Hadoop-common is vulnerable to brute-force attacks due to insecure token passwords. When Kerberos security features are enabled, token passwords are generated using only a 20-bit secret. By leveraging this flaw, an attacker can easily crack secret keys using a brute-force attack.