CVE-ID

CVE-1999-0535

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Entry Created
19990607 Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (19990721)
Votes (Legacy)
ACCEPT(2) Shostack, Wall
MODIFY(2) Baker, Frech
RECAST(2) Northcutt, Ozancin
Comments (Legacy)
 Northcutt> inappropriate implies there is appropriate.  As a guy who has been
   monitoring
   networks for years I have deep reservations about justiying the existance
   of any fixed cleartext password. For appropriate to exist, some "we" would 
   have to establish some criteria for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit.  The CVE CVE-1999-00582
   specifies "...settings for lockouts".  To remain consistent with the
   other, maybe it should specify "...settings for passwords" I think
   most people would agree that passwords should be at least 8
   characters; contain letters (upper and lowercase), numbers and at
   least one non-alphanumeric; should only be good a limited time 30-90
   days; and should not contain character combinations from user's prior
   2 or 3 passwords.
   Suggested rewrite - 
   A Windows NT account policy does not enforce reasonable minimum
   security-critical settings for passwords, e.g. passwords of sufficient
   length, periodic required password changes, or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd
   XF:nt-pwlen
   XF:nt-maxage
   XF:nt-minage
   XF:nt-pw-history
   XF:nt-user-pwnoexpire
   XF:nt-unknown-pwdfilter
   XF:nt-pwd-never-expire
   XF:nt-pwd-nochange
   XF:nt-pwdcache-enable
   XF:nt-guest-change-passwords

Proposed (Legacy)
19990721
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.