Description:
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].
Priority: High
Category: Baseline Security Configurations
Services Associated with AWS:
- AWS Secrets Manager, AWS Key Management Service (KMS)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Are passwords prevented from being stored in a reversible encryption form in any company systems? Are passwords stored as one-way hashes constructed from the passwords? Does the company follow the best practice of "salting" hashed passwords? Are passwords encrypted in storage and in transmission?
- Cryptographic Protection of Passwords
Description: This check ensures that organizations store and transmit passwords in a cryptographically protected manner. Cryptographically protected passwords use techniques such as salted one-way cryptographic hashes to enhance their security. Storing passwords as cryptographic hashes with unique, randomly generated salts makes it computationally difficult to recover the original passwords even if the stored hashes are compromised, because an attacker cannot reuse precomputed tables across accounts and must attack each hash separately. Passwords transmitted over networks should likewise be protected by encryption protocols (for example TLS) to prevent interception and unauthorized access.
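The following is an added example, not part of the control text or of any AWS service, showing what "salted one-way hashing" looks like in practice and how an assessor could check that the stored records satisfy it. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the one-way function and a 16-byte random salt per password; the iteration count is illustrative and is not a value mandated by [NIST CRYPTO].

```python
"""Added example (not from the control page): salted one-way password
storage and verification using only the Python standard library.

Assumptions (illustrative, not mandated by the control):
  - one-way function: PBKDF2-HMAC-SHA256
  - salt: 16 random bytes, generated fresh for every stored password
  - record format: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

SALT_BYTES = 16        # 128-bit random salt, unique per stored password
ITERATIONS = 600_000   # work factor; raise as hardware gets faster
DIGEST_BYTES = 32      # length of the derived hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record that stores the salt and the
    one-way hash, never the password itself.

    A fresh random salt is drawn unless one is passed explicitly
    (passing a salt is only useful for deterministic tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count taken from the
    stored record and compare in constant time. Malformed records fail
    closed rather than raising."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0 or not stored:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(stored)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, stored)


def salts_are_unique(records: Iterable[str]) -> bool:
    """Evidence check for the 'salting' question: every stored record must
    carry its own salt. Two identical salts (or an unsalted scheme) mean
    two users with the same password would share a hash."""
    salts = [r.split("$")[2] for r in records]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ despite equal passwords:", alice != bob)
    print("per-record salts unique:", salts_are_unique([alice, bob]))
    print("verify good password:", verify_password("correct horse battery staple", alice))
    print("verify bad password:", verify_password("Tr0ub4dor&3", alice))
```

The `salts_are_unique` check is the kind of technical evidence the "Objective Evidence" list above asks for: run against an export of stored records (with the hash column, never plaintext), it shows whether a unique salt is actually present per entry rather than relying on a screenshot of a configuration flag.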
More Details:
All stored passwords are kept using encrypted storage methods.