Password rotation is the changing or resetting of a password. Limiting a password's lifespan reduces exposure to password-based attacks by shrinking the window during which a stolen password remains valid.
How often to rotate should depend on the account's usage and security importance. A standard user account might be rotated at 60-day intervals, enforced through password expiration (current guidance in NIST SP 800-63B advises against forcing periodic changes of user-chosen passwords in the absence of evidence of compromise, so this interval is a policy choice rather than a universal requirement). Superuser accounts (root, domain admin, etc.) and other highly privileged credentials should be rotated far more often, and for an organization's most sensitive accounts after every use, so that each checked-out value is effectively a one-time password. This is distinct from OTP schemes such as TOTP and HOTP, which generate short-lived codes rather than rotating the stored credential. And when a compromise is known or suspected (for example, a third party reports that user accounts were exposed in a breach), the password for the affected account should be changed immediately.
Password rotation should apply to every account, system, piece of network hardware, IoT device, application, and service. Each password should be unique, never reused across accounts, and replaced with a freshly generated random value on a schedule, on check-in, or in response to a specific threat or vulnerability.
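The three triggers described above (a scheduled interval for standard accounts, rotation on check-in for privileged accounts, and immediate rotation on a compromise report), together with the no-reuse rule, can be expressed as a small policy engine. The following is an added illustration written for this page, not code from any password management product; the account classes, the 60-day interval, the `ManagedAccount`/`due_for_rotation` names and the audit format are assumptions made here.

```python
"""Policy-driven password rotation: a scheduled class, a per-use class,
and compromise-triggered rotation, with a no-reuse history.
Added illustration; not code from any product."""
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed policy: standard accounts rotate on a 60-day clock; privileged
# accounts rotate on every check-in (interval None), so each checked-out
# value is used once.
POLICY = {
    "standard": timedelta(days=60),
    "privileged": None,
}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper used for scheduling checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def generate_password(length: int = 24) -> str:
    """Random password from a CSPRNG, retried until every class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def fingerprint(pw: str) -> str:
    """Hash kept in the reuse history instead of the password itself."""
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class ManagedAccount:
    name: str
    account_class: str
    password: str = field(default_factory=generate_password)
    rotated_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    checked_out: bool = False
    history: set = field(default_factory=set)   # fingerprints of every past value
    audit: list = field(default_factory=list)   # (timestamp, reason) per rotation

    def __post_init__(self) -> None:
        self.history.add(fingerprint(self.password))

    def rotate(self, reason: str, now: Optional[datetime] = None) -> str:
        """Replace the password with a fresh value never used on this account."""
        now = now or datetime.now(timezone.utc)
        while True:
            candidate = generate_password()
            fp = fingerprint(candidate)
            if fp not in self.history:
                break
        self.history.add(fp)
        self.password = candidate
        self.rotated_at = now
        self.audit.append((now, reason))
        return candidate

    def rotation_due(self, now: Optional[datetime] = None) -> bool:
        """True when a scheduled rotation is overdue (expiry-style enforcement)."""
        interval = POLICY[self.account_class]
        if interval is None:
            return False            # rotated on check-in, not on a clock
        now = now or datetime.now(timezone.utc)
        return now - self.rotated_at >= interval

    def check_out(self) -> str:
        if self.checked_out:
            raise RuntimeError(f"{self.name} is already checked out")
        self.checked_out = True
        return self.password

    def check_in(self, now: Optional[datetime] = None) -> None:
        self.checked_out = False
        if POLICY[self.account_class] is None:
            self.rotate("check-in", now)   # the used value is retired immediately

    def on_compromise(self, now: Optional[datetime] = None) -> str:
        """Breach notice for this account: rotate regardless of schedule."""
        return self.rotate("compromise report", now)


def due_for_rotation(accounts: List[ManagedAccount], now: datetime) -> List[str]:
    """Names of accounts whose scheduled rotation has lapsed."""
    return [a.name for a in accounts if a.rotation_due(now)]
```

The history stores only hashes of past values, so the no-reuse check never requires keeping retired passwords in the clear; the audit list gives the record a reviewer would look for when checking that the privileged account was actually rotated after each use.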
The Challenges and Risks of Manual Password Rotation
Although password rotation is widely regarded as a security best practice, in environments that depend heavily on manual password management, frequent rotation can actually increase the risk of compromise. Why? A person today may have dozens, or even more than a hundred, personal passwords to manage; in an organization, the number is often far higher.
In the simplest environments, a user could record credential values in a spreadsheet and then manually log in to the associated accounts and systems to change them, but this does not scale. Manual rotation of some privileged credentials (e.g., hard-coded passwords and keys embedded in applications and scripts) is usually impractical, because every place the value is embedded must be found and updated.
The sheer number of credentials to rotate and manage means that, when left to humans, password best practices are followed poorly. A strong password is 12 or more characters long, is not a dictionary word or a predictable pattern, and has not previously been used by that person on any work or personal account.
As the number of constantly rotating passwords grows, employees forget them more often and lock themselves out of systems. To compensate, they reuse the same password across multiple work and personal accounts, choose easy-to-guess passwords, or write passwords down on paper or in electronic documents such as Word files or spreadsheets. The danger is that an attacker who obtains an email address, username, and password from one breached service can replay that combination against other services (credential stuffing). Using the same credential on a server, an application, a network switch, and a social media account means that compromising any one of them compromises all of them.
Automating Password Management Improves Security
Since it is not realistic for people to follow best practices when manually creating and changing large numbers of passwords, password management tools can automate the process.
Password managers are software applications that enforce best practices for generating, rotating, and protecting passwords (for example, by encrypting the stored vault). They may be cloud-based, browser-based, or installed on the desktop. After the user unlocks the vault with a master password or key, the manager retrieves the correct password from its database and authenticates to the system or application, typically by filling the login form.
While password management automation is gaining ground, most organizations still rely, to some degree, on manual password management. As a result, passwords are often rotated and audited inadequately in practice, leaving organizations exposed to privileged credential abuse.
Personal Password Managers and Enterprise/Privileged Password Managers
Personal password managers handle login information for standard users. They generate random passwords, protect them with a single master password the user must remember, and can log the user in automatically to the resources they use.
Enterprise password managers, or privileged password managers, are a specialized subset of password managers used to manage credentials for enterprise privileged accounts (root, admin, etc.), SSH keys, and the embedded or hard-coded credentials often found in applications. This last use case is especially important for security: many IT devices (routers, firewalls, IoT devices, and so on) ship with embedded or default credentials that must be inventoried, changed, and regularly rotated; otherwise they offer attackers an easy backdoor into critical systems.
A privileged password management (PPM) solution can ensure that all privileged credentials (from thousands to millions of them) are rotated at intervals set by policy, which will depend on credential type, security importance, and other attributes. These solutions can also synchronize a password change in the directory where the account resides with the corresponding change in every system, device, application, or service where the password is used, so that dependent services keep authenticating after the rotation and no downtime results.
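The synchronization just described is what separates a safe rotation from an outage: the directory is changed first and verified, then every consumer of the password is updated and checked, and if any step fails the whole change is rolled back so nothing is left holding a value the directory no longer accepts. The following is an added illustration written for this page, not a product's code; `Directory` and `Consumer` are simulated stand-ins for an identity store and for the services that store the account's password, and the `fail_on_update` flag is fault injection assumed here to exercise the rollback path.

```python
"""Rotating a service-account password in the directory and in every
system that stores it, verifying each step and rolling back on failure.
Added illustration with simulated endpoints; not a product's code."""
import secrets
from typing import List, Optional, Tuple


class Directory:
    """Stand-in for the identity store that owns the account (AD, LDAP)."""
    def __init__(self) -> None:
        self._passwords = {}

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def bind(self, account: str, password: str) -> bool:
        return self._passwords.get(account) == password


class Consumer:
    """A place the password is used: a service, scheduled task, app config."""
    def __init__(self, name: str, directory: Directory, current: str,
                 fail_on_update: bool = False) -> None:
        self.name = name
        self.directory = directory
        self.stored = current
        self.fail_on_update = fail_on_update   # assumed fault injection for the demo

    def update(self, password: str) -> None:
        if self.fail_on_update:
            raise IOError(f"{self.name}: could not write the new secret")
        self.stored = password

    def healthcheck(self, account: str) -> bool:
        """Does this consumer still authenticate with what it has stored?"""
        return self.directory.bind(account, self.stored)


def rotate_with_sync(directory: Directory, account: str, current: str,
                     consumers: List[Consumer],
                     new_password: Optional[str] = None) -> Tuple[bool, str, List[str]]:
    """Returns (success, password now in effect, log of steps).

    `current` is the value the vault knows to be live; it is needed for
    rollback because the directory will not hand back the old password."""
    log: List[str] = []
    new = new_password or secrets.token_urlsafe(24)
    updated: List[Consumer] = []

    def rollback(reason: str) -> Tuple[bool, str, List[str]]:
        log.append(f"rollback: {reason}")
        directory.set_password(account, current)
        for c in updated:                     # only consumers already switched
            try:
                c.update(current)
            except IOError as exc:
                log.append(f"rollback of {c.name} failed: {exc}")
        return False, current, log

    # Phase 1: change the directory and prove the new value binds.
    directory.set_password(account, new)
    if not directory.bind(account, new):
        return rollback("directory rejected the new password")
    log.append("directory updated and verified")

    # Phase 2: push to every consumer and verify each one before moving on.
    for c in consumers:
        try:
            c.update(new)
        except IOError as exc:
            return rollback(str(exc))
        updated.append(c)
        if not c.healthcheck(account):
            return rollback(f"{c.name} failed authentication after update")
        log.append(f"{c.name} updated and verified")

    return True, new, log
```

The order matters: if consumers were updated before the directory, every one of them would fail authentication until the directory change landed; changing the directory first and verifying each consumer immediately keeps the window in which a consumer holds a stale value as short as possible, and the rollback restores the previous value everywhere when synchronization cannot complete.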