NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.10 Store and Transmit Only Cryptographically-Protected Passwords

Store and transmit only cryptographically-protected passwords.

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

Passwords should never travel across the network in plain text, and they should never be stored in plain text on any system. If an attacker intercepts network traffic or gains access to a password database, they should find only encrypted or hashed values — not usable credentials.

Example 1: Enforce TLS encryption on all authentication traffic. In Active Directory, enable LDAPS by installing a certificate on your domain controllers (issued by Active Directory Certificate Services or a third-party CA). Verify that it works by running ldp.exe and connecting to your DC on port 636 with the SSL option selected. Then block unprotected LDAP binds on port 389 by setting the registry value HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity to require signing.

Example 2: Ensure your web applications and portals use HTTPS exclusively. In IIS Manager, select the site, open SSL Settings, and check "Require SSL". For internal tools that still present an HTTP login page, configure an HTTP-to-HTTPS redirect rule under URL Rewrite. On the storage side, verify that your application databases store passwords using bcrypt, scrypt, or PBKDF2, never as a bare MD5 or SHA-1 digest.
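Added example for the storage side of Example 2 (written for this page, not code from the original or from any NIST/CMMC artifact): the unsalted SHA-1 pattern the requirement rules out, beside a salted PBKDF2-HMAC-SHA256 record with constant-time verification, plus an audit helper run over a constructed set of stored values. The record format, iteration count, usernames and sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os
# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one hash takes ~100 ms on your servers.
PBKDF2_ITERATIONS = 600_000

def legacy_hash(password: str) -> str:
    """Unsalted SHA-1: the pattern 3.5.10 rules out (no salt, no work factor)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 in an assumed self-describing record format:
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 hash>."""
    salt = os.urandom(16)  # fresh random salt for every record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt/iterations; constant-time compare avoids timing leaks."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(dk, expected)

def classify_record(stored: str) -> str:
    """Audit label: 'pbkdf2', 'unsalted-digest' (bare 32/40-char hex, i.e. MD5 or
    SHA-1 alone) or 'plaintext-or-unknown'. Only the first satisfies 3.5.10."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    s = stored.lower()
    if len(s) in (32, 40) and all(c in "0123456789abcdef" for c in s):
        return "unsalted-digest"
    return "plaintext-or-unknown"

def audit(records: dict) -> list:
    """Return (username, label) for every stored value that fails the requirement."""
    return [(u, classify_record(v)) for u, v in records.items()
            if classify_record(v) != "pbkdf2"]

# Constructed sample table: two legacy digests, one compliant record, one plaintext value.
SAMPLE_RECORDS = {
    "alice": legacy_hash("Winter2024!"),
    "bob": hashlib.md5(b"Winter2024!").hexdigest(),
    "carol": hash_password("Winter2024!"),
    "dave": "Winter2024!",
}
```

Running `audit(SAMPLE_RECORDS)` lists alice, bob and dave with their failure labels; only carol's record passes.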