

How enterprises can protect against weak cloud passwords

Weak passwords are a common threat to enterprises relying on cloud services. Expert Dejan Lukan reviews some password best practices.

Cloud services have mushroomed in the last few years and are used by a growing number of individuals and companies. Each of those services, however, comes with its own account, so users accumulate a large number of passwords they must remember in order to connect to and use them.

Weak cloud passwords

With so many cloud services protected by some kind of credential, whether a password, a private key or something else entirely, attackers also have many opportunities to get into them. In most cases a cloud service is reachable over the Internet from anywhere in the world, and presenting the correct password is all it takes to get in. That makes the password a single point of failure: a weak one can be guessed or cracked by an attacker and used to access the service directly.

To protect against weak passwords, it's important to use the best password security practices when setting or changing the passwords, including:

  • First-time passwords: If a password was initially set to a default value by a vendor or other third party, change it before the account is used. The default is known to whoever set it and may be recorded in documentation, a ticketing system or a cache, which undermines the security of the account.
  • Shared passwords: Choose a password that isn't used for any other service. When the same password protects two services, a breach or phishing of one hands the attacker both.
  • Password rotation: If there is any indication that a password has been compromised, change it immediately; this cuts off an attacker who already has it from authenticating again and stealing more sensitive information. Mandatory rotation on a fixed schedule, such as every 90 days, was long standard advice, but current guidance (NIST SP 800-63B) recommends against it because it pushes users toward predictable variations of the old password; rotate on evidence of compromise instead.
  • Minimum password length: The password should be at least eight characters, and longer is better; length adds more to brute-force resistance than any other property. A good way to get length without sacrificing memorability is to make up a sentence or a string of unrelated words and use that as a passphrase.
  • Password strength: Passwords should mix lowercase and uppercase letters, numbers and special characters, and should not be a dictionary word or a commonly used password. This enlarges the space an attacker has to search when brute forcing, although a long passphrase of ordinary words can be just as strong as a short complex string.
  • Password history: The system should keep salted hashes of a user's previous passwords (never the plaintext) so that a new password can be rejected if it matches one of them. Because the user supplies the old password at change time, the system can also reject a new password that is only a trivial variation of the current one.
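The practices above can be enforced mechanically whenever a password is set or changed. The following Python checker is an added example written for this article, not code from the author or from any of the password managers mentioned on the page. The eight-character minimum follows the list above; the 20-character passphrase exemption, the five-entry history depth, the 0.8 similarity threshold, the PBKDF2 iteration count and the short common-password list are illustrative choices, and the sample passwords are constructed.

```python
"""Password-policy checker for the practices listed above.

Added example for this article, not code from the author or from any of
the password managers named on the page. MIN_LENGTH follows the list above;
PASSPHRASE_LENGTH, HISTORY_DEPTH, SIMILARITY_LIMIT, PBKDF2_ITERATIONS and
the COMMON set are illustrative choices.
"""
import difflib
import hashlib
import hmac
import os

MIN_LENGTH = 8            # floor from the list above; longer is better
PASSPHRASE_LENGTH = 20    # at or above this length, character-class rules are waived
HISTORY_DEPTH = 5         # how many previous passwords may not be reused
SIMILARITY_LIMIT = 0.8    # difflib ratio at or above which a change is "too similar"
PBKDF2_ITERATIONS = 100_000
# Constructed sample of a common-password denylist; real deployments use a large breach corpus.
COMMON = {"password", "password1", "welcome1", "letmein", "qwerty123", "changeme"}


def hash_password(password, salt=None):
    """Return (salt, digest). History holds only salted slow hashes, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_entry(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def character_classes(password):
    """Count how many of lower/upper/digit/other the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(candidate, history, current=None):
    """Return a list of policy violations; an empty list means the password is accepted.

    history -- list of (salt, digest) tuples, oldest first
    current -- the password being replaced (the user types it at change time),
               or None when setting a password for the first time
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON:
        problems.append("appears on the common-password list")
    if len(candidate) < PASSPHRASE_LENGTH and character_classes(candidate) < 3:
        problems.append("uses fewer than three character classes (long passphrases are exempt)")
    # Reuse: compare against the most recent HISTORY_DEPTH hashes only.
    if any(matches_entry(candidate, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    # Trivial variation of the current password, e.g. Summer2023! -> Summer2024!
    if current is not None:
        ratio = difflib.SequenceMatcher(None, current.lower(), candidate.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to the password being replaced")
    return problems


def record_password(history, password):
    """Append the hash of an accepted password and trim the history to HISTORY_DEPTH."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


if __name__ == "__main__":
    store = record_password([], "Tr0ub4dor&3")  # constructed sample history
    for pw, cur in [("short", None), ("Password1", None),
                    ("Tr0ub4dor&3", None), ("Summer2024!", "Summer2023!"),
                    ("correct horse battery staple rides", None)]:
        print(f"{pw!r}: {check_password(pw, store, cur) or 'accepted'}")
```

The similarity check only works because the user must present the old password when changing it; the stored history is hashed, so it can only catch exact reuse, which is why the two checks are separate.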

The cloud password manager

With so many passwords used and managed in our daily lives, it's practically impossible to remember them all. People can recall a few, but humans are not good at memorising a large array of random strings. This is why we have to look for an alternative, such as a password manager.

A password manager is a program that keeps all of a user's passwords encrypted on disk. Whenever the user needs one of them, he or she provides the master key under which the store is encrypted, and the manager decrypts the requested password so it can be used to log in to the cloud service. Usually the manager copies the password to the clipboard, from where it can be pasted into the login form's password field.


There are many password managers for different operating systems, most of them standalone programs; some also come as plug-ins for the various Web browsers. Examples include Gpass, KeePass, LastPass, Revelation, Gorilla, KeePassX and Pass; all of these except LastPass, which is a proprietary hosted service, are open source.

Pass stands out among them because it has no graphical user interface (GUI) at all and is driven entirely from the command line. That is an advantage on cloud systems, where servers are typically administered over SSH and have no graphical environment.

Pass is also packaged in most Linux distributions' repositories, so it can be installed with the default package manager, which makes getting started straightforward. Pass requires a GNU Privacy Guard (GPG) key; once one has been created and the store initialised with it, passwords can be added to the password store.

When a user needs a password to authenticate to a cloud service, the password manager asks for the master key (in Pass's case, the passphrase of the GPG key). After the user provides the correct key, the needed password is copied to the system's clipboard and can be pasted into the cloud service's login form. Once the user has been authenticated, the password should be removed from the clipboard to protect against malware that harvests clipboard contents. Pass clears the clipboard automatically 45 seconds after copying, so the user doesn't have to do it manually. Any password manager should offer this, because a password left on the clipboard undoes much of the protection the manager provides.

Good cloud security needs strong cloud security passwords

There are many passwords that each person must use and manage on a daily basis. Many of them are used to authenticate to cloud services, which makes them critical to cloud security. To protect ourselves properly against insecure passwords, we have to choose strong, long and random passwords and store them in a password manager.

By using a password manager, we can follow the best security guidelines for creating a variety of strong passwords without having to remember them all. A password manager requires a master password that is used to decrypt the other passwords before authenticating to a cloud service, so we only need to remember that one master password to gain access to the rest. The master password is therefore the one that must be long, strong and never reused; with it safely memorised, none of the others need to be remembered at all, yet they still deliver the security benefits of strong, unique passwords.

About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and regularly writes security-related articles for his own website.
