Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35317 | SRG-APP-000171-AS-000119 | SV-46604r1_rule | | High |
Description |
---|
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting them. If passwords are not encrypted, they can be plainly read and easily compromised. Application servers either provide a local user store or integrate with enterprise user stores such as LDAP. When the application server (AS) is responsible for creating or storing passwords, it must enforce the use of encryption when those passwords are stored. |
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text (C-43687r1_chk) |
---|
Review AS documentation and configuration to determine if the AS enforces the requirement to encrypt passwords when they are stored. If the AS is not configured to meet this requirement, this is a finding. |
Fix Text (F-39863r1_fix) |
---|
Configure the AS to encrypt passwords for storage. |