
The application server must encrypt stored passwords.


Overview

Finding ID: V-35317
Version: SRG-APP-000171-AS-000119
Rule ID: SV-46604r1_rule
IA Controls: (none listed)
Severity: High
Description
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting them. If passwords are not encrypted, they can be read in the clear and easily compromised. Application servers (AS) provide either a local user store or integrate with enterprise user stores such as LDAP. When the AS is responsible for creating or storing passwords, the AS must enforce the use of encryption when those passwords are stored.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43687r1_chk)
Review AS documentation and configuration to determine if the AS enforces the requirement to encrypt passwords when they are stored. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-39863r1_fix)
Configure the AS to encrypt passwords for storage.
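The description and fix text above require that a locally managed user store never hold passwords in the clear. As an added example that is not part of the STIG or of any application server's own code, the Python below implements the way this control is usually met in practice for a local user store: a salted, iterated one-way hash (PBKDF2-HMAC-SHA256) rather than reversible encryption, so a copied store does not yield the original passwords, together with an audit routine a reviewer can run over a store file to flag entries that are still stored in the clear. The record format, the function names, and the sample store lines are assumptions constructed for this example.

```python
"""Protected password storage for a local application-server user store.

Added illustration, not taken from the STIG or from any vendor's product.
Each password is kept as a salted, iterated one-way hash (PBKDF2-HMAC-SHA256)
so that a leaked user store does not expose the original passwords, and an
audit routine reports entries that were written in the clear. The record
layout 'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>' is an assumption
of this example, not a standard.
"""
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record; the password itself is never written."""
    salt = secrets.token_bytes(16)            # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                          # malformed or unprotected record
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_protected(record: str) -> bool:
    """True only when the record is a well-formed protected entry."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    iterations, salt_hex, hash_hex = parts[1:]
    try:
        int(iterations)
        bytes.fromhex(salt_hex)
        bytes.fromhex(hash_hex)
    except ValueError:
        return False
    return True


def audit_user_store(lines):
    """Return the usernames whose stored credential is not in protected form.

    Input lines are 'username:record'; blank lines and '#' comments are skipped.
    Any non-empty result is a finding under this STIG rule.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, record = line.partition(":")
        if not is_protected(record):
            findings.append(user)
    return findings


# Constructed sample user store: one compliant entry, one plaintext entry.
# A low iteration count is used here only to keep the sample quick to build.
SAMPLE_STORE = [
    "# local users",
    "alice:" + hash_password("correct horse battery staple", iterations=1000),
    "bob:Summer2013!",
]

if __name__ == "__main__":
    print("unprotected entries:", audit_user_store(SAMPLE_STORE))
```

The audit deliberately treats anything that is not a well-formed protected record as a finding, so an entry produced by some other scheme would also be reported; extend `is_protected` with each scheme the AS is documented to use before running it against a real store.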