
The designer will ensure the application stores account passwords in an approved encrypted format.


Overview

Finding ID: V-16797
Version: APP3340
Rule ID: SV-17797r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: High
Description
Passwords stored without encryption, or with weak or unapproved encryption, can easily be read and decrypted. These passwords can then be used for immediate access to the application.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-17793r1_chk)
With respect to identification and authentication information, only administrators and the application or OS process that accesses the information should have any permissions to these files. In many cases, local backups of the accounts database exist, so these must be included in the scope of the review.

Authentication credentials such as passwords are required to be encrypted. Check the configuration of the application software to determine if encryption settings have been activated for the relevant data.

1) If these encryption settings have not been turned on, this is a CAT II finding.

If the data encryption functionality is not configurable and the identification and authentication information is stored in ASCII or another readable format, examine the actual data to determine whether it is in clear text.

2) If the authentication data is readable, this is a CAT I finding.

Record findings regardless of whether or not the vulnerability has been captured in another SRR. For example, any weakness in the OS authentication scheme that the application leverages applies both to the OS and to the application.
Fix Text (F-17024r1_fix)
Store passwords in an approved encrypted format.
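The following script is an example added to this page to illustrate both the check above (examining stored authentication data for readable passwords) and the fix (storing passwords in an approved format); it is not part of the STIG or of any DISA tool. It assumes a simple `user:value` credential file, which the STIG does not prescribe, and it treats salted PBKDF2-HMAC-SHA-256 as the organization's approved storage format; substitute whatever format your policy actually approves. Mapping a readable password to a CAT I finding follows check item 2; mapping an unapproved, unsalted digest to CAT II is the example's own assumption. The sample credential file is constructed inline.

```python
"""Audit a credential store for APP3340 and show an approved storage format.
Example code added to this page; not part of the STIG or any DISA tool."""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Assumption: the approved format is salted PBKDF2-HMAC-SHA-256 (a FIPS 140
# approved primitive). Replace with the format your organization approves.
ITERATIONS = 600_000
APPROVED_RE = re.compile(r"^\$pbkdf2-sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
# Bare 32/40/64-char hex: an unsalted MD5/SHA-1/SHA-256 digest, not approved.
UNSALTED_HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the stored form: $pbkdf2-sha256$<iterations>$<salt hex>$<key hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    m = APPROVED_RE.match(stored)
    if not m:
        return False
    iterations, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), expected)


def classify_value(value: str) -> str:
    """Classify one stored credential value as the check would."""
    if APPROVED_RE.match(value):
        return "approved"
    if UNSALTED_HEX_RE.match(value):
        return "unapproved-hash"
    return "cleartext"


def audit_store(text: str) -> Dict[str, str]:
    """Parse 'user:value' lines (assumed file layout) and classify each entry."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, value = line.partition(":")
        results[user] = classify_value(value)
    return results


def finding_category(results: Dict[str, str]) -> str:
    """Readable password -> CAT I (check item 2); unapproved digest -> CAT II
    (example's assumption); all entries approved -> compliant."""
    kinds = set(results.values())
    if "cleartext" in kinds:
        return "CAT I"
    if "unapproved-hash" in kinds:
        return "CAT II"
    return "compliant"


def build_sample_store() -> str:
    """Constructed sample file: one approved entry, one unsalted MD5 digest
    (of the string 'password'), and one cleartext password."""
    return "\n".join([
        "# constructed sample, user:stored-value",
        "alice:" + hash_password("correct horse battery staple"),
        "bob:5f4dcc3b5aa765d89a4d4c09f1cc8f12",
        "carol:Summer2014!",
    ])


if __name__ == "__main__":
    store = build_sample_store()
    results = audit_store(store)
    for user, kind in results.items():
        print(f"{user:8} {kind}")
    print("finding:", finding_category(results))
```

Run against the constructed sample, the audit reports alice as approved, bob as an unapproved hash, carol as cleartext, and the overall finding as CAT I. When reviewing a real system, feed it the live credential store and every local backup of it, as the check text requires, and extend `classify_value` with the patterns of the formats your policy approves.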