[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CONTENT DECISION: Content Decisions for "Password Selection" problems



On Wed, Jul 14, 1999 at 04:24:51PM -0400, Steven M. Christey wrote:
| Password Selection Content Decisions
| ************************************
| 
| The following content decisions were applied to configuration problems
| related to "password selection" in the draft CVE.  NOTE: this does
| *not* include "password policy" problems such as aging or length,
| which will be dealt with later.
| 
| 1) Two Fundamental Password Selection Problems
|    - Default, null, or missing password
|    - Guessable password
|    - implications:
|      - need to enumerate two separate password problems for each
|        configuration (see other content decisions below)
|      - arguably default should be separated, but if so, this
|        increases number of password selection entries in the CVE
|        by 50%
| 
| 2) Default Passwords are High Cardinality
|   - therefore we don't discriminate between different default
|     passwords (see content decisions paper which discusses high
|     cardinality)
|   - implications:
|     - the sysadmin perspective probably argues that we separate these

So, when there is a secret default password, thats already covered
under an existing CVE?

Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you 
in.  Similarly, the Sun "all private" snmp community.

Do these get rated as default passwords?  (I'm happy with a yes, but
its a suprising decision)

Adam

Page Last Updated or Reviewed: May 22, 2007