3.5.10 — Never Store Passwords in Plain Text
What It Says
Store and transmit only cryptographically protected passwords.
What It Actually Means
Two rules, no exceptions:
At rest, hash passwords. Stored passwords are never kept in plain text, and reversible encryption does not count either. Use a purpose-built, salted, deliberately slow password hashing function: Argon2id, bcrypt, scrypt or PBKDF2. A fast unsalted hash such as MD5 or SHA-1 is not a password hash. Where 3.13.11 applies, note that of these only PBKDF2 (with HMAC-SHA-256, per NIST SP 800-132) is FIPS-approved; Argon2, bcrypt and scrypt are not. Active Directory and Entra ID store hashes natively, provided the legacy “Store passwords using reversible encryption” option stays off. The risk is custom applications and legacy systems that write passwords as-is into database tables, config files or scripts.
In transit, encrypt passwords. Passwords are never sent in clear text over any network. For directory authentication that means LDAPS (TCP 636) or StartTLS, never a simple bind over plain LDAP on TCP 389 (Kerberos/GSSAPI binds are also fine, since the password itself never crosses the wire). For web logins it means HTTPS, not HTTP, for the whole login flow and not just the form’s POST target, because a login page served over HTTP can be rewritten in flight. Everything else (mail, database, remote-management and file-transfer protocols) goes over TLS or SSH as well.
The assessor will specifically check for:
- Is Active Directory using LDAPS or plain LDAP?
- Are there any applications with plain-text password storage?
- Are there passwords embedded in scripts, config files, or environment variables?
- Is email transmitting any passwords in clear text?
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are passwords cryptographically protected when stored? | Passwords hashed in directory services; no plain-text password storage anywhere |
| 2 | Are passwords cryptographically protected when transmitted? | LDAPS for directory auth, HTTPS for web, encrypted connections everywhere |
What to Have Ready on Assessment Day
Documents they’ll review: Identification and authentication policy; procedures addressing authenticator protection; system security plan; system design documentation; system configuration settings; system audit logs and records
People they’ll talk to: Personnel with system operations responsibilities; personnel with information security responsibilities; system or network administrators; system developers
Live demos they’ll ask for: Mechanisms supporting or implementing authenticator protection
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Is your AD using LDAPS or plain LDAP? Show me the configuration.”
- “Are there any applications that store passwords in plain text?”
- “Are there any scripts or config files with embedded passwords?”
- “How do you transmit initial passwords to new users?”
- “Show me that your web applications use HTTPS for login pages.”
Where Companies Trip Up
LDAP instead of LDAPS. A simple bind over plain LDAP (TCP 389) sends the password across the network in clear text. Enable LDAPS (TCP 636) or StartTLS, then set the domain controller policy “LDAP server signing requirements” to Require signing, which rejects unsigned simple binds on 389 while still accepting them over LDAPS. Do not try to simply block port 389 on a domain controller; other AD traffic depends on it. Before enforcing, find the clients that still bind in the clear: domain controllers log a daily summary as Directory Service event 2887, and with LDAP interface event diagnostic logging raised they log each offending client as event 2889.
Passwords in scripts. PowerShell scripts with embedded passwords in plain text, including the common ConvertTo-SecureString "..." -AsPlainText -Force pattern, which is still a plain-text password sitting in the file. Migrate to a credential vault (Azure Key Vault, or the PowerShell SecretManagement module in front of one), managed identities, group Managed Service Accounts, or certificate-based authentication, and rotate every credential you find, since it has to be treated as exposed.
Legacy apps with plain-text storage. An old internal application storing passwords in a SQL table without hashing, or with a fast unsalted hash such as MD5 or SHA-1, or with reversible encryption. This needs remediation or retirement. A plain-text store is remediated by hashing every existing value once with a proper password hash and then dropping the plain-text column; an unsalted-hash store is migrated by wrapping the old hash inside the new one, or by re-hashing each user at next login.
Password in URL parameters. A web application passing credentials as URL query parameters (a login form submitted with GET), which lands them in browser history, server and proxy logs, and the Referer header sent to any third-party resource on the next page. Credentials belong in the body of a POST over HTTPS.
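An added example (not from the page or from Ancitus) of the check behind the scripts, config files and URL-parameter findings above: a small Python scanner that flags literal secrets in files and passwords in query strings of access-log lines. The sample files and log lines are constructed for the example, the regexes and function names are assumptions, and the scanner deliberately reports the key and location but never the value, so its own output does not become another plain-text copy of the password.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample files (not real files): a PowerShell script with an
# embedded password, a .NET web.config with a connection-string password,
# a .env file with one real secret and one placeholder, and a clean script
# that obtains credentials at run time.
SAMPLE_FILES = {
    "deploy.ps1": (
        '$pw = ConvertTo-SecureString "Summer2024!" -AsPlainText -Force\n'
        '$cred = New-Object System.Management.Automation.PSCredential("svc_backup", $pw)\n'
    ),
    "web.config": (
        "<connectionStrings>\n"
        '  <add name="db" connectionString="Server=sql01;User Id=app;Password=Pa55w0rd;" />\n'
        "</connectionStrings>\n"
    ),
    ".env": (
        "DB_HOST=sql01\n"
        "DB_PASSWORD=changeme\n"
        "SMTP_PASSWORD=${SMTP_PASSWORD}\n"
        "VAULT_ADDR=https://vault.example.internal\n"
    ),
    "clean.ps1": (
        "$cred = Get-Credential\n"
        "$pw = $env:DB_PASSWORD  # injected by the pipeline at run time\n"
    ),
}

# Constructed web-server access-log lines: one login that put the password in
# the query string, one correct POST, and one harmless search for the word.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /login?user=alice&password=Winter2024 HTTP/1.1" 302 -',
    '10.0.0.6 - - [01/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 -',
    '10.0.0.7 - - [01/Mar/2024:10:00:03 +0000] "GET /search?q=password+policy HTTP/1.1" 200 4821',
]

SECRET_WORDS = r"(?:password|passwd|pwd|secret|api[_-]?key|token)"
# key=value or key: value where the key contains a secret-ish word. The value is
# captured only to distinguish placeholders from literals; it is never reported.
KEY_VALUE = re.compile(
    r"([A-Za-z0-9_.-]*" + SECRET_WORDS + r"[A-Za-z0-9_.-]*)\s*[=:]\s*[\"']?([^\"'\s;&]+)", re.I
)
# ConvertTo-SecureString "literal" -AsPlainText: the "secure" string is a plain-text literal.
PS_PLAINTEXT = re.compile(r"ConvertTo-SecureString\s+[\"']([^\"']+)[\"']\s+-AsPlainText", re.I)
# Values that reference something else (env var, template variable, masked sample).
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]*>|\*{3,})$")
# Request target out of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH)\s+(\S+)\s+HTTP/')


def scan_text(name: str, text: str) -> list:
    """Return findings (file, line, kind, key) for literal secrets in one file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_VALUE.finditer(line):
            key, value = m.group(1), m.group(2)
            if PLACEHOLDER.match(value):
                continue  # a reference to a vault or environment variable, not a literal
            findings.append({"file": name, "line": n, "kind": "literal-secret", "key": key})
        if PS_PLAINTEXT.search(line):
            findings.append({"file": name, "line": n, "kind": "powershell-plaintext",
                             "key": "ConvertTo-SecureString"})
    return findings


def scan_files(files: dict) -> list:
    """Scan a {name: text} mapping (in practice: read from disk) and collect findings."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def scan_log(lines) -> list:
    """Flag requests whose query string carries a credential-like parameter.
    Only the parameter name and the path are reported, never the value."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for key in parse_qs(parts.query, keep_blank_values=True):
            if re.search(SECRET_WORDS, key, re.I):
                findings.append({"line": n, "path": parts.path, "key": key})
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%(file)s:%(line)d %(kind)s key=%(key)s" % f)
    for f in scan_log(SAMPLE_LOG):
        print("log line %(line)d: %(key)s sent in query string to %(path)s" % f)
```

Run against a real checkout, point `scan_files` at the contents of the files you read from disk and `scan_log` at web-server or proxy logs; anything it reports is a credential to rotate as well as a line to fix, and the `PLACEHOLDER` pattern is what keeps vault or environment-variable references from showing up as false positives.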
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.5.7 — Password Rules | Strong passwords mean nothing if stored in plain text |
| 3.13.8 — Encrypt in Transit | The broader encryption-in-transit requirement that includes password transmission |
| 3.13.11 — FIPS or It Doesn’t Count | The TLS stack protecting passwords in transit and the password hashing at rest must come from FIPS-validated modules; in practice that rules out Argon2, bcrypt and scrypt and points to PBKDF2-HMAC-SHA-256 |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: IA.L2-3.5.10 | SPRS Weight: 5 points | POA&M Eligible: No