Is there a valid case for an empty password?

Greg Hudson ghudson at
Fri Oct 12 02:10:29 EDT 2018

On 10/11/2018 11:19 PM, Weijun Wang wrote:
> We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?

RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be 
allowed" and doesn't say anything about a minimum length.

MIT krb5 had a bug where empty passwords wouldn't work via the API (but 
would work via the prompter).  We fixed it in 1.12:

The fix was prompted by Fedora bug reports such as:

Of course there is basically no security value to a key derived from an 
empty password.  But I guess there have been some use cases anyway.

More information about the krbdev mailing list