CONTENT DECISION: Content Decisions for "Password Selection" problems
Password Selection Content Decisions
************************************

The following content decisions were applied to configuration problems related to "password selection" in the draft CVE.

NOTE: this does *not* include "password policy" problems such as aging or length, which will be dealt with later.

1) Two Fundamental Password Selection Problems

   - Default, null, or missing password
   - Guessable password

   - implications:
     - need to enumerate two separate password problems for each configuration (see other content decisions below)
     - arguably default should be separated, but if so, this increases the number of password selection entries in the CVE by 50%

2) Default Passwords are High Cardinality

   - therefore we don't discriminate between different default passwords (see the content decisions paper, which discusses high cardinality)

   - implications:
     - the sysadmin perspective probably argues that we separate these

See the PASS cluster for examples of these content decisions in action, in conjunction with the high-level configuration problem decisions. For example, "Unix account" vs. "NT account" vs. "router account" all have separate entries by the "Different Functionality, Different Configuration Problem" content decision; we further separate each one into "account password is guessable" and "account password is default, null, or missing" due to the "Two Fundamental Password Selection Problems" decision. But we don't discriminate between "Unix root password guessable" and "Unix nobody password guessable" because of the "Different Risk/Same Configuration Problem" decision, as well as the "Same Checkbox" decision.