Is there a valid case for an empty password?

Robbie Harwood rharwood at
Fri Oct 12 13:05:56 EDT 2018

Greg Hudson <ghudson at> writes:

> On 10/11/2018 11:19 PM, Weijun Wang wrote:
>> We are planning to disallow empty passwords for PBKDF2 in
>> JDK. However, some years ago I did receive a bug report to support
>> empty passwords on Windows 200x. Is it really a valid password?
> RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be
> allowed" and doesn't say anything about a minimum length.
> MIT krb5 had a bug where empty passwords wouldn't work via the API
> (but would work via the prompter).  We fixed it in 1.12:
> The fix was prompted by Fedora bug reports such as:
> Of course there is basically no security value to a key derived from
> an empty password.  But I guess there have been some use cases anyway.

That bug was for a contrived test, so it's not much of a use case on its
own.  In practice IPA will prohibit empty strings (and other weaker
passwords) in policy so I don't think we're particularly concerned about
having it work.

That said, I think your reading of 3961 is correct.
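The thread's technical point is that the string-to-key function itself (PBKDF2 in the RFC 3962 AES enctypes) places no minimum on password length, and that the place to reject empty or weak passwords is policy, not the KDF. The following is an added illustration written for this archive page, not code from MIT krb5, IPA or the JDK: it runs PBKDF2-HMAC-SHA1 over the UTF-8 password and a Kerberos-style salt (the realm name concatenated with the principal components, as in RFC 3962) and shows an empty password deriving a key just like any other, with a separate policy check in front of it. The iteration count, minimum length and salt value are assumptions chosen for the example; the final RFC 3962 DK step that turns the PBKDF2 output into the enctype key is deliberately omitted.

```python
import hashlib


def pbkdf2_string_to_key(password: str, salt: str,
                         iterations: int = 4096, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 password and salt.

    Mirrors the first stage of the RFC 3962 AES string-to-key: the KDF
    accepts any valid UTF-8 string, including the empty string, because
    RFC 3961 names no minimum length.  (The DK() step that follows in the
    real enctype is omitted here; it does not change the point.)
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=key_len,
    )


def kerberos_salt(realm: str, principal: str) -> str:
    """Default RFC 3962 salt: realm followed by the principal name parts
    with the '/' separators removed (e.g. 'ATHENA.MIT.EDU' + 'raeburn')."""
    return realm + "".join(principal.split("/"))


def enforce_password_policy(password: str, min_length: int = 8) -> None:
    """Policy-layer check of the kind IPA applies; min_length is an
    assumed value for this example.  Empty strings are rejected here,
    not inside the KDF."""
    if len(password) < min_length:
        raise ValueError(
            f"password shorter than policy minimum of {min_length} characters"
        )


def derive_with_policy(password: str, salt: str) -> bytes:
    """Apply policy first, then derive.  This is the ordering the thread
    argues for: keep the KDF spec-compliant, reject weak input above it."""
    enforce_password_policy(password)
    return pbkdf2_string_to_key(password, salt)


if __name__ == "__main__":
    salt = kerberos_salt("ATHENA.MIT.EDU", "raeburn")
    # The KDF happily derives a key from "" (it is just not a secret).
    print("empty-password key:", pbkdf2_string_to_key("", salt).hex())
    try:
        derive_with_policy("", salt)
    except ValueError as exc:
        print("policy rejected it:", exc)
```

The empty-password key is fully determined by the salt, which in Kerberos is public (realm plus principal), so it carries no secret material at all; that is the "no security value" remark in Greg's reply, and the reason the check belongs in password policy rather than in the KDF.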
