Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Wed, Jul 14, 1999 at 04:24:51PM -0400, Steven M. Christey wrote:
| Password Selection Content Decisions
| ************************************
|
| The following content decisions were applied to configuration problems
| related to "password selection" in the draft CVE. NOTE: this does
| *not* include "password policy" problems such as aging or length,
| which will be dealt with later.
|
| 1) Two Fundamental Password Selection Problems
| - Default, null, or missing password
| - Guessable password
| - implications:
| - need to enumerate two separate password problems for each
| configuration (see other content decisions below)
| - arguably default should be separated, but if so, this
| increases number of password selection entries in the CVE
| by 50%
|
| 2) Default Passwords are High Cardinality
| - therefore we don't discriminate between different default
| passwords (see content decisions paper which discusses high
| cardinality)
| - implications:
| - the sysadmin perspective probably argues that we separate these
So, when there is a secret default password, that's already covered
under an existing CVE?
E.g., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
in. Similarly, the Sun "all private" snmp community.
Do these get rated as default passwords? (I'm happy with a yes, but
it's a surprising decision)
Adam