Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16796 | APP3330 | SV-17796r1_rule | ECCT-1 | High |
Description |
---|
Passwords transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzers can be used to immediately access the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17792r1_chk ) |
---|
Ask the application representative to demonstrate that passwords are encrypted before they are transmitted. 1) If the application does not use passwords for identification and authentication, this check is not applicable. 2) If the application does not encrypt passwords before transmitting them, it is a finding. |
Fix Text (F-17023r1_fix) |
---|
Modify the application to encrypt all transmitted passwords. |