STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must not display passwords/PINs as clear text.

DISA Rule

SV-222554r508029_rule

Vulnerability Number

V-222554

Group Title

SRG-APP-000178

Rule Version

APSC-DV-001850

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the application to obfuscate passwords and PINs when they are being entered so they cannot be read.

Design the application so obfuscated passwords cannot be copied and then pasted as clear text.

Check Contents

Ask the application admin to log on to the application.

Observe the authentication process and verify any display feedback provided when the admin enters her/his password is obfuscated and not clear text.

For applications that display authentication feedback for a very limited time, ensure the time each character is displayed is only momentary, i.e., fractions of a second.

Using a text editor, copy the obfuscated password and paste to a text file. Do not save the file.

If the application displays clear text when the password/PIN is entered, or if the time period for displayed feedback exceeds fractions of a second, or if the clear text password/PIN is displayed when pasted, this is a finding.
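As an added illustration, not part of the STIG text or any DISA guidance, the following JavaScript models a custom-rendered password/PIN field (for example an on-screen PIN pad where the application draws its own feedback) that meets both the fix recommendation and the check above: the most recently typed character is shown in clear only for a fraction of a second, everything else is masked, and a copy from the field yields only the mask, never the secret. The class and function names, the element ids and the 250 ms reveal window are assumptions; the field model is plain JavaScript so it runs under Node, and the DOM wiring at the bottom runs only in a browser.

```javascript
// Added example (not DISA/STIG code): masked password/PIN entry per APSC-DV-001850.
// Names, element ids and the reveal window are illustrative assumptions.

const MASK_CHAR = '\u2022';   // bullet used for obfuscated feedback
const REVEAL_MS = 250;        // "fractions of a second": assumed reveal window for the last character

class MaskedField {
  constructor(revealMs = REVEAL_MS) {
    this.secret = '';
    this.revealMs = revealMs;
    this.lastKeyAt = -Infinity;   // timestamp of the last typed character
  }

  // Append a typed character. `now` is a millisecond timestamp injected for testability.
  type(ch, now) {
    this.secret += ch;
    this.lastKeyAt = now;
  }

  // Remove the last character; a deletion never reveals anything.
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.lastKeyAt = -Infinity;
  }

  // Feedback shown on screen: all mask characters, except the most recently
  // typed one, which is shown in clear only for revealMs after the keystroke.
  render(now) {
    const n = this.secret.length;
    if (n === 0) return '';
    const revealing = now - this.lastKeyAt < this.revealMs;
    return revealing
      ? MASK_CHAR.repeat(n - 1) + this.secret[n - 1]
      : MASK_CHAR.repeat(n);
  }

  // Value placed on the clipboard when the user copies from the field: the mask only,
  // so pasting into a text editor (the STIG check) can never produce clear text.
  clipboardPayload() {
    return MASK_CHAR.repeat(this.secret.length);
  }

  // The real value, handed only to the authenticator, never to the display or clipboard.
  value() {
    return this.secret;
  }
}

// Browser wiring (skipped under Node). A native <input type="password"> already masks
// its value and blocks copying it; this wiring is for fields the application renders itself.
if (typeof document !== 'undefined') {
  const field = new MaskedField();
  const display = document.getElementById('pin-display');   // assumed element ids
  const input = document.getElementById('pin-input');
  let timer = null;

  const redraw = () => { display.textContent = field.render(Date.now()); };

  input.addEventListener('keydown', (e) => {
    if (e.key === 'Backspace') field.backspace();
    else if (e.key.length === 1) field.type(e.key, Date.now());
    else return;
    e.preventDefault();
    redraw();
    clearTimeout(timer);
    timer = setTimeout(redraw, REVEAL_MS + 10);   // re-mask the last character once the window closes
  });

  // A copy from either element must never place clear text on the clipboard.
  for (const el of [display, input]) {
    el.addEventListener('copy', (e) => {
      e.preventDefault();
      e.clipboardData.setData('text/plain', field.clipboardPayload());
    });
  }
}
```

Injecting `now` into `type` and `render` keeps the reveal window deterministic, so a reviewer can verify the "fractions of a second" behaviour with a fixed clock rather than by eye; the same class can back a unit test that fails the build if a change ever lets `render` or `clipboardPayload` return the secret.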

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments