CVE
- Id
- 532
- CVE No.
- CVE-1999-0535
- Status
- Candidate
- Description
- A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.
- Phase
- Proposed (19990721)
- Votes
- ACCEPT(2) Shostack, Wall | MODIFY(2) Baker, Frech | RECAST(2) Northcutt, Ozancin
- Comments
- Northcutt> inappropriate implies there is appropriate. As a guy who has been | monitoring | networks for years I have deep reservations about justiying the existance | of any fixed cleartext password. For appropriate to exist, some "we" would | have to establish some criteria for appropriate passwords. | Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582 | specifies "...settings for lockouts". To remain consistent with the | other, maybe it should specify "...settings for passwords" I think | most people would agree that passwords should be at least 8 | characters; contain letters (upper and lowercase), numbers and at | least one non-alphanumeric; should only be good a limited time 30-90 | days; and should not contain character combinations from user"s prior | 2 or 3 passwords. | Suggested rewrite - | A Windows NT account policy does not enforce reasonable minimum | security-critical settings for passwords, e.g. passwords of sufficient | length, periodic required password changes, or new password uniqueness | Ozancin> What is appropriate? | Frech> XF:nt-autologonpwd | XF:nt-pwlen | XF:nt-maxage | XF:nt-minage | XF:nt-pw-history | XF:nt-user-pwnoexpire | XF:nt-unknown-pwdfilter | XF:nt-pwd-never-expire | XF:nt-pwd-nochange | XF:nt-pwdcache-enable | XF:nt-guest-change-passwords
