Navigate

Check: WN12-CC-000076

Windows 2012 IAVM: WN12-CC-000076 (in version v1 r30)

Title

The password reveal button must not be displayed. (Cat II impact)

Discussion

Visible passwords may be seen by nearby persons, compromising them. The password reveal button can be used to display an entered password and must not be allowed.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ Value Name: DisablePasswordReveal Type: REG_DWORD Value: 1

Fix Text

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> "Do not display the password reveal button" to "Enabled".

Additional Identifiers

Rule ID:

Vulnerability ID: V-36700

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000206	Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-6	Authenticator Feedback