STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← IA-5 (1) — Authenticator Management

CCI-000196

Definition

The information system, for password-based authentication, stores only cryptographically-protected passwords.

Parent Control

IA-5 (1)Authenticator ManagementIdentification and Authentication

Linked STIG Checks (92)

V-279057CAT IIColdFusion must store only encrypted representations of passwords.Adobe ColdFusion Security Technical Implementation Guide V-222542CAT IThe application must only store cryptographic representations of passwords.Application Security and Development Security Technical Implementation Guide V-237321CAT IThe ArcGIS Server must use Windows authentication for supporting account management functions.ArcGIS for Server 10.3 Security Technical Implementation Guide V-256842CAT IICompliance Guardian must provide automated mechanisms for supporting account management functions.AvePoint Compliance Guardian Security Technical Implementation Guide V-219176CAT IIThe Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238234CAT IIIThe Ubuntu operating system must prohibit password reuse for a minimum of five generations.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260569CAT IIUbuntu 22.04 LTS must store only encrypted representations of passwords.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-220595CAT IThe Cisco switch must only store cryptographic representations of passwords.Cisco IOS Switch NDM Security Technical Implementation Guide V-215832CAT IThe Cisco router must only store cryptographic representations of passwords.Cisco IOS XE Router NDM Security Technical Implementation Guide V-261891CAT IIf passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.Crunchy Data Postgres 16 Security Technical Implementation Guide V-224167CAT IIf passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213597CAT IIf passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-217404CAT IIThe BIG-IP appliance must only store encrypted representations of passwords.F5 BIG-IP Device Management Security Technical Implementation Guide V-215174CAT IIf AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.IBM AIX 7.x Security Technical Implementation Guide V-215403CAT IThe AIX system must have no .netrc files on the system.IBM AIX 7.x Security Technical Implementation Guide V-250336CAT IThe WebSphere Liberty Server must store only encrypted representations of user passwords.IBM WebSphere Liberty Server Security Technical Implementation Guide V-237911CAT ICA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-213530CAT IIThe JBoss Password Vault must be used for storing passwords or other sensitive configuration information.JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide V-213531CAT IIJBoss KeyStore and Truststore passwords must not be stored in clear text.JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide V-253910CAT IThe Juniper EX switch must be configured to only store cryptographic representations of passwords.Juniper EX Series Switches Network Device Management Security Technical Implementation Guide V-242415CAT ISecrets in Kubernetes must not be stored as environment variables.Kubernetes Security Technical Implementation Guide V-253697CAT IIf passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.MariaDB Enterprise 10.x Security Technical Implementation Guide V-220747CAT IReversible password encryption must be disabled.Microsoft Windows 10 Security Technical Implementation Guide V-220937CAT IThe system must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows 10 Security Technical Implementation Guide V-253305CAT IReversible password encryption must be disabled.Microsoft Windows 11 Security Technical Implementation Guide V-253461CAT IThe system must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows 11 Security Technical Implementation Guide V-224874CAT IWindows Server 2016 reversible password encryption must be disabled.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225053CAT IWindows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205653CAT IWindows Server 2019 reversible password encryption must be disabled.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205654CAT IWindows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254293CAT IWindows Server 2022 reversible password encryption must be disabled.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254474CAT IWindows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows Server 2022 Security Technical Implementation Guide V-221170CAT IIf passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-252159CAT IIf passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide V-265917CAT IIf passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-254217CAT INutanix AOS must store only encrypted representations of passwords.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-220290CAT IThe DBMS must support organizational requirements to enforce password encryption for storage.Oracle Database 12c Security Technical Implementation Guide V-270564CAT IOracle Database must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.Oracle Database 19c Security Technical Implementation Guide V-221677CAT IIThe Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-221678CAT IIThe Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-221680CAT IIThe Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-255902CAT IIThe Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.Oracle Linux 7 Security Technical Implementation Guide V-248533CAT IIOL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.Oracle Linux 8 Security Technical Implementation Guide V-248534CAT IIOL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.Oracle Linux 8 Security Technical Implementation Guide V-248535CAT IIThe OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.Oracle Linux 8 Security Technical Implementation Guide V-235138CAT IIIf passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.Oracle MySQL 8.0 Security Technical Implementation Guide V-214130CAT IIf passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.PostgreSQL 9.x Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-254567CAT IIRancher RKE2 must store only cryptographic representations of passwords.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-204415CAT IIThe Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204416CAT IIThe Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204417CAT IIThe Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-255928CAT IIThe Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230231CAT IIRHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230232CAT IIRHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230233CAT IIThe RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-258099CAT IIRHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258100CAT IIRHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258116CAT IIRHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258117CAT IIRHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258231CAT IIRHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258233CAT IIRHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257543CAT IOpenShift must use FIPS validated LDAP or OpenIDConnect.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-251223CAT IIIf passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.Redis Enterprise 6.x Security Technical Implementation Guide V-261385CAT IISLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-261391CAT ISLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-261392CAT ISLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217123CAT IIThe SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217124CAT IIThe SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217126CAT IIThe SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-22304CAT IIThe password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-24384CAT IIIf the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-913CAT IIThere must be no .netrc files on the system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-216333CAT IISystems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.Solaris 11 SPARC Security Technical Implementation Guide V-216098CAT IISystems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.Solaris 11 X86 Security Technical Implementation Guide V-253064CAT IITOSS must store only encrypted representations of passwords.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-240298CAT IIThe vRA PostgreSQL database must use md5 for authentication.VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide V-239796CAT IIIf passwords are used for authentication, the vROps PostgreSQL DB must store only hashed, salted representations of passwords.VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide V-240398CAT IThe SLES for vRealize must store only encrypted representations of passwords.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-240399CAT IThe SLES for vRealize must store only encrypted representations of passwords.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239496CAT IThe SLES for vRealize must store only encrypted representations of passwords.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256502CAT IIThe Photon operating system must store only encrypted representations of passwords.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256585CAT IIThe Photon operating system must store only encrypted representations of passwords.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256600CAT IIThe vPostgres database must use "md5" for authentication.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-258818CAT IThe operating system must store only encrypted representations of passwords.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-259176CAT IThe vCenter PostgreSQL service must encrypt passwords for user authentication.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-73325CAT IWindows Server 2016 reversible password encryption must be disabled.Windows Server 2016 Security Technical Implementation Guide V-73325CAT IWindows Server 2016 reversible password encryption must be disabled.Windows Server 2016 Security Technical Implementation Guide V-73687CAT IWindows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.Windows Server 2016 Security Technical Implementation Guide V-73687CAT IWindows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.Windows Server 2016 Security Technical Implementation Guide V-93465CAT IWindows Server 2019 reversible password encryption must be disabled.Windows Server 2019 Security Technical Implementation Guide V-93467CAT IWindows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.Windows Server 2019 Security Technical Implementation Guide