SB.9.010 Password Visibility
Passwords must by default not be visible during entry (only when prompted by the user as a usability feature).
Passwords are not visible in any other way (including to administrators) and are not stored in a way that can be reversed.
If passwords/secrets are stored, they must be stored in an appropriate password vault service.
Passwords need to be hashed and salted (ideally using a unique salt per user) according to https://www.nist.gov/publications/secure-hash-standard or a superseding standard.