SV-222542r508029_rule
V-222542
SRG-APP-000171
APSC-DV-001740
CAT I
Use strong cryptographic hash functions when creating password hash values.
Utilize random salt values when creating the password hash.
Ensure strong access control permissions on data files containing authentication data.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.
If the application does not use passwords, the requirement is not applicable.
Have the application administrator identify the application's password storage locations. Potential locations include the local file system where the application is stored or in an application-related database table that should not be accessible to application users.
Review application files and folders using a text editor or by using a database tool that allows you to view data stored in database tables. Look for indications of stored user information and review that information. Determine if password strings are readable/discernible.
Determine if the application uses the MD5 hashing algorithm to create password hashes.
If the passwords are readable or there is no indication the application utilizes cryptographic hashing to protect passwords, or if the MD5 hash algorithm is used to create password hashes, this is a finding.
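As an added illustration of the fix and check text above (not part of the STIG), the following Python stores passwords as salted PBKDF2-HMAC-SHA256 and triages stored password fields into the categories the check describes. The `pbkdf2_sha256$iterations$salt$hash` storage format, the iteration count and the triage labels are constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed storage format (an assumption, not from the STIG):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
ITERATIONS = 600_000
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash: a fresh 16-byte random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking the stored digest through timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify_stored_value(value: str) -> str:
    """Rough triage of one stored password field, mirroring the check text."""
    if value.startswith("pbkdf2_sha256$"):
        return "salted-pbkdf2"
    if MD5_HEX.match(value):
        # 32 hex characters with no salt field is what an MD5 digest looks like
        return "finding: looks like an unsalted MD5 hex digest"
    return "finding: readable or unrecognized format"
```

Two calls to `hash_password` with the same password yield different stored values because each gets its own random salt, which is exactly what the "random salt values" fix text asks for.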