Navigate

Check: SRG-OS-000073-GPOS-00041

General Purpose Operating System SRG: SRG-OS-000073-GPOS-00041 (in versions v3 r2 through v1 r6)

Title

The operating system must store only encrypted representations of passwords. (Cat I impact)

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Check Content

Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding.

Fix Text

Configure the operating system to store only encrypted representations of passwords.

Additional Identifiers

Rule ID: SV-203629r982199_rule

Vulnerability ID: V-203629

Group Title: SRG-OS-000073

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000196	The information system, for password-based authentication, stores only cryptographically-protected passwords.
CCI-004062	For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5(1)	Password-based Authentication