What this title really should say is “the cons and cons of frequent manual password rotation”. To be honest, I can’t think of a single good reason why anyone should be subjected to frequent manual password rotations. There is nothing about that concept that screams “Good Idea”.
Now, before you run off let me explain.
Frequent password rotation is a great thing! I would even say, the more often it can be done, the better. What I’m focusing on is the concept of frequent MANUAL password rotation, because I can’t imagine anything good that comes of that. I remember seeing part of a presentation on this subject at the Blackhat conference in 2016—I can’t recall who presented it, so if you do, let us know so we can add their name here as a source of inspiration!
You’ve heard me speak about this, or seen me write about this concept, on a few occasions now; most likely my psychology background kicking in. Humans are fallible, mistake-prone beings! What’s even worse is, we don’t mean to be! We are actually wired this way. We take in so much information on a daily basis that our brain has to develop shortcuts for us to remember things, and to go a step further, our brains are extremely efficient at forgetting. They have to be. I mean, can you imagine if you remembered every single thing you read, heard, saw, smelled, tasted, and touched?
So we’re good at forgetting, and thus we have to come up with shortcuts to remember things. That’s probably why the post-it note became such an office staple to begin with: the ability to jot something down before you forget it, and post it somewhere to remind you later. What better thing to write down on a post-it note than that pesky password you have to try and remember?
Gone are the days when passwords made up of last names, birthdays, favorite colors and numbers will work. Well… we like to think those days are gone. Now we have such complex password requirements! There is no way we’ll remember that long string of random characters—so what is there left to do but write it down…
But let’s say you did remember that crazy complex password—P@$$w()rd!1, for example. Well, your company policy says that you need to change your password every 30 days. So now what?
We’ve all seen this, and many of us have probably done it ourselves… when it’s time to change to a new password, we change that 1 to a 2 and carry on our merry way. Then that’s all we have to remember: that it’s a 2 instead of a 1 now. But what happens if someone compromised that original password without me knowing? Maybe they’ll try a 2 as well! Presto chango—they’re back into my system. 30 more days go by, I change that 2 to a 3—and the cycle never ends, and the attacker still has access.
A LOT of passwords have been compromised in previous data breaches. How likely do you think it is that someone’s “new” password today is nothing more than one of those with a 1 changed to a 2?
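One defender-side way to catch the 1-to-2 change at the moment a user submits it. This is an added illustration, not code from the original post or from any product it mentions; the function names are my own, and the breached-password set is a constructed sample, not real breach data. Real deployments would compare hashes against a breach corpus rather than holding plaintext, but the comparison logic is the same: refuse a new password that is the old one with its trailing number bumped, that is within a couple of edits of the old one, or that is a trailing-number variant of something already in a breach dump.

```python
import re

# Trailing run of digits: "P@$$w()rd!1" -> stem "P@$$w()rd!", counter "1".
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def split_counter(password: str) -> tuple:
    """Split a password into (stem, trailing counter); counter is '' when absent."""
    m = _TRAILING_NUMBER.match(password)
    return (m.group(1), m.group(2)) if m else (password, "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character tweaks that are not a counter bump."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rejection_reasons(old: str, new: str, breached: set, max_edits: int = 2) -> list:
    """Return why a proposed change should be refused; an empty list means accept.

    Comparison is case-insensitive, so 'Password1' -> 'password1' counts as unchanged.
    `breached` holds lowercase plaintext passwords from a breach corpus (constructed
    here for the example; a real check would work on hashes).
    """
    lo, ln = old.lower(), new.lower()
    old_stem, _ = split_counter(lo)
    new_stem, _ = split_counter(ln)
    reasons = []
    if lo == ln:
        reasons.append("unchanged (case-insensitive)")
    elif old_stem == new_stem:
        reasons.append("only the trailing number changed")
    elif levenshtein(lo, ln) <= max_edits:
        reasons.append(f"within {max_edits} edits of the previous password")
    if ln in breached:
        reasons.append("appears in breach corpus")
    elif new_stem in {split_counter(p)[0] for p in breached}:
        reasons.append("trailing-number variant of a breached password")
    return reasons


# Constructed sample of a breach dump (all lowercase); NOT real data.
BREACHED = {"p@$$w()rd!1", "summer2019", "letmein"}

if __name__ == "__main__":
    changes = [("P@$$w()rd!1", "P@$$w()rd!2"), ("letmein", "Letmein!"),
               ("Summer2019", "summer2019"), ("P@$$w()rd!1", "correct horse battery staple")]
    for old, new in changes:
        print(f"{old!r} -> {new!r}: {rejection_reasons(old, new, BREACHED) or ['accepted']}")
```

The check only works because a manual password change hands the service both the old and the new value for a moment, which is exactly the kind of policy plumbing that automatic rotation makes unnecessary: a 100-character random value has no stem to bump and no near neighbour in any dump.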
So it can’t all be bad, right? I changed something on you; did you see it? It’s now Frequent AUTOMATIC Password Rotation, and THAT is the key here. Frequent password changes are a great added level of security when they’re done automatically. But why is this the case?
With some sort of password manager, such as a privileged access management (PAM) solution like Secret Server, your organization can have unique passwords for every single account that are 100 characters long and rotated every single day (if you choose), or every single time they’re even looked at. That makes compromising any account extremely difficult, and even if one is compromised, those credentials will soon be useless.
Automatic password rotation by a PAM solution can ensure that your organization can provide access to third-party vendors and know exactly what they are doing when they are accessing your systems. Typically, PAM solutions like Secret Server maintain a comprehensive, detailed audit history, session recordings, and activity logs of what that user did with the account. And again, once that third-party vendor checks the account back in, the password is automatically rotated and updated on the target system. So even if they wrote it down on a post-it note and stuck it on their monitor, it’s nothing more than a useless string of 100 random characters.
I touched on this briefly, but I want to call it out again. If a password is compromised, then depending on the automatic rotation rules and schedules, the password quickly becomes useless. If you had all your passwords breached today, and they were released in a large data dump on the “dark web” months later, none of those passwords would be valid anymore. They would have been automatically changed 100 times over. Now, if you had all of your passwords breached, you probably have a much bigger problem on your hands, but you get the picture.
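The checkout, check-in and rotate-on-check-in flow described in the last three paragraphs, as a toy model. This is my own added example, not Secret Server's or any vendor's code; `TargetSystem`, `Vault`, the account name `svc-backup` and the user names are constructed stand-ins, and the "target" verifies plaintext only to keep the model short (a real host checks a hash, and a real connector pushes the change over SSH, WinRM, LDAP or an API). It shows the three properties the text relies on: the password the vendor saw stops working the moment they check in, every action lands in an audit trail, and a copy "breached" today is dead after a year of daily rotations.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 100) -> str:
    """Random password from the OS CSPRNG (`secrets`), never from `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TargetSystem:
    """Hypothetical managed host; a real connector would push changes over SSH/WinRM/LDAP."""

    def __init__(self, account: str, password: str) -> None:
        self.account = account
        self._password = password

    def set_password(self, new_password: str) -> None:
        self._password = new_password

    def login(self, password: str) -> bool:
        return secrets.compare_digest(self._password, password)  # constant-time compare


@dataclass
class Secret:
    target: TargetSystem
    password: str
    checked_out_by: Optional[str] = None


class Vault:
    def __init__(self) -> None:
        self._secrets: Dict[str, Secret] = {}
        self.audit: List[dict] = []  # who did what to which account, and when

    def _log(self, action: str, account: str, user: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append({"at": stamp, "action": action, "account": account, "user": user})

    def onboard(self, target: TargetSystem) -> None:
        self._secrets[target.account] = Secret(target, password="")
        self.rotate(target.account, user="system")  # discard the password it came with

    def rotate(self, account: str, user: str) -> None:
        secret = self._secrets[account]
        new_password = generate_password()
        secret.target.set_password(new_password)  # update the target first...
        secret.password = new_password            # ...then the vault's copy
        self._log("rotate", account, user)

    def checkout(self, account: str, user: str) -> str:
        secret = self._secrets[account]
        if secret.checked_out_by is not None:
            raise PermissionError(f"{account} is checked out by {secret.checked_out_by}")
        secret.checked_out_by = user
        self._log("checkout", account, user)
        return secret.password

    def checkin(self, account: str, user: str) -> None:
        secret = self._secrets[account]
        if secret.checked_out_by != user:
            raise PermissionError(f"{account} is not checked out by {user}")
        secret.checked_out_by = None
        self._log("checkin", account, user)
        self.rotate(account, user="system")  # whatever the user saw is now useless


def demo() -> dict:
    host = TargetSystem("svc-backup", "P@$$w()rd!1")  # constructed legacy password
    vault = Vault()
    vault.onboard(host)
    legacy_still_works = host.login("P@$$w()rd!1")

    vendor_copy = vault.checkout("svc-backup", "vendor-alice")  # the post-it copy
    works_during_session = host.login(vendor_copy)
    vault.checkin("svc-backup", "vendor-alice")
    works_after_checkin = host.login(vendor_copy)

    dump = {"svc-backup": vault.checkout("svc-backup", "auditor-bob")}  # "breached" today
    vault.checkin("svc-backup", "auditor-bob")
    for _ in range(365):  # a year of the daily scheduled rotation job
        vault.rotate("svc-backup", user="scheduler")
    dump_still_valid = host.login(dump["svc-backup"])

    return {
        "legacy_still_works": legacy_still_works,
        "works_during_session": works_during_session,
        "works_after_checkin": works_after_checkin,
        "dump_still_valid": dump_still_valid,
        "rotations_logged": sum(e["action"] == "rotate" for e in vault.audit),
        "password_length": len(vendor_copy),
    }
```

Calling `demo()` returns the four login outcomes plus the audit count; the order inside `rotate` matters in practice, since writing the new value to the vault before the target has accepted it would leave the vault holding a password nobody can log in with.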
So, in closing? Frequent password rotation is better when it is done automatically. Case closed.