Password = username (Windows)

Module: Password Strength

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check iterates through all user accounts and reports when a password and username are identical. The check is not as rigorous as "Password = any username" and is provided for systems with a large number of user accounts. If an audit using "Password = any username" takes too long or is too CPU intensive, you might want to use this check on a daily basis, and "Password = any username" on the weekends. This check is currently not supported on Itanium-based and 64-bit server systems.
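The per-account comparison described above, as an added example (not Symantec ESM's code): it audits constructed account records hashed with PBKDF2 as a stand-in for the Windows password store, and also implements the "Password = any username" variant to show the extra hashing work. The function names and record layout are assumptions, as is filling the `[%s]` information field with the account name; the string IDs and severities are the ones listed in the table on this page.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # constructed value, kept low so the sample runs quickly


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in password hash (PBKDF2-HMAC-SHA256), not the Windows format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(name: str, password: str, disabled: bool = False) -> dict:
    """Build a constructed account record holding only a salt and a hash."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": derive(password, salt),
            "disabled": disabled}


def audit(accounts, any_username=False):
    """Return (findings, hash_computations) for the chosen check mode."""
    findings, work = [], 0
    names = [a["name"] for a in accounts]
    for acct in accounts:
        # Default mode tries one guess per account; any_username tries them all.
        candidates = names if any_username else [acct["name"]]
        for guess in candidates:
            work += 1
            if hmac.compare_digest(derive(guess, acct["salt"]), acct["hash"]):
                off = acct["disabled"]
                findings.append(("ESM_DISABLED_GUESSPASS" if off else "ESM_GUESSPASS",
                                 "green-0" if off else "red-4",
                                 "[%s]" % acct["name"]))
                break
    return findings, work


# Constructed sample accounts; carol's password is another account's username.
SAMPLE = [
    make_account("alice", "alice"),
    make_account("bob", "T4ll-shp"),
    make_account("carol", "bob"),
    make_account("svc_old", "svc_old", disabled=True),
]

if __name__ == "__main__":
    for mode in (False, True):
        found, work = audit(SAMPLE, any_username=mode)
        print("any_username=%s: %d hash computations" % (mode, work))
        for finding in found:
            print("  ", finding)
```

The default mode costs one hash per account, while the any-username mode can cost up to one hash per pair of accounts, which is why the broader check is the one scheduled less often.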

The following table lists the error messages for the check.

Table: Error messages for Password = username

Columns: Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information

String ID: ESM_GUESSPASS

Category: Policy Compliance

  • Windows 2000 (105337)

  • Windows 2003 (205337)

  • Windows 2008 (248337)

  • Windows Vista (228337)

  • Windows XP (200337)

Title: Guessed user password

Description: Symantec ESM guessed the account password. An intruder can also guess this password while trying to break into your system. Immediately assign a secure password to this account. Instruct the user to log on using the secure password and then to change the password again. A secure password should have six to eight characters with at least one non-alphabetic character. A secure password should not match an account or host name, and should not be found in any dictionary.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_DISABLED_GUESSPASS

Category: Policy Compliance

  • Windows 2000 (105342)

  • Windows 2003 (205342)

  • Windows 2008 (248342)

  • Windows Vista (228342)

  • Windows XP (200342)

Title: Guessed user password on disabled account

Description: Symantec ESM guessed the password of this disabled account. This can be a security problem if the account is re-activated. Assign a secure password to this account or remove it. A secure password should have six to eight characters with at least one non-alphabetic character. A secure password should not match an account or host name, and should not be found in any dictionary.

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]