The Defense Information Systems Agency (DISA) hosts a repository of Security Technical Implementation Guides (STIGs). A STIG is a configuration standard consisting of cybersecurity requirements for a specific product. Using STIGs gives a methodology for securing protocols within networks, servers, computers, and logical designs to enhance overall security. These guides, when implemented, enhance security for software, hardware, and physical and logical architectures to further reduce vulnerabilities.
The website that hosts STIGs can be found here: https://public.cyber.mil/stigs/
For application development there is a specific STIG that applies: the Application Security and Development STIG, also known as the “App Dev STIG”.
The App Dev STIG is very broad in nature because it pertains to all application development. It contains checks that apply to web applications, mobile applications, and/or desktop applications.
The checklist contains 286 checks, broken down into 32 CAT I, 232 CAT II, and 22 CAT III checks. The CAT I checks pertain to the most serious vulnerabilities.
The App Dev STIG has two CAT I checks that deal with logon interfaces:
Vul ID: V-222554 : Mask Passwords
Application Security and Development Security Technical Implementation Guide :: Version 6
Benchmark Date: 12 Feb 2025
Vul ID: V-222554
Rule ID: SV-222554r508029_rule
STIG ID: APSC-DV-001850
Severity: CAT I
Classification: Unclass
Legacy IDs: V-70157; SV-84779
Rule Title: The application must not display passwords/PINs as clear text.
Discussion: To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.
Obfuscation of user-provided information when typed into the system is a method used in addressing this risk.
For example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
Another method is to display authentication feedback for a very limited time, usually in fractions of a second. This occurs during password character entry where the password characters are displayed for a very small window of time and then automatically obfuscated. This gives users just enough time to confirm their password as they type it while limiting the ability of "shoulder surfers" to covertly witness the values.
A common tactic employed to circumvent password obfuscation is to copy the obfuscated password and paste it to a text file. Proper obfuscation techniques will not paste the clear text password.
Check Text: Ask the application admin to log on to the application.
Observe the authentication process and verify any display feedback provided when the admin enters her/his password is obfuscated and not clear text.
For applications that display authentication feedback for a very limited time, ensure the time each character is displayed is only momentary, i.e., fractions of a second.
Using a text editor, copy the obfuscated password and paste to a text file. Do not save the file.
If the application displays clear text when the password/PIN is entered, or if the time period for displayed feedback exceeds fractions of a second, or if the clear text password/PIN is displayed when pasted, this is a finding.
Fix Text: Configure the application to obfuscate passwords and PINs when they are being entered so they cannot be read.
Design the application so obfuscated passwords cannot be copied and then pasted as clear text.
References
CCI: CCI-000206: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
NIST SP 800-53 :: IA-6
NIST SP 800-53A :: IA-6.1
NIST SP 800-53 Revision 4 :: IA-6
Vul ID: V-222542 : Storing Passwords
Application Security and Development Security Technical Implementation Guide :: Version 6
Benchmark Date: 12 Feb 2025
Group ID: V-222542
Rule ID: SV-222542r1015704
STIG ID: APSC-DV-001740
Severity: CAT I
Legacy IDs: V-69567; SV-84189
Classification: Unclassified
Rule Title: The application must only store cryptographic representations of passwords.
Discussion: Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include but are not limited to:
- When the application user base does not have a CAC and is not a current DOD employee, member of the military, or a DOD contractor.
- When an application user has been officially designated as a Temporary Exception User; one who is temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
- When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.
Passwords need to be protected at all times, and using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security.
If passwords are stored in clear text, they can be plainly read and easily compromised.
In many instances, verifying that the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash.
A more secure version of verifying that a user knows a password is to store the result of an iterating hash function and a large random SALT value as follows:
H0 = H(pwd, H(salt))
Hn = H(Hn-1, H(salt))
Where n is a cryptographically-strong random number.
Hn is stored, along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares Hn with the stored Hn.
A SALT is essentially a fixed-length cryptographically-strong random value.
Another method used is utilizing a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.
Applications must only store passwords that have been cryptographically protected.
Check Text: Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.
If the application does not use passwords, this requirement is Not Applicable.
Have the application administrator identify the application's password storage locations. Potential locations include the local file system where the application is stored or in an application-related database table that should not be accessible to application users.
Review application files and folders using a text editor, or by using a database tool that allows you to view data stored in database tables. Look for indications of stored user information and review that information. Determine if password strings are readable/discernible.
Determine if the application uses the MD5 hashing algorithm to create password hashes.
If the passwords are readable or there is no indication the application utilizes cryptographic hashing to protect passwords, or if the MD5 hash algorithm is used to create password hashes, this is a finding.
Fix Text: Use strong cryptographic hash functions when creating password hash values.
Utilize random salt values when creating the password hash.
Ensure strong access control permissions on data files containing authentication data.
References
CCI: CCI-004062: For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
NIST SP 800-53 Revision 5 :: IA-5 (1) (d)
CCI: CCI-000196: The information system, for password-based authentication, stores only cryptographically-protected passwords.
NIST SP 800-53 :: IA-5 (1) (c)
NIST SP 800-53 Revision 4 :: IA-5 (1) (c)
NIST SP 800-53A :: IA-5 (1).1 (v)
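As an added example (not DISA's code or text), the iterated salted hash from the discussion above, H0 = H(pwd, H(salt)) and Hn = H(Hn-1, H(salt)), implemented in Python with SHA-256 together with the verifier that repeats the process. Reading H(a, b) as hashing the concatenation a||b, the iteration count, and the `$`-separated record layout are assumptions made here.

```python
import hashlib
import hmac
import secrets

# Added example, not DISA's code: the iterated salted hash from the V-222542
# discussion, H0 = H(pwd, H(salt)) and Hn = H(Hn-1, H(salt)), using SHA-256.
# Assumptions: H(a, b) is read as hashing the concatenation a||b, the
# iteration count below is an illustrative work factor, and the stored
# record layout "algo$iterations$salt$Hn" is chosen here for readability.
HASH = "sha256"
ITERATIONS = 100_000  # assumed work factor; tune to the platform's latency budget


def iterated_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Return Hn for the given password, salt and iteration count n."""
    hsalt = hashlib.new(HASH, salt).digest()                          # H(salt)
    h = hashlib.new(HASH, password.encode("utf-8") + hsalt).digest()  # H0
    for _ in range(iterations):
        h = hashlib.new(HASH, h + hsalt).digest()                     # Hn = H(Hn-1, H(salt))
    return h


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the value to store; the clear-text password itself is never stored."""
    salt = secrets.token_bytes(16)  # fixed-length cryptographically-strong random salt
    digest = iterated_hash(password, salt, iterations)
    return f"{HASH}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Repeat the process with the stored salt and count; compare Hn in constant time."""
    parts = record.split("$")
    if len(parts) != 4:
        return False
    algo, iterations, salt_hex, digest_hex = parts
    if algo != HASH:  # an MD5 (or any unexpected) record never verifies
        return False
    recomputed = iterated_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
```

Because `make_record` draws a fresh salt every time, two records for the same password differ, which is the property the Check Text is looking for when it inspects stored user data.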
Vul ID: V-222432 : Limit Invalid Logon Attempts
Application Security and Development Security Technical Implementation Guide :: Version 6
Benchmark Date: 12 Feb 2025
Vul ID: V-222432
Rule ID: SV-222432r508029_rule
STIG ID: APSC-DV-000530
Severity: CAT I
Classification: Unclass
Legacy IDs: V-69343; SV-83965
Rule Title: The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
Discussion: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.
Limits are imposed by locking the account.
User notification when three failed logon attempts are exceeded is an operational consideration determined by the application owner. In some instances the operational situation may dictate that no notice is to be provided to the user when their account is locked. In other situations, the user may be notified their account is now locked. This decision is left to the application owner based upon their operational scenarios.
Check Text: All testing must be performed within a 15-minute window.
Log on to the application with a test user account.
Intentionally enter an incorrect user password or PIN.
Repeat 2 times within 15 minutes for a total of three failed attempts.
Notification of a locked account may or may not be provided.
Using the correct user password or PIN, attempt to log on a 4th time.
If the logon is successful upon the 4th attempt, the account was not locked after the third failed attempt and this is a finding.
Fix Text: Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window.
References
CCI: CCI-000044: The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
NIST SP 800-53 :: AC-7 a
NIST SP 800-53A :: AC-7.1 (ii)
NIST SP 800-53 Revision 4 :: AC-7 a
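As an added example (not DISA's code or text), a Python lockout tracker that enforces this check's limit of three consecutive failed logon attempts within a 15-minute window, plus a helper that replays the Check Text sequence above. The in-memory dictionaries, the explicit `now` clock argument and the administrative `unlock` method are assumptions made here.

```python
from collections import deque

# Added example, not DISA's code: an account-lockout tracker for APSC-DV-000530.
# Three consecutive failed logon attempts within 15 minutes lock the account, a
# successful logon resets the consecutive count, and a locked account refuses
# even the correct password. Assumptions made here: the in-memory dictionaries,
# the explicit `now` clock argument (seconds) and the administrative unlock.
MAX_FAILURES = 3
WINDOW_SECONDS = 15 * 60


class LockoutTracker:
    def __init__(self) -> None:
        self.failures = {}   # user -> deque of timestamps of recent failures
        self.locked = {}     # user -> time the lock was applied

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; returns 'locked', 'denied' or 'success'."""
        if self.is_locked(user):
            return "locked"                     # correct or not, the account is locked
        if password_ok:
            self.failures.pop(user, None)       # a success breaks the consecutive run
            return "success"
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:  # only failures inside the window count
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked[user] = now
            self.failures.pop(user, None)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrative unlock; how and when to unlock is outside this check's scope."""
        self.locked.pop(user, None)
        self.failures.pop(user, None)


def replay_check_text(tracker: LockoutTracker, user: str, t0: float) -> bool:
    """Replay the Check Text: three bad passwords, then the correct one, all within
    15 minutes. Returns True when the 4th attempt is refused (compliant), False for a finding."""
    for i in range(3):
        tracker.attempt(user, False, t0 + 60 * i)
    return tracker.attempt(user, True, t0 + 240) != "success"
```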