SB.9.010 Password Visibility

Identity & Access Management
Low
Low
Low
System Owner
Version: v2.0 (Q1 2024)

Description

By default, passwords must not be visible during entry; they may be revealed only when the user explicitly asks for it, as a usability feature.

Passwords must not be visible in any other way (including to administrators) and must not be stored in a form that can be reversed to recover the password.

If passwords/secrets are stored, they must be stored in an appropriate password vault service.

Specification

Passwords must be salted and hashed (ideally with a unique salt per user) using a hash function from the NIST Secure Hash Standard (https://www.nist.gov/publications/secure-hash-standard) or a superseding standard.
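As an added illustration of the specification (example code, not part of the control text), the Python below stores a random per-user salt and a one-way digest built on SHA-256 from the Secure Hash Standard, so that two users with the same password get different stored records and the stored record cannot be turned back into the password. The choice of PBKDF2-HMAC as the salted construction, the iteration count and the record layout are assumptions made for this example, not requirements stated by the control.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumptions for this example: PBKDF2-HMAC over SHA-256 (an SHS hash) as the
# salted one-way construction; salt length and iteration count are constructed.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


@dataclass(frozen=True)
class PasswordRecord:
    """What is persisted per user: salt, work factor and digest, never the password."""
    salt: bytes
    iterations: int
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    # A fresh random salt per user: identical passwords yield different digests,
    # and a precomputed table for one user is useless against another.
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return PasswordRecord(salt=salt, iterations=ITERATIONS, digest=digest)


def verify_password(password: str, record: PasswordRecord) -> bool:
    # Recompute with the stored salt and work factor; compare in constant time
    # so a wrong guess is not distinguishable by timing.
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(candidate, record.digest)


def register(users: Dict[str, PasswordRecord], username: str, password: str) -> None:
    users[username] = hash_password(password)


def records_differ_for_same_password(password: str) -> bool:
    # Demonstrates the per-user salt: same password, two users, two distinct records.
    users: Dict[str, PasswordRecord] = {}
    register(users, "alice", password)
    register(users, "bob", password)
    a, b = users["alice"], users["bob"]
    return a.salt != b.salt and a.digest != b.digest
```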