1. Ports
  2. Port 586

Port 586: Password Change — The Door That Never Opened

Port 586 sits in the well-known range with an official assignment from IANA: password change services. But if you scan networks looking for activity on this port, you'll mostly find silence.

What Port 586 Was Meant For

The Internet Assigned Numbers Authority assigned port 586 to "passwordchg"—a protocol for securely changing user passwords across a network.1 Both TCP and UDP on port 586 were reserved for this purpose.

The idea was straightforward: systems needed a standardized way to handle password changes remotely. Port 586 was supposed to be that door.

What Actually Happened

The world moved on. Password change functionality—particularly in Kerberos environments—standardized on port 464 instead.2 RFC 3244 specifies the Kerberos change password and set password protocols, and they operate on port 464, not 586.3

Port 586 received its official assignment, but the traffic never really materialized. The protocol it was meant to serve found a better home elsewhere.

Why This Matters

Port 586 demonstrates something important about the port system: official assignment doesn't guarantee adoption.

IANA can reserve a port number and publish it in the registry. But whether that port actually gets used depends on whether implementers choose to build software that operates on it. In this case, they didn't.

The well-known ports range (0-1023) was meant to provide stable, predictable locations for important services. Port 586 has the stability and the assignment, but not the adoption. It's a door that was built and labeled but rarely opened.

What Might Be Listening

On most networks, port 586 will be closed or unresponsive. But you might occasionally encounter:

  • Legacy systems that implemented the original passwordchg protocol before the shift to port 464
  • Custom applications that repurposed the port for internal password management systems
  • Security research tools scanning or testing the port

To check what's listening on port 586 on your system:

# Linux/macOS - Check for listeners
sudo lsof -i :586
sudo netstat -tlnp | grep :586

# Windows - Check for listeners  
netstat -ano | findstr :586

Most of the time, you'll find nothing.

The Forgotten Assignment

There's a category of ports that exists between "actively used" and "completely unassigned"—ports that were assigned with good intentions but never found their purpose. Port 586 lives in that space.

It wasn't a failure exactly. The need for password change protocols was real. The assignment was legitimate. The functionality exists—just on a different port.

Port 586 is what happens when the protocol specification and the implementation community don't align. The port number was claimed, documented, and published. But the community building the actual software chose a different path.

Now it remains in the registry, officially assigned, technically available, and largely unused. A door in the Internet's nervous system that was built but rarely opened—waiting for traffic that mostly never comes.

Related Ports

  • Port 464 — Where Kerberos password changes actually happen
  • Port 106 — 3COM TSMUX, another rarely-used well-known port
  • Port 512-514 — Berkeley r-commands (rexec, rlogin, rsh) that were also largely abandoned

Sebelumnya

Port 585: IMAP4-SSL (Deprecated) — The ghost port that email clients won't forget

Selanjutnya

Port 588: CAL — The assigned but forgotten

Apakah halaman ini membantu?

😔
🤨
😃