Check: DSN13.10
Defense Switched Network (DSN) STIG: DSN13.10 (in versions v2 r8 through v2 r7)
Title
User passwords can be retrieved and viewed in clear text by another user. (Cat II impact)
Discussion
Requirement: The IAO will ensure that users’ passwords are not displayed in the clear when logging into the system. Password integrity is nonexistent if passwords are stored or displayed in clear text. Many attacks on DOD computer systems are launched internally by unsatisfied or disgruntled employees. It is imperative that all DSN systems be configured to store passwords in encrypted format. This will protect password integrity from other system users who have privileged system access.
Check Content
>TABLE OFCOPT; PASSWORD_ENCRYPTED =Y
Fix Text
Ensure that the DSN component is provisioned to store all passwords in an encrypted format.
Additional Identifiers
Rule ID: SV-8452r1_rule
Vulnerability ID: V-7966
Group Title: Passwords can be retrieved / viewed in clear text
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |