STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← IA-5 (1) — Authenticator Management

CCI-004062

Definition

For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Parent Control

IA-5 (1)Authenticator ManagementIdentification and Authentication

Linked STIG Checks (112)

V-204671CAT IFor password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.AAA Services Security Requirements Guide V-274058CAT IAmazon Linux 2023 crypto policy must not be overridden.Amazon Linux 2023 Security Technical Implementation Guide V-274162CAT IIAmazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.Amazon Linux 2023 Security Technical Implementation Guide V-274163CAT IIAmazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.Amazon Linux 2023 Security Technical Implementation Guide V-268130CAT INixOS must store only encrypted representations of passwords.Anduril NixOS Security Technical Implementation Guide V-222542CAT IThe application must only store cryptographic representations of passwords.Application Security and Development Security Technical Implementation Guide V-204751CAT IIThe application server must for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.Application Server Security Requirements Guide V-272627CAT IIICylanceON-PREM must be configured to use a third-party identity provider.Arctic Wolf CylanceON-PREM Security Technical Implementation Guide V-276012CAT IAx-OS must have no local accounts for the user interface.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-238234CAT IIIThe Ubuntu operating system must prohibit password reuse for a minimum of five generations.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260569CAT IIUbuntu 22.04 LTS must store only encrypted representations of passwords.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270725CAT IIUbuntu 24.04 LTS must store only encrypted representations of passwords.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-206474CAT IFor accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.Central Log Server Security Requirements Guide V-215687CAT IThe Cisco router must only store cryptographic representations of passwords.Cisco IOS Router NDM Security Technical Implementation Guide V-220595CAT IThe Cisco switch must only store cryptographic representations of passwords.Cisco IOS Switch NDM Security Technical Implementation Guide V-215832CAT IThe Cisco router must only store cryptographic representations of passwords.Cisco IOS XE Router NDM Security Technical Implementation Guide V-220543CAT IThe Cisco switch must only store cryptographic representations of passwords.Cisco IOS XE Switch NDM Security Technical Implementation Guide V-269398CAT IAlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269399CAT IAlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269400CAT IAlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269401CAT IAlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269402CAT IAlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233095CAT IIFor container platform using password authentication, the application must store only cryptographic representations of passwords.Container Platform Security Requirements Guide V-233596CAT IIf passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.Crunchy Data PostgreSQL Security Technical Implementation Guide V-206556CAT IThe DBMS must for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.Database Security Requirements Guide V-263636CAT IIThe DNS server implementation must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.Domain Name System (DNS) Security Requirements Guide V-259985CAT IIFor accounts using password or PINs for authentication, the Enterprise Voice, Video, and Messaging Endpoint must store only cryptographic representations of passwords.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-260045CAT IIWhen using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must store only cryptographic representations of passwords.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-259247CAT IIf passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-203629CAT IThe operating system must store only encrypted representations of passwords.General Purpose Operating System Security Requirements Guide V-215174CAT IIf AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.IBM AIX 7.x Security Technical Implementation Guide V-215403CAT IThe AIX system must have no .netrc files on the system.IBM AIX 7.x Security Technical Implementation Guide V-250336CAT IThe WebSphere Liberty Server must store only encrypted representations of user passwords.IBM WebSphere Liberty Server Security Technical Implementation Guide V-223505CAT IACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.IBM z/OS ACF2 Security Technical Implementation Guide V-223729CAT INIST FIPS-validated cryptography must be used to protect passwords in the security database.IBM z/OS RACF Security Technical Implementation Guide V-257135CAT IIIBM Passtickets must be configured to be KeyEncrypted.IBM z/OS RACF Security Technical Implementation Guide V-223887CAT IIBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.IBM z/OS TSS Security Technical Implementation Guide V-224780CAT IIThe Apache Tomcat Manager Web app password must be cryptographically hashed with a DOD-approved algorithm.ISEC7 Sphere Security Technical Implementation Guide V-241800CAT IIA unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.Jamf Pro v10.x EMM Security Technical Implementation Guide V-253910CAT IThe Juniper EX switch must be configured to only store cryptographic representations of passwords.Juniper EX Series Switches Network Device Management Security Technical Implementation Guide V-242415CAT ISecrets in Kubernetes must not be stored as environment variables.Kubernetes Security Technical Implementation Guide V-274883CAT ISensitive information must be stored using Kubernetes Secrets or an external Secret store provider.Kubernetes Security Technical Implementation Guide V-205501CAT IIThe Mainframe Product must store only cryptographically protected passwords.Mainframe Product Security Requirements Guide V-253697CAT IIf passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.MariaDB Enterprise 10.x Security Technical Implementation Guide V-253305CAT IReversible password encryption must be disabled.Microsoft Windows 11 Security Technical Implementation Guide V-253461CAT IThe system must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows 11 Security Technical Implementation Guide V-205653CAT IWindows Server 2019 reversible password encryption must be disabled.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205654CAT IWindows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254293CAT IWindows Server 2022 reversible password encryption must be disabled.