UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The mobile operating system must encrypt passwords stored on the mobile device.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33000 SRG-OS-000073-MOS-000048 SV-43398r2_rule Medium
Description
Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. If an adversary obtains a password, the adversary can use it to compromise sensitive information. Encrypting passwords stored on the device mitigates the risk that the passwords will be compromised. Encryption methodologies such as secure hashing are suitable for DoD password encryption and are compliant with FIPS 140-2 security requirements. Super user access is typically required to access the password database. If a system administrator is able to obtain this level of privilege on the device, have the system administrator display the contents of the password database, often a simple file.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41297r1_chk )
Verify the mobile operating system configuration enforces the passwords contained in the database are encrypted. If the passwords stored on the device are not encrypted, this is a finding.
Fix Text (F-36912r1_fix)
Configure the mobile operating system to encrypt passwords stored on the mobile device.