What Is Password Rotation and How to Do It Correctly?
We've talked about how difficult it is to create a good password policy. Part of the problem lies with the fact that this is not a set-and-forget task. Companies must continuously adapt to the shifts in the online threat landscape, and their password policies should be modified in accordance with the latest trends and changes. Is this happening in reality?
Well, in 2016, the National Institute of Standards and Technology (NIST), a non-regulatory agency that is part of the US Government, advised companies not to force their employees to change their passwords every few months. This was the exact opposite of what businesses had been advised previously, but NIST said there was plentiful evidence that mandatory password changes were adversely affecting people's online security. Many experts applauded NIST's advisory and continue to support it, but despite this, even now, close to four years later, some organizations still force their employees to change their passwords regularly.
Frequent password changes lead to password rotation
The main problem with forcing people to change their passwords frequently is that the stress you put on them leads to mistakes that could have serious consequences for their online security. You all know how difficult creating a strong password is, and you can only imagine how tough it could be if you need to do it on a regular basis.
Because it's such a burden, people who need to change their passwords often opt to save themselves the trouble and make simple modifications to their existing passwords (e.g., swapping "password1" for "password2"). Another strategy people have adopted is to create a limited list of three or four passwords that they periodically rotate.
Security experts can list multiple reasons why password rotation is a bad idea. The user usually tries to memorize the three or four passwords, and as a result, the credentials aren't very strong. Another problem comes from the fact that each password in the list becomes valid again every few cycles. In theory, if a hacker has one of the passwords you rotate, they can periodically test it against your account, and eventually, they will get the timing right and break in successfully.
The overall case against periodic password changes stems from the fact that cybercriminals don't wait for you to change your password before they try to compromise your account, but the repetitive way in which credentials are switched in a password rotation scenario makes people who pick this strategy especially vulnerable. Unfortunately, as we mentioned already, sometimes the other options are limited.
What can you do if password rotation is the only option?
Some organizations still enforce regular password changes, which means that password rotation is very much alive and kicking. Worse still, there are companies that don't allow the use of a password manager, which would eliminate the need to rotate passwords at all.
If you have little choice but to rotate a list of passwords, you can at least try to mitigate the risks as much as possible. Use a wide variety of characters and make the passwords look as random as possible. Creating a larger number of passwords further limits the chances of a successful compromise, but you must make sure that they are substantially different from one another. Last but not least, contact the person in charge of creating the password policy in your company and tell them that their idea of a secure framework is woefully outdated.