Is there a valid case for an empty password?

Robbie Harwood rharwood at redhat.com
Fri Oct 12 13:05:56 EDT 2018


Greg Hudson <ghudson at mit.edu> writes:

> On 10/11/2018 11:19 PM, Weijun Wang wrote:
>
>> We are planning to disallow empty passwords for PBKDF2 in
>> JDK. However, some years ago I did receive a bug report to support
>> empty passwords on Windows 200x. Is it really a valid password?
>
> RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be
> allowed" and doesn't say anything about a minimum length.
>
> MIT krb5 had a bug where empty passwords wouldn't work via the API
> (but would work via the prompter).  We fixed it in 1.12:
>
>      http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642
>
> The fix was prompted by Fedora bug reports such as:
>
>      https://bugzilla.redhat.com/show_bug.cgi?id=960001
>
> Of course there is basically no security value to a key derived from
> an empty password.  But I guess there have been some use cases anyway.

That bug was for a contrived test, so it's not much of a use case on its
own.  In practice IPA will prohibit empty strings (and other weaker
passwords) in policy so I don't think we're particularly concerned about
having it work.

That said, I think your reading of 3961 is correct.

Thanks,
--Robbie
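To make the point of the thread concrete, here is an added illustration (not code from the thread, MIT krb5 or the JDK): the PBKDF2 stage of the RFC 3962 string-to-key, which accepts any UTF-8 string including "", next to the kind of policy gate that IPA is described as applying before a password ever reaches string-to-key. The final DK step with the "kerberos" constant is left out because it needs AES; the RFC 4120 default-salt construction and the principal names are assumptions made for the example.

```python
import hashlib

# Default iteration count for the aes*-cts-hmac-sha1-96 enctypes (RFC 3962 section 4).
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str, realm: str) -> str:
    """RFC 4120 section 4.1 default salt: realm followed by the principal
    name components with no separators (e.g. "ATHENA.MIT.EDU" + "raeburn")."""
    return realm + principal.replace("/", "")


def pbkdf2_string_to_key(password: str, salt: str,
                         iterations: int = DEFAULT_ITERATIONS,
                         key_len: int = 16) -> bytes:
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt.  Nothing here rejects an empty password, which
    matches the RFC 3961 reading in the thread: all valid UTF-8 strings are
    allowed.  The random-to-key/DK step that follows in the RFC is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def password_policy_ok(password: str, min_length: int = 8) -> bool:
    """Policy gate of the sort a KDC front end (IPA in the thread) applies.
    Hypothetical minimum-length rule; a real policy would check more."""
    return len(password) >= min_length


def enroll(password: str, principal: str, realm: str) -> bytes:
    """Derive a key only if policy accepts the password.  With an empty
    password the PBKDF2 input is just the salt, i.e. the public realm and
    principal name, so the resulting key carries no secret at all; the policy
    check is what keeps such a key out of the database."""
    if not password_policy_ok(password):
        raise ValueError("password rejected by policy")
    return pbkdf2_string_to_key(password, default_salt(principal, realm))


if __name__ == "__main__":
    # Empty password: string-to-key happily produces a 16-byte key ...
    print(pbkdf2_string_to_key("", default_salt("alice", "EXAMPLE.COM")).hex())
    # ... and only the policy layer stops it.
    try:
        enroll("", "alice", "EXAMPLE.COM")
    except ValueError as e:
        print("enroll refused:", e)
```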