The Sad State of Password Security in the Cloud

People are the weakest link when it comes to security. The cloud computing revolution brings new life to this age-old vulnerability. Cloud application users are exposed to many new attack vectors, but the security model designed to protect them is out of date. On top of that fundamental weakness, many cloud applications have significant design and implementation flaws, because user authentication and identity management seem deceptively simple: you identify a user by a unique ID and you confirm that identity with a secret password.

A lot has been written about passwords in general and about the weaknesses in many high-profile Internet and cloud applications. The security compromises of Evernote, LinkedIn, Sony, Yahoo, Linode, eHarmony, Last.fm, Zappos, Nvidia, Gawker, Billabong, Android Forums, and Ubuntu Forums in recent years shed new light on a very old problem: people choose weak passwords. They do it because it's easy and because they can. Discussions in the technical community tend to focus on the easy problems: using more appropriate hashing algorithms, using salts for password hashing, etc. Of course, keeping the password hashes safe and using slow hashing algorithms (with random salt values) is important. It would protect a lot
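The slow, salted hashing the paragraph recommends, shown beside the fast unsalted scheme it replaces. This is an added Python example, not code from the original article; the iteration count and the `scheme$iterations$salt$digest` record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the slow, salted hash (PBKDF2-HMAC-SHA256 from the
# standard library). The iteration count is the "slow" part: every guess costs
# the attacker the same work it costs the server. Tune it to your hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: a single SHA-256 over the bare password.
    Deterministic, so two users with the same password share a hash, and
    precomputed tables or GPU brute force apply to every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. A fresh random salt per user means identical
    passwords produce different records; storing the iteration count lets
    it be raised later without breaking existing entries."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("fast, unsalted (same for every user):", fast_unsalted_hash(pw))
    print("slow, salted (differs per user):     ", hash_password(pw))
    print("slow, salted (differs per user):     ", hash_password(pw))
```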