Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. 

Priority: High   

Category: Baseline Security Configurations 

Services Associated with AWS:   

  • AWS Secrets Manager, AWS Key Management Service (KMS) 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

Are passwords prevented from being stored in reversible encryption form in any company systems? Are passwords stored as one-way hashes constructed from passwords? Does the company follow the best practice of “salting” hashed passwords? Are passwords encrypted in storage and in transmission? 

  • Cryptographic Protection of Passwords
    Description: This check ensures that organizations store and transmit passwords in a cryptographically protected manner. Cryptographically protected passwords use techniques such as salted one-way cryptographic hashes to enhance their security. Storing passwords as cryptographic hashes with unique salts makes it computationally difficult to reverse-engineer the original passwords, even if the stored hashes are compromised. Transmitting passwords over networks should also be protected using encryption protocols to prevent interception and unauthorized access.
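As an added illustration, not part of the control text above, the following Python shows the pattern the description refers to: a per-password random salt, a one-way memory-hard hash (scrypt), constant-time verification, and a small audit helper that checks a set of stored records actually use the scheme with unique salts. The record format, scrypt parameters and helper names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example; a real baseline would set these
# to the organization's approved values. A 16-byte random salt per record
# means two users with the same password get different stored values.
SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
HASH_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the original password cannot be recovered from this."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=SCRYPT_MAXMEM, dklen=HASH_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored record of the assumed form 'scrypt$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per record
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # malformed or not a record in the expected scheme
    try:
        salt = bytes.fromhex(parts[1])
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt).hex(), parts[2])


def audit_salted_records(records: Iterable[str]) -> bool:
    """Evidence check: every record uses the one-way scheme and no salt repeats."""
    seen = set()
    for rec in records:
        parts = rec.split("$")
        if len(parts) != 3 or parts[0] != "scrypt" or len(parts[1]) != 2 * SALT_BYTES:
            return False
        if parts[1] in seen:
            return False  # reused salt defeats the purpose of salting
        seen.add(parts[1])
    return True
```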

More Details:   

All stored passwords are protected using encrypted storage methods.