
The mobile operating system must encrypt passwords stored on the mobile device.


Overview

Finding ID: V-33000
Version: SRG-OS-000073-MOS-000048
Rule ID: SV-43398r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords while in storage so that unauthorized users or processes cannot gain access to them. If an adversary obtains a password, the adversary can use it to compromise sensitive information. Encrypting passwords stored on the device mitigates the risk that they will be compromised. For this requirement, one-way secure hashing (a salted, iterated hash from which the original password cannot be recovered) is an acceptable form of DoD password encryption, provided the hash is produced with FIPS-approved algorithms in a way that is compliant with FIPS 140-2 security requirements; it is preferred over reversible encryption, because anyone who obtains the decryption key also obtains the passwords. Super user (root) access is typically required to read the password database, which is often a simple file. If a system administrator is able to obtain this level of privilege on the device, have the system administrator display the contents of the password database and confirm that no password appears in plaintext.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text ( C-41297r1_chk )
Verify that the mobile operating system configuration enforces that the passwords contained in the password database are stored in encrypted (or securely hashed) form, not in plaintext. If the passwords stored on the device are not encrypted, this is a finding.
Fix Text (F-36912r1_fix)
Configure the mobile operating system to encrypt passwords stored on the mobile device.
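The following is an added illustration of what the description and check text above ask for; it is not part of the SRG and is not any vendor's implementation. It stores passwords as salted, iterated PBKDF2-HMAC-SHA256 verifiers (FIPS-approved primitives), verifies a login against the stored verifier in constant time, and audits a dump of a password database, flagging any entry that is not in the accepted verifier form (plaintext, or an unrecognized scheme such as a bare unsalted MD5 digest) as a finding. The iteration count, salt length, verifier format, and the sample database are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# PBKDF2 with HMAC-SHA256 uses FIPS-approved primitives (SHA-256, HMAC; SP 800-132 KDF).
# The iteration count, salt length and verifier layout are assumptions chosen for illustration.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: scheme$iterations$salt_hex$derived_key_hex.

    Only the verifier is stored; the password itself never reaches the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # plaintext or unknown scheme can never verify
    _, iterations, salt_hex, dk_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)
    return hmac.compare_digest(dk, expected)


# The only on-disk form the check accepts; anything else is treated as "not encrypted".
VERIFIER_RE = re.compile(rf"^{SCHEME}\$\d+\$[0-9a-f]{{{2 * SALT_BYTES}}}\$[0-9a-f]{{64}}$")


def audit_password_db(text: str) -> dict[str, list[str]]:
    """Classify each 'user:value' line of a password database dump.

    Returns the users whose entries are an accepted verifier ("compliant") and those whose
    entries are plaintext or an unrecognized scheme ("finding").
    """
    result: dict[str, list[str]] = {"compliant": [], "finding": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition(":")
        bucket = "compliant" if VERIFIER_RE.match(value) else "finding"
        result[bucket].append(user)
    return result


# Constructed sample database (not captured from any device). The fixed salt is used only so
# the sample is reproducible; real entries get a random salt from hash_password's default.
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_DB = "\n".join([
    "# constructed sample",
    "admin:" + hash_password("Corr3ct-Horse!", salt=FIXED_SALT),
    "svc_backup:P@ssw0rd",                      # stored in plaintext: finding
    "legacy:5f4dcc3b5aa765d61d8327deb882cf99",  # bare unsalted MD5 of 'password': not accepted, finding
])

if __name__ == "__main__":
    print(audit_password_db(SAMPLE_DB))
    admin_verifier = SAMPLE_DB.splitlines()[1].split(":", 1)[1]
    print(verify_password("Corr3ct-Horse!", admin_verifier))
```

When performing the check, run the audit over a dump of the device's password store obtained with super user access; any user listed under "finding" is stored without acceptable protection and the rule fails.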