Password rotation refers to the changing/resetting of a password(s). Limiting the lifespan of a password reduces the risk from and effectiveness of password-based attacks and exploits, by condensing the window of time during which a stolen password may be valid.
The frequency of rotation should vary based on the password age, usage, and security importance. For instance, a password for a standard user account may only require rotation at 60-day intervals, a process that can be forced through password expiration. On the other hand, superuser account (e.g., root, domain admin, etc.) and other highly privileged passwords should be frequently rotated, including after each use—known as one-time-passwords, or (OTPs)—for an organization’s most sensitive accounts. And, in the case of a known password compromise (such as receiving notice from a third-party that user accounts were affected by a breach), a password connected to the affected account should be immediately changed.
Password rotation should be implemented across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to a specific threat or vulnerability.
The Challenges and Risks of Manual Password Rotation
While password rotation is a universally accepted security best practice, in settings heavily dependent on manual password management, frequent password rotation may actually increase the risk of an exploit. How could this be? Today, a person may rely on dozens, or even over one hundred, personal passwords to manage. In organizations, this number may climb even higher. In the most simple of environments, a user could rotate credential values in an Excel spreadsheet and then manually log in to the associated accounts and systems, but this is not a scalable practice. Additionally, manual management and rotation of some types of privileged credentials (i.e. hard-coded passwords and keys) will likely prove impossible.
The sheer number of credentials to rotate generally means that, when left to humans, password best practices (such as a password length of 12 or more characters that is nonsensical, non-dictionary-based, and that has not been used previously by the user for any work or personal account) are inadequately followed. As the number of (constantly rotating) passwords to remember rises, employees will be increasingly prone to forget passwords from time-to-time, potentially locking them out of systems. To compensate, they tend to reuse the same passwords for multiple accounts (across both work and personal), select easy-to-guess passwords, or resort to recording passwords on paper or within electronic documents, such as MS Word or spreadsheets. Part of the danger here is that hackers can correlate, along with email addresses and usernames, the password from one compromised account to other services that may be using the same password. For instance, using the same credential on a server, application, switch, and social media account means that one compromised account also jeopardizes the other accounts.
Improving Password Security Through Automation
While it’s not feasible for most people to adhere to best practices in manually rotating passwords, password management tools can automate this process. Password Managers are software applications that can enforce best practices for generating, rotating, and securing passwords (such as with encryption). Password managers may be cloud or browser-based or could reside on the desktop. By using a master password/key, the user can prompt the password manager to automatically extract the desired password from a database and authenticate into a system/software via form filling.
While password management automation is gaining ground, most organizations still rely, to some degree, on manual/human password management practices. Consequently, in practice, passwords are inadequately rotated—leaving organizations susceptible to credential-based exploits.
Personal Password Managers and Enterprise/Privileged Password Managers
Personal password tools manage login information for standard users. These personal password managers generate random passwords secured by a single master password the user must remember and can auto-login the user to the desired resources.
Enterprise Password Managers/Privileged Password Managers are a specialized subset of password managers used to manage privileged credentials for enterprise privileged accounts (root, admin, etc.), SSH keys, and embedded/hardcoded credentials that are often found in applications. This latter use case is of increasing security consequence as many IT devices—whether routers, firewalls, IoT, etc., are frequently shipped with embedded and/or default credentials that need to be managed and regularly rotated—otherwise they can offer attackers easy backdoor access into critical systems.
A privileged password manager can ensure all of an organization’s privileged credentials (thousands to millions) are regularly rotated at intervals set by your policy, which will be influenced by credential type, security importance, and other attributes. Privileged password management solutions can also enable seamless synchronization of password changes in the directory where the account resides with the changes in the system/device/application/service where the password is used, to avoid any downtime.
Want to learn how to automate rotation and other best-practices security for your privileged credentials? Contact us today.
Privileged Password Management Explained (white paper)
Enforce Enterprise Password Security (2-min video)
Matt Miller, Director, Content Marketing
Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.