Use of cleartext passwords in the Password Manager must be disabled

From Google Chrome v24 Windows STIG

Part of DTBC0010 - Disable cleartext passwords in Password Manager

Associated with IA controls: ECSC-1

Associated with: CCI-001588

SV-47044r2_rule Use of cleartext passwords in the Password Manager must be disabled

Vulnerability discussion

Cleartext passwords would allow another individual to see password via shouldersurfing."Controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. If you enable or do not set this policy, users can view their passwords in clear text in the password manager.." - Google Chrome Administrators Policy List

Check content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If PasswordManagerAllowShowPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding.

Fix text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: PasswordManagerAllowShowPasswords Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\ Policy Name: Allow users to show passwords in Password Manager Policy State: Disabled Policy Value: N/A

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer