Benefits:
Thwarts Enumeration and Shoulder Surfing: By not revealing whether it was the username or the password that was wrong, the system denies an attacker the ability to confirm which accounts exist, which is the first step of credential stuffing and of targeted phishing against known users. The companion control, masking the characters of the password as they are typed, protects against someone standing behind you watching the screen ("shoulder surfing"). It does not make that impossible, since keystrokes can still be observed, but it removes the easiest route to the credential.
Usability Trade-off: We all mistype sometimes. Because obscured feedback withholds which part (username or password) was wrong, legitimate users get slightly less help when a login fails, especially when they are entering complex passwords. Offset this with a clear password-reset path, an optional "show password" toggle and a visible caps-lock warning, so that the security benefit does not come at the cost of locked-out or discouraged users.
Accountability:
Senior Management: Sets the security tone and allocates resources for implementing and enforcing obscure feedback mechanisms. They ensure IT security policies reflect this control and hold individuals accountable.
IT Security Team: They implement and maintain technical controls like masking characters during password entry. They also educate users on identifying phishing attempts that might reveal credentials.
System Owners: They ensure their specific systems adhere to the organization's security policies. This might involve configuring login screens to mask passwords and return generic failure messages, and, as a complementary control, enabling multi-factor authentication.
Individual Users: They are responsible for practicing good security hygiene. This includes choosing strong passwords and avoiding entering them in public places where someone could see the screen. They should also report any suspicious login attempts.
Implementation:
Generic Messages: Instead of saying "Wrong username" or "Incorrect password," the system displays a single generic message such as "Login failed." The message, HTTP status code and response body must be identical for an unknown account, a wrong password and a locked account, and the same rule applies to password-reset and registration flows ("If an account exists, an email has been sent"). This keeps the attacker in the dark about which usernames are valid.
Deliberate Delays: A generic message is not enough if the response time differs. A naive implementation hashes the submitted password only when the username exists, so an unknown username answers measurably faster. The system should perform the same work on every attempt (hashing the password against a dummy record when the user is unknown) and can additionally pad every response, successful or not, to a fixed minimum time. This makes it difficult to tell whether a username exists based on how quickly the response comes back.
Limited Attempts: This is a common approach. The system allows a set number of login tries. After the limit is exceeded, the account is temporarily locked or requires additional verification, stopping brute-force attacks where attackers try endless combinations. Two caveats: a permanent lockout lets an attacker deny service to any user simply by guessing wrong repeatedly, so prefer a time-limited lockout or progressive delays, and the lockout must not change the visible error message, or it becomes another way to confirm that the account exists. Log every failed attempt with the source address so that security operations can detect distributed guessing.
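The three implementation points above combined into one login routine, as an added example that is not from the original page or any particular product. The "leaky" method shows the behaviour the generic-message control replaces; the hardened method returns the same message for unknown user, wrong password and locked account, does the same hashing work on every path, supports an optional minimum response time, and applies a time-limited lockout. The user store, the hypothetical dummy record and the constants are assumptions made for the example; the PBKDF2 iteration count is kept low so it runs quickly and should be tuned upward in production.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Example constants (assumptions, not from the page). Tune the iteration
# count for your hardware; it is kept low here so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
# One message for every failure path: unknown user, bad password, locked account.
GENERIC_FAILURE = "Login failed"


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # monotonic timestamp; 0.0 means not locked


# Hypothetical dummy record: unknown usernames are checked against it so the
# unknown-user path costs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


class Authenticator:
    def __init__(self):
        self.users = {}   # constructed in-memory store standing in for a database

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, hash_password(password, salt))

    def login_leaky(self, username, password):
        """The 'before' version: the message tells the attacker which half was wrong."""
        user = self.users.get(username)
        if user is None:
            return False, "Wrong username"
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return False, "Incorrect password"
        return True, "OK"

    def login(self, username, password, now=None, min_response=0.0):
        """Hardened version: generic message, constant work, padded time, lockout.

        `now` is injectable for testing; `min_response` pads every answer
        (success or failure) to at least that many seconds.
        """
        start = time.monotonic()
        now = start if now is None else now
        user = self.users.get(username)

        if user is None:
            # Same work as the real path, result deliberately discarded.
            hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
            return self._finish(False, GENERIC_FAILURE, start, min_response)

        if now < user.locked_until:
            # Still hash so a locked account is not distinguishable by timing,
            # and do not accept even a correct password while locked.
            hash_password(password, user.salt)
            return self._finish(False, GENERIC_FAILURE, start, min_response)

        if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failed_attempts = 0
            return self._finish(True, "OK", start, min_response)

        user.failed_attempts += 1
        if user.failed_attempts >= MAX_ATTEMPTS:
            # Time-limited lockout, so guessing cannot permanently deny service.
            user.locked_until = now + LOCKOUT_SECONDS
            user.failed_attempts = 0
        return self._finish(False, GENERIC_FAILURE, start, min_response)

    @staticmethod
    def _finish(ok, message, start, min_response):
        # Deliberate delay: pad to a fixed floor regardless of outcome.
        remaining = min_response - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
        return ok, message


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery staple")
    print(auth.login_leaky("nobody", "x"))   # leaks that the user does not exist
    print(auth.login("nobody", "x"))         # generic failure
    print(auth.login("alice", "wrong"))      # same generic failure
    print(auth.login("alice", "correct horse battery staple"))
```

The failed-attempt counter and `locked_until` would live in the user store in a real deployment, and rate limiting by source address belongs in front of this function; the example shows only the per-account logic the text describes.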