User Account Policy Password Cannot Be Changed

1980-01-01T00:00:00
ID OSVDB:751
Type osvdb
Reporter OSVDB
Modified 1980-01-01T00:00:00

Description

Vulnerability Description

Some systems may have an account policy that does not allow a user to change their own password. This may be the result of poor configuration or of an overzealous security posture. User accounts that do not allow password changes pose a higher risk to an organization: if such an account's password is compromised for any reason, the user cannot change it once the disclosure is discovered. This may give an attacker a longer window in which to log in to the account before an administrator changes the password.

Solution Description

Administrators should maintain a strong user account policy that includes the ability for users to change their own passwords. Such password changes should conform to a strong password policy. It is typically recommended that passwords are changed at least every 90 days.

References:

Related OSVDB ID: 754
Related OSVDB ID: 752
Related OSVDB ID: 755
Nessus Plugin ID: 10912