Does AWS store users' passwords without hashing?



  • I just noticed that AWS provides a service that checks your users' passwords for corporate password rule compliance "periodically": https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html

    This makes me afraid that AWS stores encrypted passwords instead of storing hashes of passwords. Is that the case?



  • Checks if the account password policy for IAM users meets the specified requirements indicated in the parameters.

    What is being checked is the account password policy, not the actual passwords of users. It's a periodic check to make sure you're requiring the level of complexity that you want to be requiring. As such, no need for reversible encryption of user passwords.
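As an added illustration (not part of the original answer, and not AWS's implementation): a check of this kind takes only the account's password policy settings as input, never any user's password. Field names follow IAM's GetAccountPasswordPolicy response and the rule's parameters; the comparison logic and the sample values are assumptions constructed for the example.

```python
# Added example: evaluates an account-level password *policy* document.
# Field names follow IAM's GetAccountPasswordPolicy response; the comparison
# semantics below are an assumption for illustration, not AWS's rule code.

BOOLEAN_SETTINGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireSymbols",
    "RequireNumbers",
)


def evaluate_password_policy(policy, required):
    """Return (compliant, findings). `policy` is None if no policy is set."""
    if policy is None:
        return False, ["no account password policy is configured"]

    findings = []
    for key in BOOLEAN_SETTINGS:
        if required.get(key) and not policy.get(key, False):
            findings.append(f"{key} is required but not enabled")

    min_len = required.get("MinimumPasswordLength")
    if min_len is not None and policy.get("MinimumPasswordLength", 0) < min_len:
        findings.append(f"MinimumPasswordLength below {min_len}")

    reuse = required.get("PasswordReusePrevention")
    if reuse is not None and policy.get("PasswordReusePrevention", 0) < reuse:
        findings.append(f"PasswordReusePrevention below {reuse}")

    max_age = required.get("MaxPasswordAge")
    # An absent or zero MaxPasswordAge means passwords never expire.
    actual_age = policy.get("MaxPasswordAge", 0)
    if max_age is not None and (actual_age == 0 or actual_age > max_age):
        findings.append(f"MaxPasswordAge missing or above {max_age} days")

    return not findings, findings


# Constructed sample inputs (not taken from a real account).
REQUIRED = {"RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
            "RequireSymbols": True, "RequireNumbers": True,
            "MinimumPasswordLength": 14, "PasswordReusePrevention": 24,
            "MaxPasswordAge": 90}
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
               "RequireNumbers": True, "RequireUppercaseCharacters": True,
               "RequireLowercaseCharacters": True, "ExpirePasswords": False}

if __name__ == "__main__":
    ok, why = evaluate_password_policy(WEAK_POLICY, REQUIRED)
    print("COMPLIANT" if ok else "NON_COMPLIANT", why)
```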

