8. User IDs, especially root/administrator with no passwords or weak passwords.
Some systems come with "demo", "guest", or "maintenance" accounts that have weak, widely known, or no password protection. It is also common for system administrators to assign users simple initial passwords on the assumption that the user will then change the password to something stronger.
Affected Versions: All operating systems offering password based authentication are affected.
CVE Entry: CAN-1999-0501, CAN-1999-0502, CAN-1999-0503, CAN-1999-0504
Details: It is common to find accounts that have weak or no password protection. Tools are widely available to crack passwords on all operating systems.
Recommendations: It is very important to have password policies implemented. It is also a good idea to obtain written permission to use tools such as BindView HackerShield to test password strength. Setting passwords to expire periodically and enforcing password histories will also protect users from having their passwords cracked.
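The following is an added example, not part of the original text and not from any of the tools or sites named above. It shows, in Python, the two defensive checks the recommendations call for: an audit of a shadow-style account file for empty password fields, enabled well-known default accounts ("demo", "guest", "maintenance") and passwords older than a maximum age, and a policy check applied when a user picks a new password (minimum length, character classes, a small list of widely known passwords, and a salted-hash password history so the user cannot reuse an old password). The shadow records, the common-password list and the policy thresholds (12 characters, 3 character classes, 90 days) are constructed assumptions for illustration; a real deployment would read the live account file and use the site's own policy values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample of shadow-style records (name:hash:last_change_days:min:max:warn:::).
# The hash fields are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash1:18000:0:99999:7:::
demo::18000:0:99999:7:::
guest:$6$saltsalt$placeholderhash2:17000:0:99999:7:::
maintenance:!:18000:0:99999:7:::
alice:$6$saltsalt$placeholderhash3:18950:0:90:7:::
"""

# Account names that vendors commonly ship with weak or well-known passwords (assumed list).
WELL_KNOWN_DEFAULT_ACCOUNTS = {"demo", "guest", "maintenance"}

# Tiny constructed sample of widely known passwords; a real policy would use a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def audit_shadow(text, today_days, max_age_days=90):
    """Return (account, finding) pairs for records that violate the password policy.

    today_days is the current date as days since the epoch, the same unit the
    third shadow field uses for the date of the last password change.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, last_change = line.split(":")[:3]
        # A hash field starting with '!' or '*' means password login is disabled.
        locked = pw.startswith(("!", "*"))
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        if name in WELL_KNOWN_DEFAULT_ACCOUNTS and not locked:
            findings.append((name, "well-known default account is enabled"))
        if pw and not locked and last_change:
            age = today_days - int(last_change)
            if age > max_age_days:
                findings.append((name, f"password is {age} days old (limit {max_age_days})"))
    return findings


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest used to store a password in the history without the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password_policy(candidate, history, min_length=12, min_classes=3):
    """Return a list of policy violations for a proposed new password (empty list = accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(
        1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(pat, candidate)
    )
    if classes < min_classes:
        problems.append(f"uses {classes} character classes (need {min_classes})")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("is a widely known password")
    # Re-derive the digest with each stored salt; a match means the password was used before.
    for salt, digest in history:
        if hmac.compare_digest(hash_for_history(candidate, salt)[1], digest):
            problems.append("reuses a password from the history")
            break
    return problems


if __name__ == "__main__":
    # 19000 is an assumed "today" value in days since the epoch for the constructed sample.
    for account, finding in audit_shadow(SAMPLE_SHADOW, today_days=19000):
        print(f"{account}: {finding}")
    history = [hash_for_history("OldPassw0rd!2023")]
    for pw in ("OldPassw0rd!2023", "password", "N3w-Passw0rd!2024"):
        print(pw, "->", check_password_policy(pw, history) or "accepted")
```

The audit flags the "demo" account twice (no password at all, and a well-known default left enabled) and leaves the locked "maintenance" account alone; the policy check keeps only salted digests of previous passwords, so the history itself never stores a usable password.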
Additional Information:
http://www.cert.org/tech_tips/passwd_file_protection.html
http://www.cert.org/incident_notes/IN-98.03.html
http://www.cert.org/incident_notes/IN-90.01.irix.html
http://www.sans.org/topten.htm