Password Rotation

Why is password rotation the need of the hour?

So what is meant by password rotation?

Password rotation means changing or resetting one or more existing passwords. By limiting a password's lifespan, it shrinks the window of time during which a stolen password remains valid and so reduces the risk of password-based attacks. The rotation frequency should vary with the age and importance of the password.

A standard user account may only need its password changed every 60-80 days, which can be enforced through password expiration. For an organization's most sensitive accounts, and for privileged accounts (e.g., root, domain admin), one-time passwords (OTPs) should be used. And if a password is known to have been compromised (for example, a third party notified you that your login credentials were leaked), change it immediately.

Why implement password rotation?

Now that we know what password rotation means, the next question is why anyone should implement it. The following scenario shows why it belongs on every system you run.

Most people tend to use the same password in their professional and personal lives. Consider an employee at an IT firm who creates some password for a software service the company uses. Because he works in that software regularly, he will most probably pick a password that is easy for him to remember. Fair enough. The chances are high that he will then choose nearly the same password for his personal Google account or other accounts that have nothing to do with his employer, so that he does not need to remember dozens of passwords. That is predictable, because it makes his life easier. The problem arises when any of his personal accounts is compromised: the company he works for suffers directly or indirectly, because attackers holding that stolen password can now easily get into the company's software.

People use more and more sites personally, and a greater number of those sites are getting hacked. Increasingly, we face the risk that a password duplicated from one organization is used without permission to compromise another organization's security. Nowadays even the supposedly secure sites of major businesses have credentials stolen and reused elsewhere. Password rotation in your organization has a hidden benefit: it prevents your employees from using the same password in every area of their lives.

It is no longer possible to access critical IT resources through your employee's Facebook login. This is good news for IT admins!

Some additional advantages of password rotation:

The number of employees in any organization is never constant; it is always changing. Some employees leave and new ones replace them. Forcing password changes prevents former employees from retaining access to company systems. This matters even more for teams in which several users share one account. Although password sharing is not recommended, it is common: credentials are often shared with other team members so that work is not blocked when one member is away. A more secure solution is either to give every employee their own account on a system, or to use a system that generates and logs passwords automatically via PAM (Privileged Access Management).

The impact of a successful breach can be minimized. IT admins usually protect the shadow password files (Linux) and SAM files (Windows) that hold user credentials very well. Backups, though common and necessary in today's business landscape, tend to be secured less carefully, particularly older ones. An attacker who breaches one of these older backups can obtain usernames and the protected (hashed) passwords stored with them. Computing power is increasing so quickly that cracking the cryptographic algorithms used to protect these credentials is now much easier and faster. With forced password rotation, no two passwords over time will be the same, so an attacker who cracks an old backup ends up with only usernames and stale passwords, substantially reducing the impact of a breach.

How to implement password rotations?

By now you may have decided to implement password rotation to secure your organization against possible breaches. There are two ways to do it: manually or automatically. We will look at both, but automated password rotation is recommended.

Although password rotation is a widely accepted security practice, frequent rotation actually increases the risk of an exploit where manual password management is heavily used. How can that be? We will put it simply below.

Manually rotating passwords:

An individual today may have to manage dozens, if not hundreds, of personal passwords, and organizations have even more. Rotating credential values in an Excel spreadsheet and then manually logging into each system to change them works for simple cases, but it is not good practice. Furthermore, some types of hardcoded passwords are unlikely to be manageable manually at all. When employees must remember a large number of constantly changing passwords, they are more likely to forget them, potentially locking themselves out. To compensate, they often reuse the same password across accounts, choose easily guessable passwords, or record passwords on paper or in electronic documents such as Microsoft Word or Google Sheets. The danger is that attackers can correlate not only the email addresses and usernames but also the passwords of compromised accounts with other services that may share the same password. Using the same credentials on a server, an application, a software service and a social media account, for example, puts all of those accounts at risk if one is compromised.

Automated Password Rotation:

Managing passwords automatically enhances security. For most people it is not feasible to create and change passwords by hand while following best practices, but this can be automated with password management tools. A password manager ensures that passwords are generated, rotated and secured (e.g., via encryption). It may be cloud-based, browser-based or a desktop application. To use one, the user authenticates to the manager with a master password or key, which lets the system retrieve the correct password from its database and authenticate to the target system or application. Although more organizations are automating password management, many still rely on manual, human-driven practices. Consequently, they are unable to rotate and audit passwords continuously, leaving them vulnerable to privileged-credential exploits.

It is clear that automated password rotation can protect you in a digital era in which cyber breaches have reached new heights. If you want to adopt a password manager today, there are two kinds on the market: personal password managers and enterprise password managers.

Which password managers to use: Personal or Enterprise?

Standard users can manage their passwords with personal password tools. These generate random passwords, keep them behind a single master password, and automatically log the user into the applications or sites they use. Privileged password managers are a specialized subset meant to manage passwords for enterprise privileged accounts (root, admin, etc.). Many IT devices ship with embedded and/or default credentials, which must be monitored and rotated; otherwise attackers can easily gain access to critical systems. With privileged password management (PPM), all the privileged credentials (thousands or millions) used in your organization are rotated at intervals set by your policy, depending on whether the credential is high-value, low-value, or somewhere in between. In addition, these enterprise password security solutions can synchronize a password change made in the directory where the account resides with the system, device, application or service that uses the password, so that no downtime occurs.
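As an added example (not code from this post or from any PPM product), here is a small policy-driven rotation check in Python that combines the frequency rule given earlier (standard accounts on a 60-80 day cycle, known-compromised credentials immediately) with the tiered intervals an enterprise tool applies. The tier names, the 1-day interval for high-value credentials and the sample inventory are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Rotation interval in days per tier (assumed: the post only fixes 60-80 days
# for standard accounts; 1 day for high-value credentials is a placeholder).
POLICY_DAYS = {"standard": 60, "high-value": 1}
ALPHABET = string.ascii_letters + string.digits + string.punctuation

@dataclass
class Credential:
    name: str
    tier: str                  # "standard" or "high-value"
    last_rotated: date
    compromised: bool = False  # set when a third party reports a leak

def rotation_due(cred: Credential, today: date) -> bool:
    """True if policy requires rotating this credential today."""
    if cred.compromised:       # known-compromised: rotate immediately
        return True
    return today - cred.last_rotated >= timedelta(days=POLICY_DAYS[cred.tier])

def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with every character class present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def rotate_due(creds: list, today: date) -> list:
    """Rotate every due credential and return (name, new_password) pairs.
    Pushing each new secret to its target system is left to the caller."""
    rotated = []
    for c in creds:
        if rotation_due(c, today):
            c.last_rotated = today
            c.compromised = False
            rotated.append((c.name, generate_password()))
    return rotated

INVENTORY = [  # constructed sample inventory, not real accounts
    Credential("alice-workstation", "standard", date(2024, 1, 1)),
    Credential("svc-backup", "standard", date(2024, 2, 20)),
    Credential("root-db01", "high-value", date(2024, 2, 28)),
    Credential("bob-vpn", "standard", date(2024, 2, 1), compromised=True),
]
```

Run on 1 March 2024, `rotate_due(INVENTORY, date(2024, 3, 1))` rotates alice-workstation (60 days old), root-db01 (past its 1-day interval) and bob-vpn (reported compromised), and leaves svc-backup alone.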
