
3.5.11 — Mask the Password Field

Obscure feedback of authentication information.

Don’t show passwords on screen as they’re typed. Mask authentication fields with dots or asterisks. This prevents shoulder surfing — someone watching your screen as you type.

Most modern systems do this by default. The risk is in three places:

  1. Custom applications — internally developed tools that display passwords in input fields
  2. Admin CLI tools — command-line interfaces that echo passwords to the terminal
  3. ‘Show password’ toggles — some applications have a toggle that reveals the password and leaves it visible indefinitely

The assessor may walk around the office during a login demonstration and check that password fields are masked. It’s a low-point requirement (1 point) but an easy one to satisfy — or to fail if you have a custom app nobody thought to check.


Your assessor needs a “yes” to every row:

# | Question | What "yes" looks like
1 | Is feedback of authentication information obscured during the authentication process? | Password fields masked with dots/asterisks across all login interfaces

Documents they’ll review: Identification and authentication policy; system security plan; system design documentation; system configuration settings

People they’ll talk to: Personnel with information security responsibilities; system developers

Live demos they’ll ask for: Mechanisms supporting or implementing authentication feedback obscuring


These are the actual questions. Have answers ready.

  • “Are all password fields masked across your applications?”
  • “Do any custom or internal applications display passwords in clear text?”
  • “Do your CLI admin tools echo passwords to the screen?”
  • “Is there a ‘show password’ feature on any login page? How does it behave?”

Custom app with visible passwords. An internally built tool that displays the password in the input field. Developer fix — change the input type to ‘password’.

CLI tools echoing passwords. Running a script that prompts for a password and echoes it to the terminal. Use secure input methods (Read-Host -AsSecureString in PowerShell, getpass in Python).

Passwords visible in URL bar. A web application that passes credentials as URL parameters, visible in the address bar. Fix the application to use POST instead of GET for login.

Show-password toggle with no auto-hide. ‘Show password’ button that reveals the password and leaves it visible indefinitely. Implement an auto-hide after 2-3 seconds or on mouse-up.
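Two of the failure modes above (a password input rendered as plain text, and a login form that sends the password by GET) can be found in a custom application's markup before the assessor walks past it. The script below is an added example, not code from this page or from Ancitus; it uses only Python's standard-library html.parser, and the PASSWORD_HINTS list, the ECHOING_TYPES list and the constructed sample HTML are assumptions to tune for your own applications.

```python
# Audit HTML for the two on-screen password failures above: echoing input types and GET login forms.
from html.parser import HTMLParser

PASSWORD_HINTS = ("password", "passwd", "pwd", "passphrase")   # assumed name/id fragments
# Input types that display typed characters on screen; a missing type means "text".
ECHOING_TYPES = ("text", "search", "email", "tel", "url")

class LoginFormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (issue, detail) tuples, in document order
        self._forms = []     # open <form> elements: {"method", "has_password", "line"}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}   # attribute names arrive lowercased
        line = self.getpos()[0]
        if tag == "form":
            self._forms.append({"method": a.get("method", "get"), "has_password": False, "line": line})
        elif tag == "input":
            ident = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).strip()
            if not any(hint in ident for hint in PASSWORD_HINTS):
                return
            itype = a.get("type", "text")
            if itype in ECHOING_TYPES:
                self.findings.append(("unmasked-input", f"line {line}: <input '{ident}'> has type='{itype}'"))
            if self._forms and (itype in ECHOING_TYPES or itype == "password"):
                self._forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            form = self._forms.pop()
            if form["has_password"] and form["method"] != "post":
                self.findings.append(("password-via-get", f"line {form['line']}: form method='{form['method']}' submits a password field"))

def audit_html(markup):
    """Return (issue, detail) findings for the given HTML; an empty list means clean."""
    parser = LoginFormAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: the first form fails both checks, the second is compliant.
SAMPLE_HTML = """<form action="/login" method="get">
  <input name="username" type="text">
  <input name="password" type="text">
  <input type="checkbox" id="show-password"> Show password
</form>
<form action="/admin" method="POST">
  <input id="adminPwd" type="password" autocomplete="current-password">
</form>"""
```

Run `audit_html(SAMPLE_HTML)` over rendered templates or crawled login pages; the show-password checkbox is deliberately ignored, since only the field that receives the typed password is in scope.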



Requirement | Why it matters here
3.5.10 — Never Plain Text | Passwords protected in storage and transit; this protects them on screen
3.1.10 — Lock the Screen | Screen lock prevents viewing of any data, including masked password fields


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: IA.L2-3.5.11 | SPRS Weight: 1 point | POA&M Eligible: Yes