Is there a valid case for an empty password?

Is there a valid case for an empty password?

Weijun Wang
We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?

Thanks
Max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: Is there a valid case for an empty password?

Weijun Wang
I checked the history, sorry for blaming Windows. It was requested by an embedded server vendor.

> On Oct 12, 2018, at 11:19 AM, Weijun Wang <[hidden email]> wrote:
>
> We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?
>
> Thanks
> Max
>


Re: Is there a valid case for an empty password?

Greg Hudson
In reply to this post by Weijun Wang
On 10/11/2018 11:19 PM, Weijun Wang wrote:
> We are planning to disallow empty passwords for PBKDF2 in JDK. However, some years ago I did receive a bug report to support empty passwords on Windows 200x. Is it really a valid password?

RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be
allowed" and doesn't say anything about a minimum length.

MIT krb5 had a bug where empty passwords wouldn't work via the API (but
would work via the prompter).  We fixed it in 1.12:

     http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642

The fix was prompted by Fedora bug reports such as:

     https://bugzilla.redhat.com/show_bug.cgi?id=960001

Of course there is basically no security value to a key derived from an
empty password.  But I guess there have been some use cases anyway.
Re: Is there a valid case for an empty password?

Robbie Harwood
Greg Hudson <[hidden email]> writes:

> On 10/11/2018 11:19 PM, Weijun Wang wrote:
>
>> We are planning to disallow empty passwords for PBKDF2 in
>> JDK. However, some years ago I did receive a bug report to support
>> empty passwords on Windows 200x. Is it really a valid password?
>
> RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be
> allowed" and doesn't say anything about a minimum length.
>
> MIT krb5 had a bug where empty passwords wouldn't work via the API
> (but would work via the prompter).  We fixed it in 1.12:
>
>      http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642
>
> The fix was prompted by Fedora bug reports such as:
>
>      https://bugzilla.redhat.com/show_bug.cgi?id=960001
>
> Of course there is basically no security value to a key derived from
> an empty password.  But I guess there have been some use cases anyway.
That bug was for a contrived test, so it's not much of a use case on its
own.  In practice IPA will prohibit empty strings (and other weaker
passwords) in policy so I don't think we're particularly concerned about
having it work.

That said, I think your reading of 3961 is correct.

Thanks,
--Robbie

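Greg's point (RFC 3961 string-to-key takes any valid UTF-8 string, the empty one included, and the resulting key has no security value) and Robbie's point (reject weak passwords in policy rather than in the primitive) together, as an added Python example that is not code from the thread, MIT krb5 or the JDK. It assumes only the PBKDF2-HMAC-SHA1 step of RFC 3962 with the default salt of realm plus principal name and 4096 iterations; the final AES-based DK() step is omitted as it does not change the argument.

```python
import hashlib

# RFC 3962 aes128-cts-hmac-sha1-96 string-to-key, first step only:
# PBKDF2-HMAC-SHA1 over the UTF-8 password, salt = realm + principal,
# default iteration count 4096, 16-byte output. The DK() step is omitted.
DEFAULT_ITERATIONS = 4096
AES128_KEY_LEN = 16


def kerberos_salt(realm: str, principal: str) -> bytes:
    """Default Kerberos salt: realm name followed by the principal name, no separator."""
    return (realm + principal).encode("utf-8")


def pbkdf2_step(password: str, salt: bytes,
                iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """The string-to-key primitive: accepts any valid UTF-8 string, '' included.

    No length check belongs here; RFC 3961 does not specify a minimum."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, AES128_KEY_LEN)


def enforce_password_policy(password: str, min_len: int = 1) -> str:
    """Policy-layer rejection, the approach the thread favours (IPA-style).

    Raises ValueError instead of letting an empty string reach the primitive."""
    if len(password) < min_len:
        raise ValueError("password shorter than policy minimum of %d" % min_len)
    return password


def key_from_public_inputs_only(realm: str, principal: str) -> bytes:
    """Shows why an empty password has no security value: the salt and
    iteration count are public, so anyone can reproduce this key."""
    return pbkdf2_step("", kerberos_salt(realm, principal))


def derive_with_policy(password: str, realm: str, principal: str) -> bytes:
    """The checked path a caller would use: policy first, then derivation."""
    return pbkdf2_step(enforce_password_policy(password),
                       kerberos_salt(realm, principal))


if __name__ == "__main__":
    # Constructed sample realm/principal, not a real deployment.
    print(key_from_public_inputs_only("EXAMPLE.COM", "user").hex())
```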