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254474CAT IWindows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278040CAT IWindows Server 2025 reversible password encryption must be disabled.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260911CAT IISwarm Secrets or Kubernetes Secrets must be used.Mirantis Kubernetes Engine Security Technical Implementation Guide V-279349CAT IMongoDB must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-202064CAT IThe network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.Network Device Management Security Requirements Guide V-279604CAT INutanix OS must store only encrypted representations of passwords.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279686CAT INutanix AHV must store only encrypted representations of passwords.Nutanix Acropolis GPOS Security Technical Implementation Guide V-219774CAT IIThe DBMS must support organizational requirements to enforce password encryption for storage.Oracle Database 11.2g Security Technical Implementation Guide V-221677CAT IIThe Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-221678CAT IIThe Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-221680CAT IIThe Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Oracle Linux 7 Security Technical Implementation Guide V-255902CAT IIThe Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.Oracle Linux 7 Security Technical Implementation Guide V-248533CAT IIOL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.Oracle Linux 8 Security Technical Implementation Guide V-248534CAT IIOL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.Oracle Linux 8 Security Technical Implementation Guide V-248535CAT IIThe OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.Oracle Linux 8 Security Technical Implementation Guide V-271622CAT IIOL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Oracle Linux 9 Security Technical Implementation Guide V-271623CAT IIOL 9 must be configured to use the shadow file to store only encrypted representations of passwords.Oracle Linux 9 Security Technical Implementation Guide V-271624CAT IIOL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.Oracle Linux 9 Security Technical Implementation Guide V-271625CAT IIOL 9 password-auth must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation Guide V-271626CAT IIOL 9 system-auth must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation Guide V-271627CAT IIOL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation Guide V-271628CAT IIOL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.Oracle Linux 9 Security Technical Implementation Guide V-235138CAT IIIf passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.Oracle MySQL 8.0 Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-254567CAT IIRancher RKE2 must store only cryptographic representations of passwords.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-281217CAT IIRHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281218CAT IIRHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281219CAT IIRHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281220CAT IIRHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281221CAT IRHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281222CAT IRHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281223CAT IRHEL 10 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-230231CAT IIRHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230232CAT IIRHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230233CAT IIThe RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-258099CAT IIRHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258100CAT IIRHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258116CAT IIRHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258117CAT IIRHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258231CAT IIRHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258233CAT IIRHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257543CAT IOpenShift must use FIPS validated LDAP or OpenIDConnect.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-251223CAT IIIf passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.Redis Enterprise 6.x Security Technical Implementation Guide V-275657CAT IUbuntu OS must store only encrypted representations of passwords.Riverbed NetIM OS Security Technical Implementation Guide V-256090CAT IThe Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.Riverbed NetProfiler Security Technical Implementation Guide V-217123CAT IIThe SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217124CAT IIThe SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217126CAT IIThe SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-216333CAT IISystems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.Solaris 11 SPARC Security Technical Implementation Guide V-216098CAT IISystems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.Solaris 11 X86 Security Technical Implementation Guide V-253064CAT IITOSS must store only encrypted representations of passwords.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282455CAT IITOSS 5 password-auth must be configured to use a sufficient number of hashing rounds.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282456CAT IITOSS 5 system-auth must be configured to use a sufficient number of hashing rounds.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282457CAT IITOSS 5 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282458CAT IITOSS 5 must be configured to use the shadow file to store only encrypted representations of passwords.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282459CAT IITOSS 5 shadow password suite must be configured to use a sufficient number of hashing rounds.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282460CAT IITOSS 5 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282461CAT IIThe TOSS 5 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-234374CAT IIFor UEM server using password authentication, the application must store only cryptographic representations of passwords.Unified Endpoint Management Server Security Requirements Guide V-207376CAT IIThe VMM must store only encrypted representations of passwords.Virtual Machine Manager Security Requirements Guide V-207256CAT IIFor site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).Virtual Private Network (VPN) Security Requirements Guide V-264349CAT IIThe web server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.Web Server Security Requirements Guide V-269574CAT IXylok Security Suite must use a centralized user management solution.Xylok Security Suite 20.x Security Technical Implementation Guide