Audits
Settings
Links
Tenable Cloud
Tenable Community & Support
Tenable University
Theme
Light
Dark
Auto
Help
Plugins
Overview
Plugins Pipeline
Newest
Updated
Search
Nessus Families
WAS Families
NNM Families
LCE Families
Tenable OT Security Families
About Plugin Families
Release Notes
Audits
Overview
Newest
Updated
Search Audit Files
Search Items
References
Authorities
Documentation
Download All Audit Files
Policies
Overview
Search
AWS Resources
Azure Resources
GCP Resources
Kubernetes Resources
Indicators
Overview
Search
Indicators of Attack
Indicators of Exposure
CVEs
Overview
Newest
Updated
Search
Attack Path Techniques
Overview
Search
Links
Tenable Cloud
Tenable Community & Support
Tenable University
Settings
Theme
Light
Dark
Auto
Detections
Plugins
Overview
Plugins Pipeline
Release Notes
Newest
Updated
Search
Nessus Families
WAS Families
NNM Families
LCE Families
Tenable OT Security Families
About Plugin Families
Audits
Overview
Newest
Updated
Search Audit Files
Search Items
References
Authorities
Documentation
Download All Audit Files
Policies
Overview
Search
AWS Resources
Azure Resources
GCP Resources
Kubernetes Resources
Indicators
Overview
Search
Indicators of Attack
Indicators of Exposure
Analytics
CVEs
Overview
Newest
Updated
Search
Attack Path Techniques
Overview
Search
Audits
References
CCI
CCI-004062
CCI
CCI|CCI-004062
Title
For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
Reference Item Details
Reference:
CCI - DISA Control Correlation Identifier
Category:
2024
Audit Items
View all Reference Audit Items
Name
Plugin
Audit Name
CISC-ND-000620 - The Cisco router must only store cryptographic representations of passwords.
Cisco
DISA STIG Cisco IOS XE Router NDM v3r1
CISC-ND-000620 - The Cisco router must only store cryptographic representations of passwords.
Cisco
DISA STIG Cisco IOS Router NDM v3r1
CISC-ND-000620 - The Cisco switch must only store cryptographic representations of passwords.
Cisco
DISA STIG Cisco IOS Switch NDM v3r1
CISC-ND-000620 - The Cisco switch must only store cryptographic representations of passwords.
Cisco
DISA STIG Cisco IOS XE Switch NDM v3r1
CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.
Unix
DISA STIG Kubernetes v2r1
EPAS-00-004300 - If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.
PostgreSQLDB
EnterpriseDB PostgreSQL Advanced Server DB v2r1
JUEX-NM-000330 - The Juniper EX switch must be configured to only store cryptographic representations of passwords.
Juniper
DISA Juniper EX Series Network Device Management v2r1
MADB-10-003800 - If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.
MySQLDB
DISA MariaDB Enterprise 10.x v2r1 DB
MYS8-00-005100 - If passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.
MySQLDB
DISA Oracle MySQL 8.0 v2r1 DB
O112-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage.
Unix
DISA STIG Oracle 11.2g v2r5 Linux
O112-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage.
Windows
DISA STIG Oracle 11.2g v2r5 Windows
O121-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage.
Unix
DISA STIG Oracle 12c v3r1 Linux
O121-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage.
Windows
DISA STIG Oracle 12c v3r1 Windows
OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
Unix
DISA Oracle Linux 8 STIG v2r1
OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
Unix
DISA Oracle Linux 8 STIG v2r1
OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
Unix
DISA Oracle Linux 8 STIG v2r1
RHEL-09-611050 - RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-611055 - RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-611135 - RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-611140 - RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-611150 - RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-671015 - RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
RHEL-09-671025 - RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
Unix
DISA Red Hat Enterprise Linux 9 STIG v2r1
SLES-15-020170 - The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords - PAM to only store encrypted representations of passwords.
Unix
DISA SLES 15 STIG v2r1
SLES-15-020180 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
Unix
DISA SLES 15 STIG v2r1
SLES-15-020190 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
Unix
DISA SLES 15 STIG v2r1
SOL-11.1-040130 - Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
Unix
DISA STIG Solaris 11 X86 v3r1
SOL-11.1-040130 - Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
Unix
DISA STIG Solaris 11 SPARC v3r1
UBTU-22-611055 - Ubuntu 22.04 LTS must store only encrypted representations of passwords.
Unix
DISA STIG Canonical Ubuntu 22.04 LTS v2r1
WN10-AC-000045 - Reversible password encryption must be disabled.
Windows
DISA Windows 10 STIG v3r1
WN10-SO-000195 - The system must be configured to prevent the storage of the LAN Manager hash of passwords.
Windows
DISA Windows 10 STIG v3r1
WN11-AC-000045 - Reversible password encryption must be disabled.
Windows
DISA Windows 11 STIG v2r1
WN11-SO-000195 - The system must be configured to prevent the storage of the LAN Manager hash of passwords.
Windows
DISA Windows 11 STIG v2r1
WN19-AC-000090 - Windows Server 2019 reversible password encryption must be disabled.
Windows
DISA Windows Server 2019 STIG v3r1
WN19-SO-000300 - Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
Windows
DISA Windows Server 2019 STIG v3r1
WN22-AC-000090 - Windows Server 2022 reversible password encryption must be disabled.
Windows
DISA Windows Server 2022 STIG v2r1
WN22-SO-000300 - Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
Windows
DISA Windows Server 2022 STIG v2r1
