16.4: Encrypt or Hash All Authentication Credentials
Encrypt or hash with a salt all authentication credentials when stored.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Users |
Protect |
2, 3 |
Dependencies
Sub-control 16.1: Inventory of Authentication Systems
Inputs
Inventory of Authentication Systems (for each, include any related components used for credential storage for that authentication system such as any databases that require configuration independent of the authentication system)
Approved configuration(s) to ensure that all credentials are encrypted and/or hashed with a salt when stored. There may be multiple configurations to handle the different types of authentication systems used in the organization, and configurations may also be required for related components involved in storing this data (i.e. database configurations).
Operations
For each authentication system provided in Input 1 (along with any listed related components), check to see if it is configured properly according to the appropriate configuration(s) provided in Input 2.
Create a list of the authentication systems that are properly configured (M1)
Create a list of the authentication systems that are not properly configured (M2) including the deviations from proper configuration (if any related component identified in Input 1 is not configured according to the appropriate configuration, then its associated authentication system should be considered improperly configured, and the specific component should be noted as part of the deviation from proper configuration).
Measures
M1 = List of properly configured authentication systems (compliant list)
M2 = List of improperly configured authentication systems (non-compliant list)
M3 = Count of properly configured authentication systems (count of M1)
M4 = Total count of authentication systems (count of Input 1)
Metrics
Coverage
Metric |
The ratio of properly configured authentication systems to the total number of
authentication systems.
|
Calculation |
|