The information resource shall obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.


  • The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.


  • 1

    It is the responsibility of the information resource owner, or designee, to ensure measures are enacted to protect authentication information including, but not limited to:

    • 1.1

      Passwords are masked upon key entry; and

    • 1.2

      Failed login boxes do not indicate which part of the username/password combination is incorrect.