Level 2
Description:
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Secrets Manager
- AWS Key Management Service (KMS)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Key Vault
- Azure Information Protection
- Azure Security Center
- Azure Sentinel
- Azure Multi-Factor Authentication
- Azure Confidential Computing
- Azure Virtual Machines
- Azure SQL Database
- Azure Storage
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Are passwords prevented from being stored in reversible encryption form in any company systems? Are passwords stored as one-way hashes constructed from passwords? Does the company follow the best practice of “salting” hashed passwords? Are passwords encrypted in storage and in transmission?
Checks for AWS
- Cryptographic Protection of Passwords
Description: This check ensures that organizations store and transmit passwords in a cryptographically protected manner. Cryptographically protected passwords use techniques such as salted one-way cryptographic hashes to enhance their security. Storing passwords as cryptographic hashes with unique salts makes it computationally difficult to reverse-engineer the original passwords, even if the stored hashes are compromised. Transmitting passwords over networks should also be protected using encryption protocols to prevent interception and unauthorized access.
Checks for Azure
- Prevent Storage of Passwords in Reversible Encryption Form
Description: This check ensures that passwords are not stored in reversible encryption form in any company systems. Storing passwords in reversible encryption form can pose a significant security risk, as it allows for the potential exposure of plaintext passwords if the encryption mechanism is compromised. It is recommended to use one-way cryptographic hashing algorithms to store passwords securely.
- Enforce Strong Password Hashing with Salting
Description: This check verifies that strong password hashing techniques with salting are enforced for password storage in Azure systems. Salting involves adding a random and unique value (salt) to each password before hashing it. This adds an extra layer of security by making it computationally difficult to reverse-engineer the original passwords, even if the stored hashes are compromised.
- Encrypt Passwords in Storage and Transmission
Description: This check ensures that passwords are encrypted both in storage and during transmission. Passwords should be protected using encryption mechanisms to prevent unauthorized access and interception. This includes encrypting passwords stored in databases or other storage systems and encrypting passwords transmitted over networks, such as during user authentication processes.
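As an added illustration (not part of this control's text, and not code from AWS or Azure), the following Python shows what "salted one-way hash" means for the AWS and Azure checks above: each stored record carries its own random salt, verification recomputes the hash rather than decrypting anything, and an audit helper flags stored credentials that are plaintext or merely encoded. The PBKDF2-HMAC-SHA256 parameters, the record format and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not taken from the control text): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt per record and 600,000 iterations; tune to your baseline.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_ITERATIONS = 100_000  # audit floor used by is_cryptographically_protected (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted one-way hash, never the password itself.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt$hash' with
    base64 fields. A fresh random salt is drawn unless one is passed in, so two
    users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        stored = base64.b64decode(hash_b64)
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iters), len(stored))
    except (ValueError, TypeError):
        return False  # malformed record: treat as failed authentication
    return hmac.compare_digest(dk, stored)


def is_cryptographically_protected(record: str) -> bool:
    """Audit check for one stored credential: pass only for a salted one-way hash
    record with an acceptable work factor. Plaintext and reversible encodings
    (for example a base64-encoded password) fail, as the control requires."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    try:
        return int(parts[1]) >= MIN_ITERATIONS and len(base64.b64decode(parts[2])) >= 8
    except ValueError:
        return False
```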
More Details: All stored passwords are protected by encrypted storage methods.