UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22304 GEN000595 SV-25951r1_rule DCNR-1 IAIA-1 IAIA-2 Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG Date
VMware ESX 3 Server 2016-05-13

Details

Check Text ( C-29095r1_chk )
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Generally, a hash prefix of $5$ or $6$ indicates approved hashes. Consult OS documentation to determine the actual prefixes or other methods used by the OS to indicate approved hash algorithms.

Procedure:
# cut -d ':' -f2 /etc/passwd
# cut -d ':' -f2 /etc/shadow

If any password hashes are present not beginning with $5$ or $6$, or have other indications of the use of approved hash algorithms consistent with vendor documentation, this is a finding.
Fix Text (F-26094r1_fix)
Replace password hashes with those created using a FIPS 140-2 approved cryptographic hashing algorithm.