that assume
> all passwords are of
> equal strength.  Studies by Google and others of the passwords selected
> by their user base show
> that the vast majority of users select passwords out of a very small
> subset of the possible values.
> A brute force attack using dictionaries is (in my opinion) a very real
> concern regardless of the
> enctype.
> Jeffrey Altman
[sent too soon]

Which of course is not directly applicable to this case in which
randomly generated keys are
being used provided that the keys that are generated from the commonly
used password
lists are considered weak and excluded.

Jeffrey Altman

More information about the krbdev mailing list