
Microsoft Windows 2000 Password Policy Bypass Vulnerability

Microsoft Windows 2000 allows administrators to set a password policy that enforces the use of strong passwords. The administrator may specify how long a user's password remains valid and what requirements a new password must meet before it is accepted.

When a user's password expires under such a policy, Windows 2000 forces the user to change it. The policy may require the new password to satisfy certain conditions to be valid; one of these is that it must not match any of the user's previous passwords, up to the configured history length (18 in the configuration described here).

However, it has been found that some aspects of the password policy can be subverted if the user changes their password voluntarily, that is, before it expires and before the system prompts them to change it. In that case the new password is not checked against the user's password history. It must still meet the other requirements of the password policy.

As a result, a user can recycle a recently used password even though the administrator has configured the policy specifically to prevent this. Confirming that a history length is configured (for example, "net accounts" reports the length of password history maintained) does not by itself show that the history is enforced on a voluntary change.
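The following is an added model of the behaviour described above, written for this page and not code from Windows 2000 or from SecurityFocus. It keeps a bounded history of salted password hashes and implements two change routines: one that mirrors the reported flaw, where the history comparison only runs when the change was forced at expiry, and a corrected one that checks every change. The account, password values, the simplified three-of-four-character-class complexity rule and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Model of an 'enforce password history' check and of the bypass described
above.  Constructed example: not Windows 2000 code, not SecurityFocus code."""
from __future__ import annotations

import hashlib
import os
import string
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000  # assumption: any slow salted hash serves the model


@dataclass
class PasswordPolicy:
    history_length: int = 18   # previous passwords a new one must not match
    min_length: int = 8
    require_complexity: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def meets_complexity(password: str, policy: PasswordPolicy) -> bool:
    """Simplified rule (assumption): minimum length plus at least three of the
    four character classes upper, lower, digit and punctuation."""
    if len(password) < policy.min_length:
        return False
    if not policy.require_complexity:
        return True
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


class Account:
    """Current password plus a bounded history of (salt, digest) pairs, most
    recent last, so history[-1] is always the current password."""

    def __init__(self, password: str, policy: PasswordPolicy):
        self.policy = policy
        self.history: list[tuple[bytes, bytes]] = []
        self._record(password)

    def _record(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        keep = max(self.policy.history_length, 1)   # always keep the current one
        del self.history[:-keep]

    def in_history(self, password: str) -> bool:
        n = self.policy.history_length
        if n == 0:
            return False
        return any(hash_password(password, salt) == digest
                   for salt, digest in self.history[-n:])

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hash_password(password, salt) == digest


def change_password_vulnerable(account: Account, new_password: str,
                               forced_by_expiry: bool) -> bool:
    """Reported behaviour: the history check only runs when the system itself
    forced the change at expiry, so a voluntary change skips it."""
    if not meets_complexity(new_password, account.policy):
        return False
    if forced_by_expiry and account.in_history(new_password):
        return False
    account._record(new_password)
    return True


def change_password_fixed(account: Account, new_password: str,
                          forced_by_expiry: bool = False) -> bool:
    """Intended policy: every change, forced or voluntary, is checked."""
    if not meets_complexity(new_password, account.policy):
        return False
    if account.in_history(new_password):
        return False
    account._record(new_password)
    return True


def demo() -> dict:
    """Drive both variants through a recycling attempt (constructed passwords)."""
    policy = PasswordPolicy(history_length=18)
    old, filler = "Winter-2008!", "Spring-2008!"

    vuln = Account(old, policy)
    results = {
        "vuln_forced_recycle": change_password_vulnerable(vuln, old, True),       # rejected
        "vuln_voluntary_filler": change_password_vulnerable(vuln, filler, False),  # accepted
        "vuln_voluntary_recycle": change_password_vulnerable(vuln, old, False),    # accepted: the bypass
    }
    results["vuln_now_uses_old"] = vuln.verify(old)

    fixed = Account(old, policy)
    change_password_fixed(fixed, filler)
    results["fixed_voluntary_recycle"] = change_password_fixed(fixed, old)        # rejected
    results["fixed_rejects_weak"] = change_password_fixed(fixed, "password")      # fails complexity
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the single conditional in change_password_vulnerable: the history comparison is gated on how the change was initiated rather than applied to every change, which is exactly the distinction the advisory describes. Any policy check that a user can trigger through a different code path (expiry prompt versus Ctrl+Alt+Del change, in the Windows case) needs the same tests run on both paths.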

Copyright 2008, SecurityFocus