Passwords must by default not be visible during entry (only when prompted by the user as a usability feature).
Passwords are not visible in any other way (including to administrators) and are not stored in a way that can be reversed.
If passwords/secrets are stored, they must be stored in an appropriate password vault service.
Specification
Passwords need to be hashed and salted (ideally using a unique salt per user) according to https://www.nist.gov/publications/secure-hash-standard or a superseding standard.
ISO 27001 & 27002:2022
A5.3, A5.8, A5.15, A5.16, A5.17, A5.18, A8.3
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.02 Authentication mechanisms