What is Password Rotation?

Password Rotation refers to the changing/resetting of a password(s). Limiting the lifespan of a password reduces vulnerability to password-based attacks and exploits, by condensing the window of time during which a stolen password may be valid.

When Should Password Rotation Happen?

While password rotation was once considered a security best practice across all types of accounts, in recent years that guidance has been narrowed to privileged passwords only. NIST now advises against a mandatory periodic password-change policy for personal passwords (this updated guidance does not apply to privileged credentials). One reason for this change is that users tend to simply repeat passwords they have used before. While organizations can implement strategies to prevent password reuse, users often find ways to bypass them. Because of this and other factors, NIST now recommends requiring employees to change a password only in response to a potential threat or compromise.

However, password rotation remains a best practice for privileged passwords, which range from traditional privileged user passwords to SSH keys and more. The frequency of rotation should vary based on password age, usage, and security importance. Superuser accounts (e.g., root, domain admin) and other highly privileged passwords should be rotated frequently, including after each use—known as one-time passwords (OTPs)—for an organization’s most sensitive accounts. And in the case of a known password compromise (such as receiving notice from a third party that user accounts were affected by a breach), the password connected to the affected account should be changed immediately.

Password rotation should be implemented across every privileged account, system, networked hardware, IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to a specific threat or vulnerability.

The Challenges and Risks of Manual Password Rotation

In settings heavily dependent on manual password management, frequent password rotation may actually increase the risk of an exploit. How could this be? Today, a person may have dozens, or even over a hundred, personal passwords to manage. In organizations, this number may climb even higher.

In the simplest of environments, a user could rotate credential values in an Excel spreadsheet and then manually log in to the associated accounts and systems, but this is not a scalable practice. Additionally, manual management and rotation of some types of privileged credentials (e.g., hard-coded passwords and keys) will likely prove impossible.

The sheer number of credentials to rotate and manage generally means that, when left to humans, password best practices (such as a password length of 12 or more characters that is nonsensical, non-dictionary-based and that has not been used previously by the user for any work or personal account) are inadequately followed.
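The rules just listed (12+ random characters, no dictionary words, never a password the account has used before) are exactly what an automated rotation routine can enforce where a human cannot. The following is an added example, not code from the original page or from any vendor product; the word list is a constructed stand-in for a real dictionary, and retired passwords are kept only as salted PBKDF2 hashes so the history itself is not a plaintext store.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a real dictionary/blocklist (assumption for the example).
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 100_000


def generate_password(length: int = 20) -> str:
    """Draw a password from a CSPRNG so no human-chosen pattern sneaks in."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def history_entry(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Retire a password into history as (salt, salted hash); plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def previously_used(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if secrets.compare_digest(candidate, digest):
            return True
    return False


def violations(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every best-practice rule the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if previously_used(password, history):
        problems.append("reused from history")
    return problems


def rotate(history: list[tuple[bytes, bytes]]) -> str:
    """Pick a fresh password that passes every check and immediately retire it into history."""
    while True:
        candidate = generate_password()
        if not violations(candidate, history):
            history.append(history_entry(candidate))
            return candidate
```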

As the number of (constantly rotating) passwords to remember rises, employees will be increasingly prone to forget passwords from time to time, potentially locking them out of systems. To compensate, they tend to reuse the same passwords for multiple accounts (across both work and personal), select easy-to-guess passwords, or resort to recording passwords on paper or within electronic documents, such as MS Word or spreadsheets. Part of the danger here is that attackers can correlate, along with email addresses and usernames, the password from one compromised account to other services that may be using the same password. So, for instance, using the same credential on a server, application, switch, and social media account means that one compromised account also jeopardizes the other accounts.

Automating Password Management Improves Security

While it’s not humanly possible (at least for most humans) to adhere to best practices in manually creating and changing passwords, password management tools can automate this process.

Password managers are software applications that can enforce best practices for generating, rotating, and securing passwords (such as by using encryption). Password managers may be cloud- or browser-based, or could reside on the desktop. By using a master password/key, the user can prompt the password manager to automatically pull the correct password from a database and authenticate into a system/software via form filling.

While password management automation is considered a best practice, many organizations still rely, to some degree, on manual/human password management practices. Consequently, in practice, passwords are inadequately rotated and audited—leaving organizations susceptible to privileged credential exploits. This may partly be due to the proliferation of new types of accounts and identities, which some legacy password management solutions may be unable to manage.

Personal Password Managers and Enterprise/Privileged Password Managers

Personal password tools manage login information for standard users. These personal password managers generate random passwords secured by a single master password the user needs to remember, and can auto-login the user to the resources they use.

Enterprise password managers/privileged password managers are a specialized subset of password managers used to manage privileged credentials for enterprise privileged accounts (root, admin, etc.), SSH keys, and embedded/hardcoded credentials that are often found in applications. This last use case is especially of security consequence as many IT devices—whether routers, firewalls, IoT, etc., are frequently shipped with embedded and/or default credentials, that need to be managed and regularly rotated—otherwise they can offer attackers easy backdoor access into critical systems.

A privileged password management (PPM) solution can ensure that all of your privileged credentials (thousands to millions) are regularly rotated at intervals set by your policy, which will be influenced by credential type, security importance, and other attributes. Additionally, with these enterprise password security solutions you can enable seamless synchronization of password changes in the directory where the account resides with the changes in the system/device/application/service where the password is used, to avoid any downtime. The most comprehensive of these solutions can also manage DevOps secrets, workforce passwords (used by employees to access applications), and more. In addition, these products are often paired or integrated with session management capabilities, for oversight and auditing of privileged activity. This combined solution is known as Privileged Account & Session Management (PASM).
