Password fields show dots, not the characters typed.
What it actually means
The simplest control in the family: login interfaces must mask authentication input (the classic password dots) so it isn't exposed on screen. Masking is standard on every modern system, so the task is confirming that no custom login form displays that input in clear text.
Pass or fail — an assessor needs a "yes" to each
- All login interfaces mask password entry.
- No custom/legacy form displays credentials in clear text.
What to have ready
- Confirmation across all login interfaces (including any custom apps)
Where teams trip up
- A homegrown app that shows the password
- A 'show password' default left on in a sensitive context
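One way to gather that confirmation for web login forms, as an added example that is not part of the original page: a static check that flags inputs whose name, id, autocomplete or placeholder suggests a password but whose type is not `password`. The page paths, the HTML and the name pattern are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Assumption: attribute text that suggests a password is typed into the field.
SECRET_HINT = re.compile(r"pass|pwd", re.I)
# Input types that are masked already or never hold typed text.
IGNORED_TYPES = {"password", "hidden", "submit", "button", "reset", "checkbox", "radio", "image", "file"}

class UnmaskedFieldFinder(HTMLParser):
    """Collects <input> elements that look like password fields but are not masked."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        input_type = a.get("type", "").strip().lower() or "text"  # a missing type means text
        if input_type in IGNORED_TYPES:
            return
        hints = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
        if SECRET_HINT.search(hints):
            self.findings.append({"line": self.getpos()[0], "field": a.get("name") or a.get("id"), "type": input_type})

def find_unmasked(html):
    parser = UnmaskedFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages: one compliant form, one legacy form, one kiosk form with no type set.
SAMPLE_PAGES = {
    "portal/login.html": '<form>\n<input name="user">\n<input type="password" name="password">\n</form>',
    "legacy/timesheet.html": '<form>\n<input name="login">\n<input type="text" name="passwd" autocomplete="off">\n</form>',
    "kiosk/unlock.html": '<form>\n<input id="unlock-password">\n<input type="checkbox" id="show-password">\n</form>',
}

def audit(pages):
    """Map each page path to its list of unmasked password-like fields."""
    return {path: find_unmasked(html) for path, html in pages.items()}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_PAGES).items():
        print(path, "PASS" if not findings else f"FAIL {findings}")
```

This only inspects markup as served; a field that a script switches to clear text at load time, such as a "show password" toggle that defaults to on, still needs to be checked in a browser.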