What is Password Rotation and Why is It Needed?

April 5, 2018


Password rotation refers to changing or resetting one or more passwords. Limiting the lifespan of a password reduces the risk from, and the effectiveness of, password-based attacks and exploits by shrinking the window of time during which a stolen password remains valid.

The frequency of rotation should vary based on the password's age, usage, and security importance. For instance, a password for a standard user account may only require rotation at 60-day intervals, a process that can be forced through password expiration. On the other hand, superuser account passwords (e.g., root, domain admin, etc.) and other highly privileged passwords should be rotated frequently, and for an organization's most sensitive accounts after each use, a practice known as one-time passwords (OTPs). And, in the case of a known password compromise (such as receiving notice from a third party that user accounts were affected by a breach), the password for the affected account should be changed immediately.

Password rotation should be implemented across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to a specific threat or vulnerability.
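The rules above (60-day expiry for standard users, rotate-after-use for superuser accounts, immediate rotation on a known compromise) can be expressed as a small policy check. This is an added example, not code from the post or from any BeyondTrust product; the account classes, the 60-day interval for standard accounts taken from the text, and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Rotation policy per account class. Intervals follow the post's examples:
# standard users every 60 days; superuser/privileged accounts after every use
# (one-time password). The 1-day ceiling for superuser accounts is an assumed value.
POLICY = {
    "standard":  {"max_age": timedelta(days=60), "rotate_on_checkin": False},
    "superuser": {"max_age": timedelta(days=1),  "rotate_on_checkin": True},
}


@dataclass
class Account:
    name: str
    account_class: str
    last_rotated: datetime
    last_checked_in: Optional[datetime] = None  # when the credential was last returned after use
    compromised: bool = False                   # breach notice received for this account


def rotation_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return why the password must be rotated now, or None if it is still within policy."""
    if acct.compromised:
        return "known compromise: rotate immediately"
    rule = POLICY[acct.account_class]
    # One-time-password rule: any use since the last rotation forces a new password.
    if (rule["rotate_on_checkin"] and acct.last_checked_in is not None
            and acct.last_checked_in >= acct.last_rotated):
        return "credential used since last rotation (one-time password)"
    age = now - acct.last_rotated
    if age >= rule["max_age"]:
        return f"password age {age.days}d exceeds {rule['max_age'].days}d limit"
    return None


def rotation_queue(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """List (account, reason) pairs that a rotation job should process on this run."""
    return [(a.name, r) for a in accounts if (r := rotation_reason(a, now))]


# Constructed sample inventory, evaluated at a fixed point in time.
NOW = datetime(2018, 4, 5, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", NOW - timedelta(days=30)),                     # still valid
    Account("bob", "standard", NOW - timedelta(days=61)),                       # past 60 days
    Account("root@db01", "superuser", NOW - timedelta(hours=2),
            last_checked_in=NOW - timedelta(hours=1)),                           # used since rotation
    Account("svc-backup", "standard", NOW - timedelta(days=3), compromised=True),  # breach notice
]
```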

The Challenges and Risks of Manual Password Rotation

While password rotation is a universally accepted security best practice, in settings heavily dependent on manual password management, frequent password rotation may actually increase the risk of an exploit. How could this be? Today, a person may have dozens, or even more than one hundred, personal passwords to manage. In organizations, this number may climb even higher. In the simplest environments, a user could rotate credential values in an Excel spreadsheet and then manually log in to the associated accounts and systems, but this is not a scalable practice. Additionally, manual management and rotation of some types of privileged credentials (e.g., hard-coded passwords and keys) will likely prove impossible.

The sheer number of credentials to rotate generally means that, when left to humans, password best practices (such as a password length of 12 or more characters that is nonsensical, non-dictionary-based, and that has not been used previously by the user for any work or personal account) are inadequately followed. As the number of (constantly rotating) passwords to remember rises, employees become increasingly prone to forgetting passwords from time to time, potentially locking themselves out of systems. To compensate, they tend to reuse the same passwords for multiple accounts (across both work and personal), select easy-to-guess passwords, or resort to recording passwords on paper or within electronic documents, such as MS Word files or spreadsheets. Part of the danger here is that attackers can correlate the password from one compromised account, along with its email address and username, to other services that may be using the same password. For instance, using the same credential on a server, application, switch, and social media account means that one compromised account also jeopardizes all the others.

Improving Password Security Through Automation

While it's not feasible for most people to adhere to best practices when rotating passwords manually, password management tools can automate this process. Password managers are software applications that can enforce best practices for generating, rotating, and securing passwords (such as with encryption). Password managers may be cloud- or browser-based, or may reside on the desktop. By using a master password/key, the user can prompt the password manager to automatically retrieve the desired password from a database and authenticate into a system or application via form filling.
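The best practices listed above (12 or more random characters, no dictionary words, never a previously used password) and the generate/rotate/secure duties of a password manager can be put together in one small routine. This is an added example, not code from the post or from any password manager product; the word list is a constructed stand-in for a real dictionary or breached-password list, and password history is kept only as salted PBKDF2 hashes so the old plaintext values are never stored.

```python
import hashlib
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # from the post: 12 or more characters

# Constructed stand-in for a dictionary / known-breached-password list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "qwerty"}


def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG with at least one of each character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def contains_dictionary_word(pw: str) -> bool:
    """Reject passwords built around a dictionary word (case-insensitive substring match)."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


class PasswordHistory:
    """Per-account reuse check: stores salted PBKDF2 hashes of previous passwords, never plaintext."""

    def __init__(self, salt: Optional[bytes] = None, iterations: int = 50_000):
        self.salt = salt or secrets.token_bytes(16)
        self.iterations = iterations
        self._hashes: set = set()

    def _digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, self.iterations)

    def seen(self, pw: str) -> bool:
        return self._digest(pw) in self._hashes

    def record(self, pw: str) -> None:
        self._hashes.add(self._digest(pw))


def is_acceptable(pw: str, history: PasswordHistory) -> bool:
    """Policy gate: long enough, not dictionary-based, and not a reuse for this account."""
    return len(pw) >= MIN_LENGTH and not contains_dictionary_word(pw) and not history.seen(pw)


def rotate(history: PasswordHistory, length: int = 16) -> str:
    """Generate a policy-compliant replacement password and record it so it can never be reused."""
    while True:
        pw = generate_password(length)
        if is_acceptable(pw, history):
            history.record(pw)
            return pw
```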

While password management automation is gaining ground, most organizations still rely, to some degree, on manual/human password management practices. Consequently, in practice, passwords are inadequately rotated—leaving organizations susceptible to credential-based exploits.

Personal Password Managers and Enterprise/Privileged Password Managers

Personal password tools manage login information for standard users. These personal password managers generate random passwords secured by a single master password the user must remember and can auto-login the user to the desired resources.

Enterprise password managers, or privileged password managers, are a specialized subset of password managers used to manage privileged credentials for enterprise privileged accounts (root, admin, etc.), SSH keys, and the embedded/hardcoded credentials often found in applications. This latter use case is of increasing security consequence, as many IT devices (routers, firewalls, IoT devices, etc.) are frequently shipped with embedded and/or default credentials that need to be managed and regularly rotated; otherwise they can offer attackers easy backdoor access into critical systems.

A privileged password manager can ensure all of an organization’s privileged credentials (thousands to millions) are regularly rotated at intervals set by your policy, which will be influenced by credential type, security importance, and other attributes. Privileged password management solutions can also enable seamless synchronization of password changes in the directory where the account resides with the changes in the system/device/application/service where the password is used, to avoid any downtime.

Want to learn how to automate rotation and other best-practices security for your privileged credentials? Contact us today.


Matt Miller, Senior Content Marketing Manager, BeyondTrust

Matt Miller is a Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.
