adminblankpw, accountblankpw

Vulnerability Description

Brief description: A Windows NT user or administrator has a password that is the same as the login name.

Full description: A Windows NT user or administrator has a password the same as the login name. This makes password guessing trivial.

Components: authentication system

Systems: Windows NT

Effect(s) of exploiting: The attacker gets the privileges of the user.

Detecting the hole:

    1. Use an auditing tool to check user passwords.

Fixing the hole:

    1. Configure Windows NT to enforce a password policy that disallows such passwords.

Other information:

Keywords

password

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CAN-1999-0535 -- A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.

Exploit Information

Attack:

Related Information

Advisories: CERT Windows NT Configuration Guidelines section V, Passwords; Microsoft's password filter passfilt.dll, available from the Platform SDK for Windows NT 4.0 SP 4.0 and later.

Related Vulnerabilities:

Reportage

Reporting: in ( )

Revision Number 1

  1. Patrick LeBlanc (6/29/2000):