This is STIG violation and as we know not good practice especially since it is in clear text. we can use the same approach that geoserver does and write the username password in a separate file and encrypt it. here is a segment from STIGs:
The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating password hashes.
• We are currently using MD5 for the database because that is the best available out of the box w/ PGIS. Our statement is we will move to develop a FIPS compliant when required.
Ensure the application transmits account passwords in an approved encrypted format.
1. If these encryption settings have not been turned on, this is a CAT II finding.
⁃ If the data encryption functionality is not configurable and the identification and authentication information is stored in ASCII or another readable format, examine the actual data to determine if they are in clear text.
2. If the authentication data is readable, this is a CAT I finding.
The designer will ensure the application stores account passwords in an approved encrypted format.
The designer will ensure the application transmits account passwords in an approved encrypted format.
(APP3350: CAT I) The Designer will ensure the application does not contain embedded authentication data.
(APP3360: CAT II) The Designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
All account passwords, both administrative and non-administrative, must comply with the following:
• Passwords must be at least 15 characters long.
• Passwords must contain a mix of upper case letters, lower case letters, numbers, and special characters.
• When a password is changed, users must not be able to use personal information such as names, telephone numbers, account names, or dictionary words.
• Passwords must expire after 60 days.
• Users must not be able to reuse any of their previous 10 passwords.
• Users must not be able to change passwords more than once a day, except in the case of an administrator or a privileged user. Privileged users may be required to reset a user’s forgotten passwords and the ability to change passwords more than once per day.
• When a password is changed, the new password must differ from the previous password by at least four characters.
This is STIG violation and as we know not good practice especially since it is in clear text. we can use the same approach that geoserver does and write the username password in a separate file and encrypt it. here is a segment from STIGs:
The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating password hashes.
• We are currently using MD5 for the database because that is the best available out of the box w/ PGIS. Our statement is we will move to develop a FIPS compliant when required.
Ensure the application transmits account passwords in an approved encrypted format.
The designer will ensure the application stores account passwords in an approved encrypted format.
The designer will ensure the application transmits account passwords in an approved encrypted format.
(APP3350: CAT I) The Designer will ensure the application does not contain embedded authentication data.
(APP3360: CAT II) The Designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
All account passwords, both administrative and non-administrative, must comply with the following:
• Passwords must be at least 15 characters long.
• Passwords must contain a mix of upper case letters, lower case letters, numbers, and special characters.
• When a password is changed, users must not be able to use personal information such as names, telephone numbers, account names, or dictionary words.
• Passwords must expire after 60 days.
• Users must not be able to reuse any of their previous 10 passwords.
• Users must not be able to change passwords more than once a day, except in the case of an administrator or a privileged user. Privileged users may be required to reset a user’s forgotten passwords and the ability to change passwords more than once per day.
• When a password is changed, the new password must differ from the previous password by at least four characters.