Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Wed, Jul 14, 1999 at 04:24:51PM -0400, Steven M. Christey wrote:
| Password Selection Content Decisions
| ************************************
|
| The following content decisions were applied to configuration problems
| related to "password selection" in the draft CVE.  NOTE: this does
| *not* include "password policy" problems such as aging or length,
| which will be dealt with later.
|
| 1) Two Fundamental Password Selection Problems
|    - Default, null, or missing password
|    - Guessable password
|    - implications:
|      - need to enumerate two separate password problems for each
|        configuration (see other content decisions below)
|      - arguably default should be separated, but if so, this
|        increases number of password selection entries in the CVE
|        by 50%
|
| 2) Default Passwords are High Cardinality
|    - therefore we don't discriminate between different default
|      passwords (see content decisions paper which discusses high
|      cardinality)
|    - implications:
|      - the sysadmin perspective probably argues that we separate these

So, when there is a secret default password, that's already covered under
an existing CVE?  E.g., on the 3Com CoreBuilder 6000/2500 "debug/synnet"
works to get you in.  Similarly, the Sun "all private" snmp community.
Do these get rated as default passwords?  (I'm happy with a yes, but it's
a surprising decision)

Adam