
I’m Mark Potter, the Chief Information Security Officer (CISO) at Backblaze. Today, I’m sharing some planned upcoming changes to our password requirements designed to enhance customer account security.
Here’s your TL;DR:
- We’re implementing a 15-character minimum for passwords. New accounts, as well as any changed or reset passwords, will need to be a minimum length of 15 characters.
- Later this year, we will be requiring multifactor authentication (MFA) for all accounts. We strongly recommend that you enable MFA now.
A little background about cyber attacks, and how they affect public cloud providers
All public cloud providers are subjected to a range of ongoing cyberattacks, including attempts by cybercriminals to break into customer accounts. Bad actors use a variety of tactics, including credential stuffing, in which they replay email addresses and passwords found in public breach databases, in Telegram combolists, purchased on the dark web, or obtained through other sources.
They will also try those same email addresses combined with lists of commonly used or weak passwords. When this approach is applied across many accounts, it is referred to as a password spray attack.
These are just two of the many types of attacks bad actors use, and as a result, organizations like the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and others create and update security guidelines and best practices to help keep information safe.
What does this look like to a cloud provider?
As an infrastructure provider, we have monitoring controls in place to help augment platform security. For example, we recently observed an increase in rate-limited credential stuffing and password spray attacks targeting email addresses, most of which had no associated Backblaze account, as well as attempts using email addresses associated with Backblaze customer accounts. We also noticed a surge in credential stuffing activity around the time Have I Been Pwned posted an article about the ALIEN TXTBASE Stealer Logs in late February.
The recent attacks we observed originated from a broad range of rotating IP addresses associated with networks in the U.S. and around the globe, which is a common tactic. Attackers will also often hide behind a proxy or virtual private network (VPN), and change their IP address frequently in an attempt to bypass rate limiting controls implemented by cloud providers.
In these types of attacks, the focus is on attempting to guess credentials, rather than try to find a vulnerability on the platform itself. It’s the equivalent of an autodialer for the internet. Much like all those spam calls you get, cyber attackers are trying combinations of known emails and passwords (the internet equivalent of your phone number) to see if they can get access to your account (or get you to pick up the phone, metaphorically speaking).
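The observation above is that spray and stuffing traffic is spread thin: one or two guesses per account, from rotating IPs, so that a per-source rate limiter sees nothing unusual. The following is an added example (not Backblaze's monitoring code) that contrasts the per-IP view with an aggregate, per-window view over a constructed sample of authentication log lines. The log format, the `FAIL_NO_SUCH_ACCOUNT` outcome and the thresholds are assumptions made for the example; the "unknown account" ratio is there because the post notes that most targeted addresses had no Backblaze account, which is what a replayed combolist looks like from the receiving end.

```python
"""Aggregate-view detection of password spray / credential stuffing over
constructed sample auth logs. Example code added to this post, not
Backblaze's monitoring; log format and thresholds are assumptions."""
import re
from collections import Counter

# Constructed sample log lines (IPs from RFC 5737 documentation ranges).
# Assumed format: "<ISO timestamp> <client ip> <email> <outcome>".
# Twelve single guesses from twelve IPs, then one legitimate user (dave)
# who mistypes twice from one IP and then signs in.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.10 u01@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:02Z 203.0.113.11 u02@example.com FAIL_NO_SUCH_ACCOUNT
2025-03-01T10:00:02Z 203.0.113.12 u03@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:03Z 203.0.113.13 u04@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:04Z 203.0.113.14 u05@example.com FAIL_NO_SUCH_ACCOUNT
2025-03-01T10:00:04Z 203.0.113.15 u06@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:05Z 203.0.113.16 u07@example.com FAIL_NO_SUCH_ACCOUNT
2025-03-01T10:00:06Z 203.0.113.17 u08@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:06Z 203.0.113.18 u09@example.com FAIL_NO_SUCH_ACCOUNT
2025-03-01T10:00:07Z 203.0.113.19 u10@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:08Z 203.0.113.20 u11@example.com FAIL_NO_SUCH_ACCOUNT
2025-03-01T10:00:09Z 203.0.113.21 u12@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:10Z 198.51.100.7 dave@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:20Z 198.51.100.7 dave@example.com FAIL_BAD_PASSWORD
2025-03-01T10:00:31Z 198.51.100.7 dave@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, email, outcome = m.groups()
            events.append({"ts": ts, "ip": ip, "email": email.lower(), "outcome": outcome})
    return events


def per_ip_failures(events):
    """The view a per-source-IP rate limiter has: failed attempts per IP."""
    return Counter(e["ip"] for e in events if e["outcome"].startswith("FAIL"))


def classify_window(events, min_accounts=10, min_distinct_ips=8, max_mean_attempts=2.0):
    """Population-level view of one time window.

    Spray/stuffing signature: many distinct target accounts, few attempts
    per account (staying under per-account lockout), spread across many
    source IPs (staying under per-IP rate limits). A high share of
    FAIL_NO_SUCH_ACCOUNT points at a combolist replayed against addresses
    that were never registered here.
    """
    failures = [e for e in events if e["outcome"].startswith("FAIL")]
    if not failures:
        return {"flagged": False, "failures": 0}
    accounts = Counter(e["email"] for e in failures)
    ips = {e["ip"] for e in failures}
    mean_attempts = len(failures) / len(accounts)
    unknown = sum(1 for e in failures if e["outcome"] == "FAIL_NO_SUCH_ACCOUNT")
    flagged = (len(accounts) >= min_accounts
               and len(ips) >= min_distinct_ips
               and mean_attempts <= max_mean_attempts)
    return {
        "flagged": flagged,
        "failures": len(failures),
        "distinct_accounts": len(accounts),
        "distinct_ips": len(ips),
        "mean_attempts_per_account": round(mean_attempts, 2),
        "unknown_account_ratio": round(unknown / len(failures), 2),
        "max_failures_from_one_ip": max(per_ip_failures(events).values()),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP view:", per_ip_failures(evs).most_common(3))
    print("window view:", classify_window(evs))
```

On this sample the noisiest single IP is the legitimate user with two failures, which no sensible per-IP limiter would block, while the window view reports thirteen distinct accounts from thirteen IPs at about one attempt each and flags it. In production the window would be a sliding interval and the thresholds tuned against the normal failure baseline; the point is that the aggregation key has to be the target population, not the source address, once sources rotate.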
What’s changing?
In line with current best practices, we have recently upgraded our password controls so that passwords for new accounts, as well as any changed or reset passwords, will need to be a minimum length of 15 characters. This is consistent with NIST recommendations.
We encourage customers to change their passwords now if they are shorter than 15 characters. This will not impact customers who have implemented SSO.
We have also added a password strength meter to applicable forms and implemented checks with an external service to determine whether the selected password is weak or is one commonly used by cybercriminals in password spray attacks. Separately, via an external provider, we check whether the email address and password provided have been listed in public breach databases, Telegram combolists, or other sources, to help protect customers from credential stuffing attacks.
Later this year, we will be rolling out a mandatory MFA requirement. This requirement is already being enforced by most of the major cloud providers. Email-based MFA will be enforced for customers who do not currently have MFA enabled on their account. Customers who would prefer a method other than email should select it ahead of the mandatory MFA date.
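The three password checks described above (minimum length, a common-password list, and a lookup against breach data) compose naturally into one acceptance function. The following is an added example, not Backblaze's implementation: the 15-character minimum is from the post, the common-password list is a constructed sample, and the breach lookup assumes the k-anonymity "range" style (send only the first five hex characters of the password's SHA-1, receive the matching suffixes, compare locally) used by Have I Been Pwned's Pwned Passwords API, which the post does not name. The range service is replaced by an in-memory stand-in so the example runs offline.

```python
"""Password acceptance checks, as example code added to this post.
Not Backblaze's code. The 15-character minimum is from the post; the
common-password list and the breached password are constructed."""
import hashlib

MIN_LENGTH = 15  # from the post

# Constructed stand-in for a list of commonly sprayed / weak passwords.
COMMON_PASSWORDS = {"password", "welcome1", "summer2024!", "qwerty123456789"}


def sha1_hex(password):
    """Uppercase hex SHA-1, the form used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed: the only password our offline stand-in "knows" as breached.
_BREACHED_DIGEST = sha1_hex("correct horse battery staple")


def fake_range_lookup(prefix):
    """Stand-in for the external range API (assumed HIBP-style).

    Returns 'SUFFIX:COUNT' lines for every known hash sharing the
    5-character prefix. A dummy line is always included so callers have
    to match suffixes rather than trusting a non-empty reply.
    """
    lines = ["F" * 35 + ":1"]
    if _BREACHED_DIGEST.startswith(prefix):
        lines.append(_BREACHED_DIGEST[5:] + ":42")
    return "\n".join(lines) + "\n"


def breach_count(password, lookup=fake_range_lookup):
    """k-anonymity check: only the 5-char hash prefix leaves the client;
    the full digest is compared against the returned suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, lookup=fake_range_lookup):
    """Return the list of reasons to reject; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common/sprayed password list")
    n = breach_count(password, lookup)
    if n:
        reasons.append(f"seen {n} times in breach data")
    return reasons


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "qwerty123456789",
               "correct horse battery staple", "lantern-quiet-meadow-47"]:
        print(repr(pw), "->", evaluate_password(pw) or "accepted")
```

The length rule and the list rule are cheap and local; the breach lookup is the only step that involves a third party, and the prefix design is what makes that acceptable: the provider learns a 20-bit prefix, never the password or its full hash. Note that a 28-character passphrase is still rejected if it appears in breach data, which is why length alone is not the whole control.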
Please see our Docs article on how to enable MFA, and feel free to reach out in the blog comments below or to our Support team if you have any questions.