Passwords (Kerberos and LDAP)

All accounts have two different passwords associated with them: Kerberos and LDAP. Their usage is explained in the table below. In general, services which grant full filesystem access require your Kerberos password. Other services use LDAP. You should pick different, secure passwords for each.

What is it used for?
  • Logging into Linux
  • Logging into Windows
  • Accessing CIFS
  • Unlocking a locked screen
  • Obtaining Kerberos tickets with kinit
  • Email services (IMAP, POP, SMTPS, and webmail)
  • Department wikis
  • OpenVPN
  • Postgres database
  • Printing (e.g. lprm command)
  • Jabber IM server
How do you change it? /local/bin/kpasswd /local/bin/ldappasswd

Initial Passwords

All new users are assigned a random Kerberos password which is given to the user when their account is created. New users should use this password to log in for the first time and then immediately change it using the directions below.

New users start out with no LDAP password, which means they can't log into services using LDAP. To set an initial LDAP password, follow the password changing instructions below.

Changing a Password

To change your Kerberos or LDAP password, log into a Linux system, open a shell prompt, and run the command listed in the table above.

To change either password you need to know your current Kerberos password. You do not need to know your current LDAP password to change your LDAP password.


Your LDAP password is used for a great number of services, including email. If you have it saved in any of your applications (such as your mail client) and you change it, you will need to reconfigure your applications to remember your new password.

Forgotten Password


Please visit the User Services Coordinator in room 571 during business hours, locate a SPOC after hours, or email problem to arrange an appointment. You will normally need to present your Brown ID to have your password reset.


Simply run the /local/bin/ldappasswd command as described above. You don't need to know your current LDAP password to change it.

Password Requirements

We do our best to follow the CIS password policy. Therefore, we need to enforce the following requirements on Kerberos and LDAP passwords:

  • Passwords must contain at least three character classes. Character classes include lowercase letters, uppercase letters, digits, and punctuation.
  • Passwords must not be broken by our password cracker. Simple passwords, such as dictionary words, will fail this test, but most complex passwords should be fine.
  • Your password cannot be the same as any of your previous 10 passwords.
  • After changing your password, you must wait a day before changing it again.

    Why Two Passwords?

    For security. Although a compromise of either password would be bad, a compromise of your Kerberos password would be worse, since it would allow an attacker to log in and access the filesystem. Also, note that your LDAP password is likely to be entered over the web and possibly saved by your email client, making it inherently more vulnerable than your Kerberos password.

    Legacy Passwords

    The following passwords are no longer used. Services which previously used the old password now use the password indicated.

    Legacy passwordReplaced by
    Windows passwordKerberos password
    NIS passwordKerberos password
    SSL passwordLDAP password
    PPTP passwordN/A (PPTP is retired)