CMMC Level 2

Control 3.5.11

Obscure Feedback of Authentication Information


Official Requirement

Obscure feedback of authentication information.

What This Means in Plain English

When users type passwords, the characters should be masked (shown as dots or asterisks). Authentication error messages should not reveal whether the username or the password was wrong, because that distinction tells an attacker which usernames are valid.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Windows logon screens displaying password fields with masked characters (dots)
  • Web application login pages masking password input and displaying generic error messages
  • Microsoft Entra sign-in pages using generic 'sign-in failed' messages without specifying cause
  • FortiGate VPN portal masking credential fields and providing generic authentication failure messages
  • Application development standards requiring password masking and generic error responses

Assessment Guidance

Assessors will test login interfaces for password masking, verify that authentication error messages do not reveal whether the username or password was incorrect, check that password fields use appropriate input masking, and review web application login pages.

Common Implementation Gaps

  • Login pages revealing whether the username or password was incorrect
  • Password fields not masked on custom applications
  • API responses indicating 'user not found' vs 'wrong password'
  • Password visible in URL parameters or browser address bar
  • Application logs recording clear-text passwords in failed authentication attempts
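The two gaps about error messages and logging are easiest to see side by side. The following is an added example, not Petronella's code or any product's: a constructed user store with a leaky login handler that distinguishes "user not found" from "wrong password" and writes the submitted password to its log, beside a hardened handler that returns one generic message, logs only the username, and hashes a dummy record for unknown usernames so the two failure paths also cost the same work (the timing point goes slightly beyond the page's wording). The usernames, salts and passwords are constructed sample data.

```python
"""Login response handling: the implementation gap beside the hardened form.

Added example for this page (not the page's own code). The user store,
hashing parameters and audit-log list are constructed stand-ins.
"""
import hashlib
import hmac
from dataclasses import dataclass

ITERATIONS = 100_000  # constructed; pick per current guidance in a real system


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; salt is per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass(frozen=True)
class Record:
    salt: bytes
    digest: bytes


def _make(password: str, salt: bytes) -> Record:
    return Record(salt, hash_password(password, salt))


# Constructed user store: one known account.
USERS = {"alice": _make("correct horse battery", b"constructed-salt-01")}

# Dummy record used when the username is unknown, so the hardened handler
# performs the same hashing work on both failure paths.
_DUMMY = _make("unused-placeholder", b"constructed-salt-00")

GENERIC_MESSAGE = "Invalid username or password"


def login_leaky(username: str, password: str, audit: list) -> tuple[int, str]:
    """The gap: distinct messages per failure cause, password in the log."""
    rec = USERS.get(username)
    if rec is None:
        audit.append(f"failed login user={username} password={password}")
        return 404, "user not found"
    if not hmac.compare_digest(hash_password(password, rec.salt), rec.digest):
        audit.append(f"failed login user={username} password={password}")
        return 401, "wrong password"
    return 200, "ok"


def login_generic(username: str, password: str, audit: list) -> tuple[int, str]:
    """Hardened: one message for every failure, no secret written to the log."""
    rec = USERS.get(username, _DUMMY)
    # Hash first, then check existence, so both failure paths do the same work.
    digest_ok = hmac.compare_digest(hash_password(password, rec.salt), rec.digest)
    if not (digest_ok and username in USERS):
        audit.append(f"failed login user={username}")  # username only, never the password
        return 401, GENERIC_MESSAGE
    return 200, "ok"


if __name__ == "__main__":
    for handler in (login_leaky, login_generic):
        log: list = []
        print(handler.__name__, handler("alice", "wrong", log), handler("mallory", "x", log))
        print("  audit:", log)
```

Running the block shows the leaky handler answering `user not found` for `mallory` and `wrong password` for `alice`, while the hardened handler returns the same `401` and message for both and its audit lines contain no password. The same structure applies to a JSON API: the response body and status code should not differ between an unknown account and a bad password.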

Cross-Framework Mapping

Framework          Mapped Controls
NIST SP 800-53     IA-6

Need Help Implementing 3.5.11?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
