
CONTENT DECISION: Content Decisions for "Password Selection" problems



Password Selection Content Decisions
************************************

The following content decisions were applied to configuration problems
related to "password selection" in the draft CVE.  NOTE: this does
*not* include "password policy" problems such as aging or length,
which will be dealt with later.

1) Two Fundamental Password Selection Problems
   - Default, null, or missing password
   - Guessable password
   - implications:
     - need to enumerate two separate password problems for each
       configuration (see other content decisions below)
     - arguably default should be separated, but if so, this
       increases number of password selection entries in the CVE
       by 50%

2) Default Passwords are High Cardinality
  - therefore we don't discriminate between different default
    passwords (see content decisions paper which discusses high
    cardinality)
  - implications:
    - the sysadmin perspective probably argues that we separate these


See the PASS cluster for examples of these content decisions in
action, in conjunction with the high-level configuration problem
decisions.

For example, "Unix account" vs. "NT account" vs. "router account" all
have separate entries by the "Different Functionality, Different
Configuration Problem" content decision; we further separate each one
into "account password is guessable" and "account password is default,
null, or missing" due to the "Two Fundamental Password Selection
Problems" decision.  But we don't discriminate between "Unix root
password guessable" and "Unix nobody password guessable" because of
the "Different Risk/Same Configuration Problem" decision, as well as
the "Same Checkbox" decision.

Page Last Updated or Reviewed: May 22, 2007