Is there a valid case for an empty password?
Greg Hudson <ghudson at mit.edu>
Fri Oct 12 02:10:29 EDT 2018

On 10/11/2018 11:19 PM, Weijun Wang wrote:
> We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?
RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be 
allowed" and doesn't say anything about a minimum length.
MIT krb5 had a bug where empty passwords wouldn't work via the API (but 
would work via the prompter).  We fixed it in 1.12:
     http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642
The fix was prompted by Fedora bug reports such as:
     https://bugzilla.redhat.com/show_bug.cgi?id=960001
Of course there is basically no security value to a key derived from an 
empty password.  But I guess there have been some use cases anyway.
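The point above, that string-to-key accepts the empty string but the resulting key is worthless, is easy to see by running the derivation. The following is an added example, not code from this thread, from MIT krb5 or from the JDK: it implements RFC 3962 string-to-key for aes128-cts-hmac-sha1-96 (PBKDF2-HMAC-SHA1, then DK with the RFC 3961 n-fold of "kerberos"), checks itself against the iteration-count-1 vector from RFC 3962 Appendix B, derives a key from "" with a constructed salt "EXAMPLE.COMuser" and the RFC 3962 default iteration count of 4096, and then shows the kind of caller-side policy check (the hypothetical deriveWithPolicy) that a library such as the JDK would have to add if it wants to refuse empty passwords, since the derivation itself has no minimum length.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// pbkdf2HMACSHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, the PRF RFC 3962 uses.
// Note that nothing here objects to an empty password: HMAC takes an empty
// key just fine, so "" is simply one more valid UTF-8 input.
func pbkdf2HMACSHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// nfold is the RFC 3961 n-fold function: repeat the input, rotating each copy
// 13 bits further right than the previous one, until lcm(len(in), outBytes)
// bytes have been produced, then add the outBytes-sized chunks as big-endian
// integers with end-around carry (ones' complement addition).
func nfold(in []byte, outBytes int) []byte {
	inBytes := len(in)
	inBits := uint(inBytes * 8)
	lcm := inBytes * outBytes / gcd(inBytes, outBytes)
	x := new(big.Int).SetBytes(in)
	inMask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), inBits), big.NewInt(1))
	buf := make([]byte, 0, lcm)
	for k := 0; k < lcm/inBytes; k++ {
		r := uint(13*k) % inBits
		rot := new(big.Int).Rsh(x, r)
		rot.Or(rot, new(big.Int).Lsh(x, inBits-r))
		rot.And(rot, inMask)
		buf = append(buf, rot.FillBytes(make([]byte, inBytes))...)
	}
	outBits := uint(outBytes * 8)
	outMask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), outBits), big.NewInt(1))
	sum := new(big.Int)
	for off := 0; off < lcm; off += outBytes {
		sum.Add(sum, new(big.Int).SetBytes(buf[off:off+outBytes]))
	}
	for sum.BitLen() > int(outBits) { // fold the carry back into the low end
		carry := new(big.Int).Rsh(sum, outBits)
		sum.And(sum, outMask)
		sum.Add(sum, carry)
	}
	return sum.FillBytes(make([]byte, outBytes))
}

// stringToKeyAES128 is RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
// tkey = PBKDF2-HMAC-SHA1(password, salt, iter, 16) and key = DK(tkey, "kerberos").
// DK for AES encrypts n-fold("kerberos") under tkey with CTS and a zero IV; the
// 128-bit n-fold is exactly one block, so that is a single AES block encryption.
func stringToKeyAES128(password, salt string, iter int) ([]byte, error) {
	if iter < 1 {
		return nil, errors.New("iteration count must be at least 1")
	}
	tkey := pbkdf2HMACSHA1([]byte(password), []byte(salt), iter, 16)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16)
	block.Encrypt(key, nfold([]byte("kerberos"), 16))
	return key, nil
}

// deriveWithPolicy is a hypothetical wrapper showing where a minimum-length
// rule has to live: in the caller, before string-to-key, because RFC 3961
// gives the derivation itself no reason to reject "".
func deriveWithPolicy(password, salt string, iter int) ([]byte, error) {
	if password == "" {
		return nil, errors.New("empty password rejected by policy")
	}
	return stringToKeyAES128(password, salt, iter)
}

func main() {
	vec, _ := stringToKeyAES128("password", "ATHENA.MIT.EDUraeburn", 1)
	fmt.Println("RFC 3962 vector:", hex.EncodeToString(vec))
	// Constructed salt (realm "EXAMPLE.COM" + principal "user"); salts are public,
	// so with an empty password anyone can recompute this key in one guess.
	empty, _ := stringToKeyAES128("", "EXAMPLE.COMuser", 4096)
	fmt.Println("key from empty password:", hex.EncodeToString(empty))
	_, err := deriveWithPolicy("", "EXAMPLE.COMuser", 4096)
	fmt.Println("with policy check:", err)
}
```

The derivation succeeds for "" exactly as it does for any other string; the only thing that distinguishes the two is that an attacker who knows the (public) salt and iteration count needs a single PBKDF2 evaluation to reproduce the empty-password key, which is why the refusal has to be a policy decision in the caller rather than something the string-to-key function can express.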