The Sad State of Password Security in the Cloud

People are the weakest link when it comes to security. The cloud computing revolution brings new life to this age-old vulnerability. Cloud application users are exposed to many new attack vectors, but the security model designed to protect them is out of date. On top of that fundamental weakness, many cloud applications have significant design and implementation flaws, because user authentication and identity management seem deceptively simple: you identify a user based on a unique ID and you confirm the identity based on a secret password.

A lot has been written about passwords in general and about the weaknesses in many high-profile Internet and cloud applications. The security compromises of Evernote, LinkedIn, Sony, Yahoo, Linode, eHarmony, Last.fm, Zappos, Nvidia, Gawker, Billabong, Android Forums, and Ubuntu Forums in recent years shine new light on a very old problem: people choose weak passwords. They do it because it's easy and because they can. Discussions in the technical community tend to focus on the easy problems: using more appropriate hashing algorithms, using salts for password hashing, etc. Of course, keeping the password hashes safe and using slow hashing algorithms (with random salt values) is important. It would protect a lot of relatively strong passwords from being cracked by offline brute-force attacks. However, secure password storage and proper password hashing are only one part of the problem. Even if the apps are not compromised, their users are still in danger.

It's all because the applications don't do a good job of helping their users pick safe passwords. When users pick "password" or "123456", it doesn't matter how secure the password storage and password hashing are, because attackers will guess these passwords in no time. It's common practice for Internet and cloud application vendors to say that users shouldn't pick weak passwords. But telling people to pick secure and hard-to-guess passwords simply doesn't work, because in many cases people will pick the easiest password their cloud applications allow. The leaked passwords from the recently publicized compromises are great examples of that.

I wanted to see what popular cloud services and applications do when it comes to making sure their users have secure passwords. I reviewed more than 200 cloud services in several different categories. The results were unexpected and surprising in some of those categories.

[Figure: Cloud Service Categories (Reset Stats)]

Password Requirements

[Table: Cloud Service Password Requirements, with columns Category, Requirement and Services; the table rows were not preserved in this copy of the page]

A lot of these cloud services target very technical users, so you'd expect them to be strict with passwords. You'd also expect the security-related services and those dealing with financial information to have the strictest password requirements. But the password requirements above show that the majority of the cloud services allow very simple passwords made of any characters. Also, most of those passwords are allowed to be very short. This means that attackers can easily crack many user passwords using simple online password-guessing attacks, without compromising the cloud applications and gaining access to the password hashes.

The research produced a number of interesting questions about the password security practices among the different cloud services. How is it that so many services allow single character passwords? Shouldn't services dealing with payments and billing information be really strict about their password requirements? Shouldn't the security, and especially the Identity Management and the authentication services, do better when it comes to password security?

In most cases, passwords are the "elephant in the room," an issue that's commonly overlooked. Sometimes developers are afraid to impact the user experience in a negative way, but a lot of times only a bare minimum is done because security is at the bottom of the developers' to-do list and the user account implementation often ends up being based on the code samples found on the Internet.

Unfortunately, the security community and the security/compliance standards don't help that much. Historically, short passwords with random characters have been considered the best practice when it comes to password security. This doesn't work because people can't create and remember passwords like that. It gets worse when people are forced to change their passwords every three months (and in some cases every month). This means that people pick a really easy-to-guess password creation scheme. The standards and the password security best practices try to enforce password randomness using primitive password restrictions; this ultimately fails because, in most cases, people pick simple words, changing them just enough to satisfy the restrictions. Attackers use these behaviors as a blueprint for password cracking and brute forcing, turning the application password policies against the victims.
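To make the point in the paragraph above concrete, here is an added example (not code from the original post) that puts the "primitive restriction" policy next to a checker that undoes the usual mutations before consulting a blocklist. The blocklist is a tiny constructed stand-in for a real leaked-password list, and the 12-character minimum, the leet-substitution map and the username check are assumptions chosen for illustration. It shows that "Password1!" and "P@ssw0rd2013!" sail through the character-class policy while a long lowercase passphrase is rejected by it, and that the blocklist-aware checker gets both decisions the other way round.

```python
import string
from typing import List

# Added example, not code from the original post. The blocklist is a tiny
# constructed stand-in for a real leaked-password list; the 12-character
# minimum and the mutation rules below are assumptions for illustration.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "summer",
    "iloveyou", "monkey", "dragon", "football",
}
MIN_LENGTH = 12

# Reverse the substitutions people make to satisfy "must contain a digit/symbol".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def naive_policy_ok(pw: str) -> bool:
    """The 'primitive restriction' policy: 8+ characters with one of each class."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def candidate_forms(pw: str) -> List[str]:
    """Strip the usual decorations (case, edge punctuation, trailing digits, leet)
    so that 'P@ssw0rd2013!' is compared against the blocklist as 'password'."""
    lowered = pw.lower()
    no_punct = lowered.strip(string.punctuation)
    no_suffix = no_punct.rstrip(string.digits)
    forms = [lowered, no_punct, no_suffix,
             lowered.translate(LEET_MAP), no_punct.translate(LEET_MAP),
             no_suffix.translate(LEET_MAP)]
    return list(dict.fromkeys(f for f in forms if f))   # dedupe, keep order


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the reasons a password is unsafe; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for form in candidate_forms(pw):
        if form in COMMON_PASSWORDS:
            problems.append("variant of the common password %r" % form)
            break
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) <= 2:
        problems.append("made of only one or two distinct characters")
    return problems


def is_acceptable(pw: str, username: str = "") -> bool:
    return not check_password(pw, username)


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd2013!", "Summer2013!",
               "correct-horse-battery-staple-93"]:
        print("%-35s naive=%-5s problems=%s"
              % (pw, naive_policy_ok(pw), check_password(pw)))
```

The normalisation step is the part that matters: a blocklist consulted only on the literal string still lets "Password1!" through, because the user has already mutated it past an exact match. Feeding the stripped and de-leeted forms to the lookup is what makes the policy reflect how people actually choose passwords rather than the letter of a complexity rule.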

The world of cloud computing introduces many security challenges, but it also provides new opportunities to redefine security and achieve what hasn't been possible in the past. User security is fundamental to overall cloud application security, and it is long overdue for innovation. Some people think that getting rid of passwords is the future. Unfortunately, passwords are like roaches: it's really hard to get rid of them, and there's a reason for that. Just because passwords alone aren't great at protecting users doesn't mean there's no place for them. There's a long road ahead, and the first step is to make passwords safe and usable.