Passwords are displayed in clear text when logging onto a VTU.


Overview

Finding ID: V-17688
Version: RTS-VTC 2022.00
Rule ID: SV-18862r2_rule
IA Controls: DCBP-1, ECSC-1, IAIA-1, IAIA-2
Severity: Medium
Description
As information is entered on a keyboard, the keyboard sends each keystroke to the processing unit, which typically echoes the character represented by the keystroke to the display device as feedback to the system's user. Such echoing is done in what is called "clear text", in that you can read what was entered. This process is appropriate for normal typing, but must be changed when entering passwords.

When passwords are displayed (echoed) during logon, the risk of password compromise is increased and password confidentiality is greatly reduced. If the password is displayed during logon, it can easily be compromised through the simple technique of shoulder surfing, i.e., a third party witnessing the logon could view the echoed password and remember it or write it down. The same disclosure could occur through surveillance methods. This presents a major vulnerability to the security and confidentiality of the password.

To mitigate this, when a password is entered, the characters echoed to the display must be something other than the clear-text characters. Typically an asterisk or other punctuation character is used in place of each actual character in an echoed password. The prevention of shoulder surfing supports DoDI 8500.2 IA control IAIA-1's requirement to protect passwords from disclosure.
STIG: Video Teleconference STIG
Date: 2014-02-11

Details

Check Text ( C-18958r5_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure users’ or administrators’ passwords are not displayed in the clear (i.e., echo a single alternate symbol instead of the actual characters used as they are entered) when logging onto a VTU locally or remotely.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

Have the IAO or SA demonstrate logging onto the VTU via local and remote access methods. Look for passwords that are displayed in the clear.
Fix Text (F-17585r1_fix)
[IP][ISDN]; Perform the following tasks:
Implement VTUs that do not display passwords in the clear when logging in via any interface. If existing devices do not support this behavior, upgrade them as soon as possible.
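The description above explains the echo behavior this requirement changes: the terminal layer normally echoes each keystroke in clear text, so a compliant logon prompt must suppress that echo and show a single alternate symbol per character. The following is an added example, not part of the STIG or any VTU vendor's code, showing how such a prompt is implemented on a POSIX console: the tty's own echo is disabled with termios, and a pure keystroke handler decides what the display shows (an asterisk, or an erase sequence on backspace). It assumes a VT100-style terminal and accepts printable ASCII only.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Pure keystroke handler: stores ch in pw (capacity cap, NUL-terminated) and
   writes the masked echo for the display into echo_out. Returns 1 when Enter
   completes the entry, 0 otherwise. Clear-text characters never reach the
   display; only the mask symbol or an erase sequence does. */
static int handle_keystroke(char *pw, size_t *len, size_t cap, int ch,
                            char *echo_out) {
    echo_out[0] = '\0';
    if (ch == '\n' || ch == '\r') {            /* Enter: entry complete */
        pw[*len] = '\0';
        strcpy(echo_out, "\n");
        return 1;
    }
    if (ch == 0x7f || ch == '\b') {            /* backspace: drop last char */
        if (*len > 0) {
            pw[--(*len)] = '\0';
            strcpy(echo_out, "\b \b");         /* erase one mask symbol */
        }
        return 0;
    }
    if (*len < cap - 1 && ch >= 0x20 && ch < 0x7f) {   /* printable ASCII (assumption) */
        pw[(*len)++] = (char)ch;
        strcpy(echo_out, "*");                 /* single alternate symbol */
    }
    return 0;
}

/* Interactive prompt: turns off kernel echo and line buffering so the tty
   layer cannot echo the clear text itself, then masks each keystroke.
   Returns the password length, or -1 if stdin is not a terminal. */
int read_password_masked(const char *prompt, char *pw, size_t cap) {
    struct termios orig, raw;
    char echo[4];
    size_t len = 0;
    int ch, done = 0;
    if (!isatty(STDIN_FILENO) || tcgetattr(STDIN_FILENO, &orig) != 0) return -1;
    raw = orig;
    raw.c_lflag &= ~(ECHO | ICANON);
    if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &raw) != 0) return -1;
    fputs(prompt, stdout); fflush(stdout);
    while (!done && (ch = getchar()) != EOF) {
        done = handle_keystroke(pw, &len, cap, ch, echo);
        fputs(echo, stdout); fflush(stdout);
    }
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &orig); /* always restore echo */
    return (int)len;
}

int main(void) {
    char pw[64];
    if (read_password_masked("Password: ", pw, sizeof pw) < 0) return 1;
    printf("captured %zu characters (not shown)\n", strlen(pw));
    return 0;
}
```

Running it on a console shows one asterisk per keystroke and removes one on backspace; a shoulder surfer sees only the length, which is the behavior the check text asks the IAO or SA to demonstrate.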