Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6134 | APP6260 | SV-6134r1_rule | IAIA-1 | High |
Description |
---|
Default passwords can easily be compromised by attackers, allowing immediate access to the applications. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text (C-3052r1_chk) |
---|
Run a password-cracking tool, if available, on a copy of each account database (there may be more than one in the application infrastructure). |
1) If the password-cracking tool is able to crack the password of a privileged user, this is a CAT I finding. |
2) If the password-cracking tool is able to crack the password of a non-privileged user, this is a CAT II finding. |
Manually attempt to authenticate with the published default password for that account, if such a default password exists. |
3) If any privileged built-in account uses a default password – no matter how complex – this is a CAT I finding. |
4) If a non-privileged account has a default password, this is a CAT II finding. |
Fix Text (F-4426r1_fix) |
---|
Change default passwords. |