+
+## Upgrading cryptographic strength
+
+You should change your root instance’s password with a command like this, to upgrade your key from critically weak DES encryption algorithm to strong AES encryption:
+
+ kadmin -p andersk/root -q 'cpw -e aes256-cts:normal -e aes128-cts:normal andersk/root'
+
+(Note: This might make your password incompatible with a [handful of services](http://debathena.mit.edu/trac/ticket/529) that you should not have been using with your root instance in the first place.) You can confirm the change with
+
+ kadmin -p andersk/root -q 'getprinc andersk/root'
+
+which should list a line like
+
+ Key: vno 4, aes256-cts-hmac-sha1-96, no salt
+
+If you change your password again, you will need to specify your desired enctypes with the -e option; otherwise, they will be reset to the defaults.