Password management is a crucial part of securing any system. Implementing strong policies and practices around passwords can go a long way in preventing unauthorized access to sensitive data and systems. The Cloud Security Alliance provides guidance on securely managing passwords in their Cloud Controls Matrix.

Where did this come from?

This article is based on control IAM-15 from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full CCM here: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4

The CCM compiles security guidance from many industry standards and best practices. For more information on password management, check out:

• NIST 800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
• OWASP Password Storage Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
• CIS Controls Version 8 - Control 6 Access Control Management: https://www.cisecurity.org/controls/cis-controls-list

Who should care?

This guidance is relevant for:

• System administrators responsible for configuring authentication mechanisms
• Developers building password-based login functionality
• Security architects defining authentication policies and standards
• IT managers overseeing access control processes

What is the risk?

Weak password practices open up major security holes:

• Attackers can easily guess or brute-force weak, default, or reused passwords to gain unauthorized access
• Unencrypted passwords transmitted over networks can be intercepted
• Passwords stored in clear text are exposed if the password database is breached
• Shared accounts mean you can't audit who did what

The impact can be severe - sensitive data exposure, malware infection, fraud, reputation damage, and more. Most data breaches involve compromised credentials.

What's the care factor?

Everyone should care a lot about getting password management right. It's Security 101. The risk is high and exploiting weak passwords is one of the easiest and most common ways for attackers to break in.

Compared to other security controls, basic password management is relatively low effort for a big risk reduction. There's really no excuse for leaving default passwords or storing them in clear text these days.

That said, some of the password complexity requirements can be a usability nightmare and lead to people writing down passwords. Things like frequent mandatory password changes and not allowing any dictionary words have been shown to do more harm than good. Focus on a reasonable minimum bar for length/complexity along with secure storage and transmission.

When is it relevant?

You need to think about password management anytime you are implementing password-based authentication for users, admins, or system/service accounts.

Most cloud services come with secure password management functionality out of the box. The risk comes from misconfiguration or custom implementations.

You may be able to skip some of this if you are using a more secure authentication method like:

• Passwordless using hardware security keys
• Biometrics like fingerprint or face ID
• Certificates for machine authentication

But you still probably have some passwords to manage (ex: root/break glass accounts) even in a mostly passwordless setup. And a lot of this guidance around secure storage and transmission still applies to other secrets like API keys.

What are the trade offs?

Proper password management requires additional engineering effort to securely hash and encrypt passwords. It can slow down development, especially if retrofitting older apps.

Enforcing some password complexity requirements can hurt user experience, especially things like frequent mandatory resets and not allowing any dictionary words (leads to hard-to-remember passwords). Need to balance security and usability.

Some legacy systems may not support modern password hashing or encryption. You may need to upgrade/rearchitect those components or put compensating controls in place.

How to make it happen?

Here are the key steps to implement the secure password management practices from the CCM:

1. Eliminate any default/built-in accounts and passwords that come with systems.
2. Require strong passwords. At a minimum:
   • 8 character minimum (prefer 12+)
   • Mixture of upper/lowercase, numbers, special characters
   • Disallow common weak passwords (ex: "password", "123456", etc.)
   • Don't allow the username as part of the password
3. Store passwords securely
   • Use a secure hash function like bcrypt, scrypt, PBKDF2, or Argon2
   • Salt each password hash
   • Never store passwords in clear text!
4. Encrypt passwords in transit using TLS. Disable any insecure protocols like Telnet.
5. Implement a secure password reset process that verifies the user's identity (ex: email link with a time-limited token). Don't send passwords over insecure channels like email.
6. Automatically force a password change on first login for any new/reset account
7. Configure a reasonable max password age (ex: 90 days) and limit password reuse when changed (remember last 5+)
8. Educate users on selecting strong, unique passwords and not sharing them. Encourage password manager use.
9. Disallow shared/generic accounts. Each user needs their own unique login.

What are some gotchas?

Some common mistakes when implementing password management:

• Forgetting to remove/disable default accounts that come with systems
• Allowing weak passwords like "password123"
• Emailing users their password in clear text after a reset
• Letting users pick security questions that are easily guessed/researched
• Storing password histories and checking the new password against that (password reuse limits should only apply going forward)

Make sure any libraries/frameworks you use for authentication are up-to-date and properly configured. A lot of websites get popped because they are using old, vulnerable plugins.

Specific permissions that may be needed:

• IAM permissions to set account password policies (ex: iam:UpdateAccountPasswordPolicy)
• KMS permissions for encrypting passwords (ex: kms:Encrypt, kms:Decrypt)

What are the alternatives?

Passwords are by far the most common form of authentication, but consider these more secure alternatives where possible:

• Multi-factor authentication (MFA) using a hardware token or authenticator app as the second factor
• Passwordless authentication using methods like WebAuthn/FIDO2 security keys
• Biometrics like fingerprint or facial recognition (as a second factor)
• Certificates for machine-to-machine authentication

Even if you can't fully eliminate passwords, adding a second factor makes it much harder for attackers to break in with a stolen password.

Explore further

• NIST 800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
• OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
• CIS Controls v8 - Control 6 Access Control Management: https://www.cisecurity.org/controls/access-control-management

This control also relates to:

• IAM-09: Separation of Duties
• DSP-05: Data Leakage Prevention

The key message is don't let poor password management be your Achilles heel. Implementing some basic hygiene like strong complexity requirements, secure storage, and removing default passwords will stop a lot of attacks in their tracks. Add in MFA for an extra layer of protection. Like eating your vegetables, password management isn't always fun but it's good for your (security) health!

‍