UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application stores account passwords in an approved encrypted format.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16797 APP3340 SV-17797r1_rule IAIA-1 IAIA-2 High
Description
Passwords stored without encryption or with weak, unapproved, encryption can easily be read and unencrypted. These passwords can then be used for immediate access to the application.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-17793r1_chk )
With respect to identification and authentication information, only administrators and the application or OS process that access the information should have any permissions to these files. In many cases, local backups of the accounts database exist so these must be included in the scope of the review.

Authentication credentials such as passwords are required to be encrypted. Check the configuration of the application software to determine if encryption settings have been activated for the relevant data.

1) If these encryption settings have not been turned on, this is a CAT II finding.

If the data encryption functionality is not configurable and the identification and authentication information is stored in ASCII or another readable format, examine the actual data to determine if they are in clear text.

2) If the authentication data is readable, this is a CAT I finding.

Record findings, regardless of whether or not the vulnerability has been captured in another SRR. For example, any weakness in OS authentication scheme that the application leverages applies both to the OS and the application.
Fix Text (F-17024r1_fix)
Store passwords in an approved encrypted format.