Info
Last Modified: 4 months ago

Description
Some systems may have an account policy that does not allow a user to change their password. This may be the result of poor configuration or of an overzealous security posture. User accounts that do not allow password changes may pose a higher risk to an organization. If the password for such an account is compromised for whatever reason, the user is unable to change it once the disclosure is discovered. This may give an attacker an increased window to log in to the account before an administrator can change the password.

Classification
Location: Local Access Required, Remote/Network Access Required
Attack Type: Authentication Management
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Best Practice

Solution
Administrators should maintain a strong user account policy which includes the ability for users to modify their own password. Such password changes should conform to a strong password policy. It is typically recommended that passwords are changed at least every 90 days.
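
One way to audit for this condition, as an added example that is not part of the original entry: the entry names no platform, so this assumes Linux accounts in shadow(5) format, where a maximum password age lower than the minimum age means the user cannot change the password. The sample lines are constructed, and `audit_shadow` and the 90-day threshold (taken from the rotation interval above) are assumptions of the example.

```python
"""Flag shadow(5) accounts whose aging fields stop the user changing their password."""

# Constructed sample in shadow(5) format (not real accounts or hashes).
SAMPLE_SHADOW = """\
alice:$6$constructed$hash:19000:0:90:7:::
bob:$6$constructed$hash:19000:120:90:7:::
svc_backup:$6$constructed$hash:19000:99999:99999:7:::
carol:$6$constructed$hash:19000::::::
daemon:*:19000:0:99999:7:::
"""

# Assumption: a minimum age longer than the 90-day rotation window is a finding.
LONG_MIN_AGE_DAYS = 90


def _age(field):
    """An empty aging field means no restriction; non-numeric is treated the same."""
    field = field.strip()
    return int(field) if field.isdigit() else None


def audit_shadow(text):
    """Return {login: reason} for password-capable accounts that cannot change it."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or line.startswith("#"):
            continue  # blank, comment, or malformed entry
        login, pw_hash = fields[0], fields[1]
        if pw_hash[:1] in ("!", "*"):
            continue  # locked or no password login, so nothing for the user to change
        min_age, max_age = _age(fields[3]), _age(fields[4])
        if min_age is not None and max_age is not None and max_age < min_age:
            findings[login] = (
                f"max age {max_age} < min age {min_age}: user can never change password"
            )
        elif min_age is not None and min_age > LONG_MIN_AGE_DAYS:
            findings[login] = (
                f"min age {min_age} days blocks changes beyond the rotation window"
            )
    return findings


if __name__ == "__main__":
    for login, reason in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{login}: {reason}")
```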

Products
All Products: All Versions

Credit
Unknown or Incomplete