Passwords are always cryptographically protected — never plain text.
What it actually means
Passwords must be hashed at rest and protected (TLS) in transit — never stored or sent in plain text. A managed identity provider does this automatically; the risk is almost always a homegrown app, script, spreadsheet, or config file holding credentials in the clear.
Pass or fail — an assessor needs a "yes" to each
- Passwords are salted and hashed in storage (handled by the identity provider).
- Passwords are transmitted only over TLS.
- No plaintext passwords in apps, scripts, configs, or spreadsheets.
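The storage requirement in the checklist above, shown as an added example (not code from the page or from any identity provider): each password gets its own random salt, the salt and the slow-hash parameters are stored alongside the digest so they can be upgraded later, and verification compares in constant time. PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt are assumed parameters chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a deployment would take these from
# its identity provider or password-hashing library rather than hardcoding them.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per password, so two users with the same password get
    different records and a precomputed table cannot be reused across them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, not a crash
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses weaker parameters than current policy.

    Because the password itself is never stored, the only moment a record can
    be upgraded is right after a successful login, when the plaintext is in hand.
    """
    try:
        algorithm, iterations, _salt_hex, _hash_hex = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < min_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong pw:", verify_password(rec, "correct horse battery stapl"))
```

The record format makes the assessor's question answerable from the data itself: the stored value names its algorithm and cost, contains no trace of the password, and can be migrated to stronger parameters on the next successful login via `needs_rehash`.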
What to have ready
- Identity-provider documentation of hashing
- Confirmation that custom apps don't store plaintext credentials
- Secrets-management approach for any service credentials
Where teams trip up
- Credentials hardcoded in scripts or config files
- A spreadsheet or doc of shared passwords
- Internal apps storing passwords reversibly
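A way to check for the first two trip-ups above, as an added example that is not part of the original page: a small scanner that walks config or script lines, flags credential-looking keys assigned a literal value and credentials embedded in connection URLs, and skips values that point at an environment variable, a secrets manager, or a deployment placeholder. The sample lines are constructed for this example and do not come from any real system; the key and reference patterns are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines standing in for a config file, a script and a
# connection string; none of them are from a real system.
SAMPLE_LINES = [
    "db_host = db.internal.example",
    "db_password = Summer2024!",                          # literal -> finding
    'API_TOKEN = "${API_TOKEN}"',                         # env reference -> ok
    "smtp_pass = vault:secret/data/mail#password",        # secrets manager -> ok
    "password = <set-in-deployment>",                     # placeholder -> ok
    "conn = postgres://app:s3cretpass@db.internal/app",   # creds in URL -> finding
    "url = https://svc:${SVC_PASSWORD}@api.internal",     # URL with env ref -> ok
    "# password = old-value",                             # comment -> skipped
]

# Assumed naming conventions: keys that usually hold a credential.
ASSIGNMENT = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key)"
    r"[A-Za-z0-9_.-]*)\s*[:=]\s*(?P<value>.+?)\s*$",
    re.I,
)
# scheme://user:password@host, the classic place a plaintext credential hides.
URL_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:(?P<pw>[^\s@/]+)@", re.I)
# Values that are references rather than secrets: env vars, secret-manager
# paths, or obvious placeholders.  Assumed forms; extend for your tooling.
SAFE_VALUE = re.compile(
    r"^(?:\$\{?[A-Za-z_]\w*\}?|\$env:\w+|os\.environ|vault:|"
    r"arn:aws:secretsmanager:|<[^>]+>|CHANGE_?ME\b|TODO\b)",
    re.I,
)


@dataclass
class Finding:
    line_no: int
    reason: str
    key: str


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that appears to hold a plaintext credential."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//", ";")):
            continue  # comments are not live configuration
        url = URL_CREDS.search(line)
        if url:
            if not SAFE_VALUE.match(url.group("pw")):
                findings.append(Finding(n, "credentials embedded in URL", "url"))
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if not value or SAFE_VALUE.match(value):
            continue  # empty, injected at deploy time, or fetched from a vault
        findings.append(Finding(n, "plaintext credential literal", m.group("key")))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        # Report location and key only; never echo the value itself into logs.
        print(f"line {f.line_no}: {f.reason} ({f.key})")
```

The scanner reports the line and key but deliberately never prints the matched value, so its own output does not become another copy of the credential. Running it in CI over application repositories and config directories gives the "confirmation that custom apps don't store plaintext credentials" the evidence list asks for.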