UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16848 APP6220 SV-17848r1_rule IAIA-1 IAIA-2 High
Description
Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-17861r1_chk )
Ask the application representative to examine the organization's password policy.

1) If non-human/service accounts are used and are not included in the password policy, it is a finding.

2) If non-human/service accounts policy does not require these accounts to change yearly or when someone with access to the password leaves the duty assignment, it is a finding.

The configuration interface may not reveal information related to all the required elements. If this is the case, attempt to violate each element to determine if the policy is enforced. For example, attempt to change a password to one that does not meet the requirements.

3) If there are any shortcomings in the password policy or the configured behavior of any user account, it is a finding.

The finding details should note which user accounts are impacted, which of the password parameters are deficient, the current values of these parameters, and the relevant required values.

Also, ask the application representative to generate two user account passwords.

4) If there is a recognizable pattern in password generation, it is a finding.
Fix Text (F-17170r1_fix)
Generate passwords to comply with the organization's password policy.