CMMC Practice IA.L2-3.5.11

Obscure feedback of authentication information.

Bold Coast Security Guidance

Most systems will obscure passwords as you type them by default. Do not use a system which cannot do this! The practice does make allowances for today's mobile devices with their smaller screens, which often display a password character for a moment or two allowing the user to verify passwords were entered correctly.

Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms . For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards . Therefore, the means for obscuring the authenticator feedback is selected accordingly . Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.