ISM-1597: ASD Information Security Manual (ISM)

Ensuring Credential Input Obscurity

Passwords and personal credentials are hidden when entered in systems to enhance security.

Plain language

When you enter a password or personal details into a system, this control ensures that information isn't visible to anyone nearby. This matters because if someone can see your credentials as you type, they could misuse them to access sensitive information or systems they shouldn't.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

July 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Credentials are obscured as they are entered into systems.

Why it matters

If credential entry fields are not masked (e.g., password dots), shoulder-surfers or screen recording can capture credentials and enable unauthorised access.

Operational notes

Verify all login and admin forms mask passwords/PINs, including remote sessions; test after updates, and audit configurations to prevent plaintext entry display.

Implementation tips

  • IT team should ensure password fields in all systems obscure text by default. Implement this by configuring the systems to display dots or asterisks instead of characters in password input fields.
  • System owners should conduct regular checks to confirm that login screens across all platforms maintain obscurity of credentials. This can be done by manually testing each system to ensure that passwords are hidden as they are typed.
  • Managers should train staff about the importance of entering passwords discreetly and ensuring others cannot see their screens. Conduct short workshops or include reminders in newsletters to emphasise the need for privacy during login.
  • Procurement should ensure any new software or system includes credential obscurity features. This can be achieved by including 'password obscurity' as a requirement in purchasing specifications and checking for it during product demonstrations.
  • IT support should ensure screen protecting films are available for computers and devices prone to shoulder surfing. These films can limit viewing angles so only the person directly in front of the screen can read it.

Audit / evidence tips

  • Ask: A list of all systems where credentials are entered. Good: All systems show clear evidence of this setup.
  • Good: Well-attended sessions with presentations that address this specifically.
  • Ask: Recent procurement specifications for software. Good: Clear specifications mandating the feature and documentation showing it was checked during acquisition.
  • Good: A documented review process with specific checks for credential obscurity at regular intervals.
  • Ask: To see the availability list of privacy screens or similar measures. Good: Evidence that screens have been made accessible to users who need them.

Cross-framework mappings

How ISM-1597 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
  Annex A 8.26: ISM-1597 requires credentials to be obscured as they are entered into systems, which is an explicit security requirement for authenticati...
Partially overlaps (1)
  Annex A 5.17: Annex A 5.17 requires organisations to manage authentication information securely and to advise personnel on appropriate handling
Supports (1)
  Annex A 8.29: ISM-1597 requires credentials to be obscured as they are entered into systems, implying the organisation must implement and validate secu...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
