Title: DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
Vulnerability ID: V-32473
IA Controls: None
Description: Password maximum lifetime is the maximum period of time, (typically in days) a user’s password may be in effect before the user is forced to change it.
Passwords need to be changed at specific policy based intervals as per policy. Any password no matter how complex can eventually be cracked.
One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised.
The storage of passwords in application source or batch job code that is compiled, encoded, or encrypted prevents compliance with password expiration and other management requirements, as well as provides another means for potential discovery.
Check Text: Review application source code required to be encoded or encrypted for database accounts used by applications or batch jobs to access the database.
Review source batch job code prior to compiling, encoding, or encrypting for database accounts used by applications or the batch jobs themselves to access the database.
Determine if the compiled, encoded, or encrypted application source code or batch jobs contain passwords used for authentication to the database.
If any of the identified compiled, encoded, or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a finding.
Fix Text: Design DBMS application code and batch job code that is compiled, encoded, or encrypted to NOT contain passwords.[divider]