Improving Password Security on Amazon Cognito with Password Reuse Prevention


How to prevent use of previous passwords in Amazon Cognito user pool

Vishal Jakharia
Amazon Employee
Published Aug 6, 2024

Introduction

It is essential for an organization to follow a strong password policy, including a requirement that prevents users from reusing previous passwords. To align with an organization's security requirements, developers need to enforce the same password policy when storing identity information in Amazon Cognito.
Password reuse is a common habit that poses a significant risk to your customers' online security and privacy. Using the same or similar passwords across multiple websites and accounts exposes your customers to attacks such as account takeover. Advise your customers to adopt a strong, unique password for each of their accounts so that their personal information and data stay protected.

The Challenge

The chance of account takeover is high when the same password is reused. Password reuse turns a single security incident into a potential gateway for multiple points of unauthorized access: if the same password is used across multiple platforms, an attacker who obtains it once can gain widespread access.

Introducing the Password Reuse Prevention Feature in Advanced Security

To address this risk, AWS recently introduced a new capability to Cognito's advanced security features that stores a user's password history and prevents them from reusing previous passwords. Application developers can now configure their Cognito user pool to prevent users from reusing a specified number of their previous passwords. This ensures that a password reset or change cannot set a previously used password. Developers can configure this password history restriction to cover up to the last 24 passwords used.
Because users can no longer set previously used passwords, this feature lowers the chance of a security breach that would expose them to hackers, phishing, and identity theft.

How Cognito Advanced Security Features Solve This Challenge
  • By setting a password policy:
    • Below is the password policy that you can set up with Amazon Cognito.
      • Password minimum length
      • Password complexity rules
      • Prevent reuse of previous passwords (new feature)
  • Compromised credential database: Advanced security features include a compromised credential database. Cognito maintains a proprietary store of usernames and passwords that have been compromised. Every time a user signs up, signs in, or changes their password, Cognito can check whether a compromised credential is in use and force the user to change their password.
Note: Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow. SRP sends a hashed proof of password during sign-in. Amazon Cognito doesn't have access to passwords internally, so it can only evaluate a password that your client passes to it in plaintext.

To Set Up Password Policy

  1. Activate advanced security features.
  2. In the Sign-in experience tab of your user pool, locate Password policy and select Edit.
  3. Configure other available options and set a value for Prevent use of previous passwords.
  4. Choose Save changes.
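The four console steps above correspond to a single UpdateUserPool API call. The following Python (boto3) code is an added example, not code from the post or from AWS: it builds the request, enforces the 0 to 24 bound on the password history size that the post states, refuses a non-zero history size when advanced security features are switched off (the feature depends on step 1), and only contacts AWS when you hand it a real client. The parameter names (PasswordHistorySize, UserPoolAddOns, AdvancedSecurityMode) are those of the Cognito API; the user pool ID, the function names and the default policy values are constructed placeholders.

```python
"""Enable password reuse prevention on an Amazon Cognito user pool through
the UpdateUserPool API.  Added example; not code from the original post."""

from typing import Any, Dict, Optional

# Bounds of the Cognito PasswordPolicyType: history 0..24, minimum length 6..99.
MAX_PASSWORD_HISTORY = 24          # "up to the last 24 passwords used"
MIN_LENGTH_BOUNDS = (6, 99)
VALID_ASF_MODES = ("OFF", "AUDIT", "ENFORCED")


def build_password_policy(
    minimum_length: int = 12,
    history_size: int = MAX_PASSWORD_HISTORY,
    require_uppercase: bool = True,
    require_lowercase: bool = True,
    require_numbers: bool = True,
    require_symbols: bool = True,
) -> Dict[str, Any]:
    """Return a PasswordPolicy dict; history_size=0 leaves reuse prevention off."""
    lo, hi = MIN_LENGTH_BOUNDS
    if not lo <= minimum_length <= hi:
        raise ValueError(f"MinimumLength must be between {lo} and {hi}")
    if not 0 <= history_size <= MAX_PASSWORD_HISTORY:
        raise ValueError(
            f"PasswordHistorySize must be between 0 and {MAX_PASSWORD_HISTORY}")
    return {
        "MinimumLength": minimum_length,
        "RequireUppercase": require_uppercase,
        "RequireLowercase": require_lowercase,
        "RequireNumbers": require_numbers,
        "RequireSymbols": require_symbols,
        "PasswordHistorySize": history_size,
    }


def build_update_user_pool_params(
    user_pool_id: str,
    password_policy: Dict[str, Any],
    advanced_security_mode: str = "ENFORCED",
) -> Dict[str, Any]:
    """Combine the policy with the advanced-security add-on it depends on.

    Any mode other than OFF activates advanced security features (step 1 of
    the post); with OFF, a password history would not be enforced, so the
    combination is rejected here instead of silently doing nothing.
    """
    if advanced_security_mode not in VALID_ASF_MODES:
        raise ValueError(f"AdvancedSecurityMode must be one of {VALID_ASF_MODES}")
    if (advanced_security_mode == "OFF"
            and password_policy.get("PasswordHistorySize", 0) > 0):
        raise ValueError(
            "PasswordHistorySize requires advanced security features to be active")
    return {
        "UserPoolId": user_pool_id,
        "Policies": {"PasswordPolicy": password_policy},
        "UserPoolAddOns": {"AdvancedSecurityMode": advanced_security_mode},
    }


def apply_password_policy(params: Dict[str, Any], client: Optional[Any] = None):
    """Send the request with the given client (boto3 or a test double).

    boto3 is imported only when no client is supplied, so the builders above
    can be unit-tested offline.
    """
    if client is None:
        import boto3  # needs AWS credentials with cognito-idp:UpdateUserPool
        client = boto3.client("cognito-idp")
    return client.update_user_pool(**params)


if __name__ == "__main__":
    policy = build_password_policy(minimum_length=14, history_size=24)
    # "us-east-1_EXAMPLE" is a constructed placeholder, not a real pool ID.
    params = build_update_user_pool_params("us-east-1_EXAMPLE", policy)
    print(params)
```

One caveat before running this against a production pool: UpdateUserPool resets any attribute you omit from the request to its default value, so read the pool's current configuration with DescribeUserPool first and carry across the settings you want to keep (MFA configuration, verification messages, and so on) rather than sending only the password policy.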


Conclusion

The Password Reuse Prevention feature in Amazon Cognito advanced security features adds the capability to block reuse of previously used passwords. This reduces the risk of account takeover and raises the security posture of your application.
Try out the new feature and share your feedback on community.aws!

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
