Security

The ugly state of password security in the cloud

Above: Password

Image Credit: Africa Studio/Shutterstock

Kyle Quest is CTO and cofounder of CloudImmunity

When it comes to information security, the harsh reality is that end users are often the weakest link in the chain. It’s no surprise then that end users are often the first point of call to be exploited by attackers. The cloud and SaaS applications are great targets for these attacks because those applications have to deal with password-based user identities and because they are accessible from anywhere in the world –a benefit for developing economies with a high-skill and low-cost workforce that can be used for nefarious purposes.

A lot has been written about passwords in general and about the weaknesses in many high profile Internet and cloud applications. The security compromises of Evernote, LinkedIn, Sony, Yahoo, Linode, eHarmony, Last.fm, Zappos, Nvidia, Gawker, Billabong, Android Forums, and Ubuntu Forums in the recent years bring new light to a very old problem: People choose weak passwords (because it’s easy and because they can). Discussions in the technical community tend to focus on the easy problems: using more appropriate hashing algorithms, using salts for password hashing, etc. Of course, keeping the password hashes safe and using slow hashing algorithms (with random salt values) is important. It would protect a lot of relatively strong passwords that can’t be cracked using online brute-forcing attacks from being cracked by using offline brute-forcing attacks.  However, secure password storage and proper password hashing are only one side of the problem. Even if the apps are not compromised, their users are still in danger.


You can hear Kyle Quest speak and attend our Cloud Security session at VentureBeat’s CloudBeat conference in San Francisco, Sept. 9-Sept. 10 in San Francisco. We will be tackling revolutionary cases of enterprise cloud usage and exploring some of the hottest cloud trends and technologies. Register today!


It’s all because they don’t do a good job helping their users pick safe passwords. When users pick “password” or “123456,” it doesn’t matter how secure the password storage and password hashing are because attackers will guess these passwords in no time. It’s common practice for Internet and cloud application vendors to say that users shouldn’t pick weak passwords. But telling people to pick secure and hard-to-guess passwords simply doesn’t work because in many cases people will pick the easiest password their cloud applications allow. The leaked passwords from the recently publicized compromises are great examples of that.

I wanted to see what popular cloud services and applications do when it comes to making sure their users have secure passwords. I reviewed more than 130 cloud and SaaS services and the results were a bit unexpected.

First, let’s take a look at the categories.

* General cloud IaaS/PaaS services – 12
* Other SaaS Services – 12
* BaaS Services – 11
* Cloud Storage Services – 10
* YC companies – 9
* Authentication and Identity Management Services – 7
* Cloud Management and Monitoring Services – 7
* Cloud-based Development Tools and Services – 6
* Social – 6
* Big Data Services – 5
* Other Specialized Cloud PaaS Services – 5
* Payments – 5
* Billing – 4
* Bitcoin – 4
* Cloud Email Services – 4
* API management – 4
* Cloud Database Services – 3
* Security – 3
* Analytics Services – 3
* Voice and SMS Services – 3
* Project Management – 3
* Web Content Caching – 2
* Source Code Management – 2
* Mobile – 2
* Recruiting – 2

A lot of these cloud services target very technical users, and you’d expect these services to be strict with passwords. You’d also expect the security related services and the services dealing with financial information to have the most secure passwords. But the password requirements below show that the majority of the cloud services allow very simple passwords with any characters, and most of those passwords are allowed to be very short. This means that attackers can easily crack many user passwords using simple online password guessing attacks without compromising the cloud applications and gaining access to password hashes.

* 6 character passwords (any characters) – used by 48 services
* 1 character passwords (any characters) – used by 31 services
* 4 character passwords (any characters) – used by 11 services
* 5 character passwords (any characters) – used by 9 services
* 8 character passwords (any characters) – used by 9 services
* 6 character passwords (must have letters and numbers or both lower and uppercase letters) – used by 7 services
* 8 character passwords (at least one uppercase character, one lower case character, one number) – used by 7 services
* 8 character passwords (must have letters and numbers) – used by 3 services
* 6 character passwords (at least two different characters) – used by 2 services
* 7 character passwords (must have letters and numbers or both lower and uppercase letters) – used by 2 services
* 8 character passwords (must have letters, numbers, and a special character @ # $ % ^ & *) – used by 1 service
* 7 character passwords (any characters) – used by 1 service
* 6 character passwords (at least one uppercase character, one lower case character, one number) – used by 1 service
* 9 character passwords (must have letters and numbers or both lower and uppercase letters) – used by 1 service

The research produced a number of interesting questions about the password security practices among the different cloud services. How is it that so many services allow single character passwords? Shouldn’t services dealing with payments and billing information be really strict about their password requirements? Shouldn’t the security and especially the Identity Management and the authentication services do best when it comes to password security?

In most cases, passwords are the “elephant in the room”, an issue that’s commonly overlooked. Sometimes developers are afraid to impact the user experience in a negative way, but a lot of times only a bare minimum is done because security is at the bottom of the developers’ to-do list and the user account implementation often ends up being based on the code samples found on the Internet.

Unfortunately, the security community and the security/compliance standards don’t help that much. Historically, short passwords with random characters have been considered to be the best practice when it comes to password security. This doesn’t work because people can’t create and remember passwords like that. It gets worse when people are forced to change their passwords every three months (and in some cases every month). This means that people pick a really easy-to-guess password creation scheme. The standards and the password security best practices try to enforce the password randomness using primitive password restrictions, which ultimately fails because, in most cases, people pick simple words, changing them just enough to satisfy the restrictions. Attackers use these behaviors as a blueprint for password cracking and brute-forcing, turning the application password policies against the victims.

Everyone accepts we’re moving to a future where individuals and organizations will use a large number of discrete applications and services; we need to start thinking about how the building blocks of applications — among them security and password protection — can best be tailored to deliver the needs of this new world. Ideally, it would be great to replace password-based user identities with something else. Unfortunately passwords are like roaches — they’ll outlive us all. Instead of living in a fantasy or pretending that the problem doesn’t exist and pushing the responsibility for password security on cloud application users, we need correct password security implementations, and we need innovation to make passwords safe and usable.

Kyle Quest is the CTO and co-founder of CloudImmunity, where he’s on the mission to change the world of cloud security and cloud computing in general. His specialties include cloud computing, Big Data, and security. Kyle has been involved in security since 1996 as an attacker, defender, and a security vendor. Prior to CloudImmunity, Kyle built a cloud based enterprise security Big Data platform at CrowdStrike and he was a part of a small group of security experts at Microsoft making Windows 8 secure. As the organizer of the Cloud Hackathon group Kyle is involved in the local cloud computing community where they have fun building interesting things using many different cloud technologies.