The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16848 | APP6220 | SV-17848r1_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17861r1_chk ) |
|---|
| Ask the application representative to examine the organization's password policy. 1) If non-human/service accounts are used and are not included in the password policy, it is a finding. 2) If non-human/service accounts policy does not require these accounts to change yearly or when someone with access to the password leaves the duty assignment, it is a finding. The configuration interface may not reveal information related to all the required elements. If this is the case, attempt to violate each element to determine if the policy is enforced. For example, attempt to change a password to one that does not meet the requirements. 3) If there are any shortcomings in the password policy or the configured behavior of any user account, it is a finding. The finding details should note which user accounts are impacted, which of the password parameters are deficient, the current values of these parameters, and the relevant required values. Also, ask the application representative to generate two user account passwords. 4) If there is a recognizable pattern in password generation, it is a finding. |
| Fix Text (F-17170r1_fix) |
|---|
| Generate passwords to comply with the organization's password policy. |