What Do the New NIST Password Guidelines Mean for Cloud Security?
Published 11/13/2024
Originally published by Skyhawk Security.
Written by Jennifer Gill.
The common joke among security folks is that everyone knows what a password is, but not many remember their own. Even so, passwords remain an essential security mechanism, and now that NIST is updating its password recommendations, this is a good opportunity to revisit why passwords were created and why we still need them.
How were passwords invented, and why do we need them at all?
How did the password come into our lives? In the early 1960s, MIT wanted several researchers to share the same mainframe computer (an IBM 7094 running the Compatible Time-Sharing System, CTSS). To keep their files and computing time apart, each user was given a separate account with its own password (I wonder - were these Pass0, Pass1, Pass2?).
Since then, the password has remained one of the most basic information security measures, and with the Internet and smartphones breaking into our lives, we all use passwords all the time.
How does a password work? At the most basic level, the system we wish to access (let's say a Netflix account) creates an account in our name. To log in, we identify ourselves so the system knows it is us: we tell it who we are (the username, usually our email address) and then give it a piece of information that only we should know, the password. The system checks that the password we entered matches the one associated with our user and, if it does, lets us into the account.
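What "matches the password associated with our user" should mean in practice is shown below. This is an added example, not code from the original article or from Skyhawk Security: a hypothetical in-memory user store where the system never keeps the password itself, only a salted PBKDF2 hash of it, and compares in constant time. The iteration count is an assumed work factor for illustration.

```python
# Added example: how a verifier checks a password without storing it.
# The user store is a hypothetical dict; a real system would use a database.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune for your hardware
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a fixed-length key from the password; this, not the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account(store: dict, username: str, password: str) -> None:
    """Store only a random salt, the iteration count and the derived key."""
    if username in store:
        raise ValueError("username already taken")
    salt = os.urandom(SALT_BYTES)
    store[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": _derive(password, salt, PBKDF2_ITERATIONS),
    }


# Used when the username does not exist, so an unknown user costs the same time as a
# wrong password; otherwise response timing reveals which usernames are registered.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = _derive("dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def verify_login(store: dict, username: str, password: str) -> bool:
    """Return True only if the password re-derives to the stored hash."""
    record = store.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT, PBKDF2_ITERATIONS)  # burn the same work, then fail
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    # Constant-time comparison: a wrong guess cannot be refined byte by byte.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    users = {}
    create_account(users, "alice@example.com", "cloudy with a chance of meatballs")
    create_account(users, "bob@example.com", "cloudy with a chance of meatballs")
    print(verify_login(users, "alice@example.com", "cloudy with a chance of meatballs"))
    print(verify_login(users, "alice@example.com", "Cloud1234"))
    # Same password, different salt, so the stored hashes differ and a leak of the
    # store does not reveal who shares a password.
    print(users["alice@example.com"]["hash"] != users["bob@example.com"]["hash"])
```

The point for cloud services is that a leaked user table should yield salted hashes that still have to be cracked one account at a time, not passwords that can be replayed directly against other services.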
Simple and easy. But sometimes, too easy.
Because people look for shortcuts and can only remember so much, most of us pick passwords that are easy to memorize: "1234", our own name or simply "password". Attackers learned these habits and broke into far too many accounts. That is why security standards (primarily the earlier NIST guidance) hardened password policies: a minimum length (and often a fairly low maximum), mandatory mixing of uppercase and lowercase letters, digits and special characters, all intended to make a password harder to guess. Attackers then automated their guessing, trying huge numbers of character combinations (brute-force attacks), wordlists of common passwords (dictionary attacks) and username/password pairs taken from leaked credential databases (credential stuffing), so organizations also began forcing users to change their passwords frequently. All of these restrictions were meant to shrink the window in which a guessed or stolen password is useful.
None of it worked as intended. Studies have shown that users choose the easiest password a policy permits, and when forced to change it frequently they recycle old passwords or make a trivial edit, such as incrementing a trailing digit. Bottom line: many cyber attacks still succeed because attackers get into accounts with guessed or stolen passwords.
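To make the contrast concrete, here is an added example (not from the original article) that implements the legacy composition-rule policy described above side by side with a policy in the style of NIST SP 800-63B: a length floor and a generous ceiling, spaces and Unicode accepted, no composition rules, no expiry, and a check against a blocklist of known-compromised passwords and context-specific words. The blocklist here is a tiny constructed stand-in; a real deployment loads a breach corpus.

```python
# Added example: legacy composition rules versus a 800-63B-style check.
import unicodedata

MIN_LENGTH = 8      # 800-63B floor; the draft revision 4 recommends 15 for password-only login
MAX_LENGTH = 128    # verifiers must accept at least 64 characters; there is no reason to cap lower

# Constructed stand-in for a breached/common-password blocklist (assumption: a real
# deployment would test against millions of entries from a breach corpus).
BLOCKLIST = {"password", "123456", "12345678", "qwerty", "p@ssw0rd", "letmein", "iloveyou"}


def normalize(secret: str) -> str:
    """800-63B: apply NFKC so the same passphrase typed on different keyboards matches."""
    return unicodedata.normalize("NFKC", secret)


def check_nist_policy(secret: str, context_words=()) -> list:
    """Return the reasons to reject; an empty list means the password is acceptable."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        problems.append("appears on the blocklist of known-compromised passwords")
    for word in context_words:                     # username, service name, and the like
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    # Deliberately absent: uppercase/digit/symbol rules, a ban on spaces, an expiry date.
    return problems


def check_legacy_policy(secret: str) -> list:
    """The pre-2017 style rules the article describes, kept here only for contrast."""
    problems = []
    if not 8 <= len(secret) <= 16:
        problems.append("length must be 8 to 16 characters")
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(c in "!@#$%^&*" for c in secret):
        problems.append("needs a special character")
    if " " in secret:
        problems.append("spaces are not allowed")
    return problems


if __name__ == "__main__":
    for candidate in ("cloudy with a chance of meatballs", "P@ssw0rd", "short"):
        print(repr(candidate))
        print("  legacy:", check_legacy_policy(candidate) or "accepted")
        print("  nist:  ", check_nist_policy(candidate, context_words=("alice",)) or "accepted")
```

The passphrase fails every legacy rule and passes the NIST-style check; "P@ssw0rd" satisfies every composition rule and is rejected only because the blocklist knows it. That inversion is the whole argument for dropping composition rules in favour of length and a blocklist.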
Passwords and the cloud
Who uses passwords in the cloud? All of us!
From Gmail and Netflix accounts, through social networks (Facebook and Instagram), to shopping apps, we all use passwords to access cloud systems. And precisely because of this, these systems suffer numerous break-ins and data leaks.
The new draft of NIST SP 800-63-4, a welcome update to the guidelines for managing digital identities, is expected to have a significant impact on cloud information systems and their security. A Google study found that more than 80% of cloud break-ins used stolen credentials (username and password). This is not surprising, given that close to half of Americans admit that a password of theirs was stolen in the past year. Recent incidents, for example the 2024 compromise of customer accounts at the cloud data company Snowflake, showed that many organizations do not disable the accounts of "old" users (such as people who no longer work there), do not rotate credentials even after they are known to have leaked, and protect many accounts with nothing but a password. NIST now puts the emphasis on the following:
- Emphasis on multi-factor authentication (MFA): The draft encourages widespread use of multi-factor authentication and offers detailed guidelines for its implementation. MFA combines something you know (the password) with something you have (a mobile device, an authenticator app or a hardware key) or something you are (a biometric), which greatly reduces the chance that someone else can log into your account with just your password.
- Simplifying passwords: In contrast to the previous approach, the new draft drops mandatory composition rules (a required mix of uppercase and lowercase letters, numbers and special characters). Instead it emphasizes password length, a check against lists of known-compromised passwords, and the use of stronger authenticators. For example, instead of "Cloud1234" we can now create the passphrase "cloudy with a chance of meatballs". Yes, that is not a mistake: the new policy requires verifiers to accept spaces, so multi-word passphrases are allowed. To reduce password reuse, the draft also takes a more flexible approach to changing passwords: periodic forced rotation is out, and passwords should be changed when there is evidence of compromise.
- Enhancing the security of API interfaces: Since cloud systems rely heavily on APIs, the demand for stronger authentication should raise the security of these interfaces as well. We have noticed that many organizations suffer from leaked API keys and do not rotate keys often enough. Hopefully the new recommendations will help improve that aspect of API security.
- Synchronous authentication: The draft offers detailed guidelines for synchronous authentication, a more secure method of identity verification. Examples are a one-time code (OTP) that is randomly generated and delivered to the user's mobile phone, a physical hardware key that generates one-time codes, and biometric identification such as a fingerprint, facial recognition or an iris scan.
- Improving identity and access management: The new guidelines will help organizations in the cloud improve their identity and access management and ensure that only authorized people can reach information. We strongly recommend improving entitlement management and running "what-if" simulations to determine the proper entitlements.
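The one-time codes that authenticator apps and code-generating hardware keys produce are almost always TOTP (RFC 6238), which is HOTP (RFC 4226) driven by a 30-second time counter. Below is an added example, not code from the original article or from Skyhawk Security, that implements both ends: generating a code from a shared seed and verifying it with a small clock-drift window and replay protection. The seed, times and expected codes come from the RFC test vectors; everything else is a stand-in for a real verifier's storage.

```python
# Added example: TOTP generation and verification (RFC 6238 over RFC 4226).
import base64
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(time / step); this is what the phone shows."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, code: str, unix_time: int, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the counter the code matched, or None.

    Codes for the current step and +/- skew neighbouring steps are accepted so that a
    phone whose clock drifts a little still works. Counters at or below
    last_used_counter are refused, so a code captured by phishing cannot be replayed
    inside the window; the caller must persist the returned counter per user.
    """
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if c < 0 or c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits), code):
            return c
    return None


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps receive the seed as base32 (the otpauth:// QR code)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore the padding apps usually strip
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test seed: the ASCII string "12345678901234567890".
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59))                        # 287082 (RFC 6238, 6 digits)
    print(totp(key, 1111111109, digits=8))      # 07081804
    print(verify_totp(key, "287082", 59))       # 1: accepted, remember this counter
    print(verify_totp(key, "287082", 59, 1))    # None: same code replayed
    print(verify_totp(key, "287082", 120))      # None: outside the drift window
```

Two details matter for a deployment: the comparison uses `hmac.compare_digest`, and the accepted counter is returned so it can be stored and refused next time. A verifier that skips the second part turns a 30-second code into one that an attacker who phishes it can use as often as they like within the window.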