The National Institute of Standards and Technology (NIST) has recently updated its guidelines on password rotation, advising against the once-standard practice of requiring users to change their passwords every 30, 60 or 90 days – unless an organization has experienced a data breach. This marks a significant shift from traditional cybersecurity policies that aimed to prevent breaches through frequent password changes. However, NIST’s new stance may seem at odds with the real-world needs of organizations focused on reducing security risks.
Understanding password rotation
Password rotation refers to the practice of regularly changing passwords to minimize the risk of unauthorized access to sensitive information. There are two primary types of password rotation: manual and automatic.
Manual password rotation requires users to update their passwords at set intervals, while automatic password rotation relies on technology to generate passwords and replace them without user intervention.
While manual password rotation has been common practice, it often has the unintended effect of leading to weak passwords and user frustration. In contrast, automated password rotation enhances security by regularly generating strong and unique passwords without the user burden of having to generate or remember them.
NIST’s shift away from frequent manual rotation
NIST’s latest guidance discourages enforcing mandatory password changes every 30, 60 or 90 days unless there is evidence of a breach. This change stems from the realization that frequent mandatory password updates can lead to poor user behavior, such as creating weak or easily guessed passwords for convenience.
For example, when required to change passwords frequently, users may make only minor adjustments to an old password – like changing “Password1” to “Password2” – which weakens security and makes it easier for attackers to guess credentials using techniques like credential stuffing or brute force attacks. Those passwords are also frequently reused across multiple accounts.
NIST’s updated guidance recognizes that the effectiveness of frequent password changes is limited unless there is specific evidence of compromised credentials. Rather than focusing on how often passwords should change, NIST now emphasizes the use of strong passwords and Multi-Factor Authentication (MFA) as more effective means of enhancing security.
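The failure mode above (a user turning "Password1" into "Password2") is something a defender can catch at the moment of change rather than with a calendar. The following is an added example, not code from the article or from NIST: a small Python check in the spirit of NIST SP 800-63B that rejects blocklisted values and trivial variations of the previous password. The blocklist contents, the 8-character floor and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in blocklist. A real deployment screens new passwords
# against a large corpus of breached and commonly used values.
BLOCKLIST = {"password", "password1", "qwerty", "123456", "letmein", "welcome"}

MIN_LENGTH = 8          # assumed policy floor for user-chosen passwords
SIMILARITY_LIMIT = 0.8  # assumed threshold above which old and new count as the same


def normalize(pw: str) -> str:
    """Reduce a password to its alphabetic root, so 'Password1!' and
    'password2' both become 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is a counter bump, case change or other
    small edit of the old one."""
    old_root, new_root = normalize(old), normalize(new)
    if old_root and old_root == new_root:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT


def evaluate_change(old: str, new: str) -> list:
    """Return the reasons a password change should be rejected;
    an empty list means the new password is acceptable."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short")
    if new.lower() in BLOCKLIST or normalize(new) in BLOCKLIST:
        reasons.append("blocklisted")
    if is_trivial_variation(old, new):
        reasons.append("trivial variation of previous password")
    return reasons


if __name__ == "__main__":
    samples = [("Password1", "Password2"),
               ("Summer2023!", "Summer2024!"),
               ("Password1", "correct horse battery staple")]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accepted'}")
```

The root comparison is what catches the year or counter bump; the similarity ratio is a backstop for edits that change letters as well as digits. Both are cheap enough to run synchronously in a password-change handler.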
Why password rotation still matters
Despite NIST’s recommendation to reduce mandatory password rotation, it remains relevant in certain contexts – particularly for privileged accounts that hold access to sensitive systems and data. Rotating passwords can effectively limit exposure if credentials are compromised. Automated password rotation is essential because it:
- Prevents unauthorized access: Using the same password for extended periods increases the risk of a cybercriminal cracking it. Regularly changing passwords for sensitive accounts limits the time attackers have to exploit compromised credentials.
- Limits exposure time: Frequent password rotation reduces how long a stolen or compromised password can be used to damage, alter or steal data. For example, if an HR employee’s password is compromised, regular updates can minimize risk.
- Reduces the risk of password reuse: Manual password rotation often leads to users recycling or reusing variations of the same password. Automated systems mitigate this by generating strong, unique passwords, preventing users from adopting poor habits.
Additionally, password rotation is a critical measure for organizations that have shared accounts or use contractors, and for securing accounts when offboarding employees.
The challenge of manual password rotation
While password rotation is still relevant, not all methods are created equal. Manual password rotation presents challenges, such as user fatigue, weak password creation and reduced productivity. Users may struggle to generate and remember new, strong passwords, opting instead for easily memorable patterns or predictable variations of old passwords, which makes accounts vulnerable to attacks.
Additionally, enforcing manual password rotation disrupts workflows. Employees may waste time trying to recall or reset forgotten passwords, detracting from their primary work duties. Frequent changes without automated systems can lead to more frustration than security.
Balancing security and usability with automated password rotation
Automated password rotation addresses the shortcomings of manual password changes while maintaining high levels of security. Organizations can benefit from:
- Reduced user burden: Automated systems eliminate the need for users to remember or create new passwords. By generating and replacing passwords automatically, employees can focus on their work without interruptions.
- Stronger password practices: Automated systems ensure that new passwords meet complexity requirements, reducing the chances of successful brute force or credential stuffing attacks.
- Enhanced security for privileged accounts: Privileged accounts benefit the most from automated password rotation, as regular updates limit exposure time and ensure even insiders cannot exploit static credentials.
- Minimal disruption: Automated password rotation happens behind the scenes, allowing users to continue their work without needing frequent password resets.
Implementing automated password rotation securely
To implement automated password rotation, organizations should consider using a Privileged Access Management (PAM) solution that automates the generation, rotation and secure storage of passwords. This ensures strong passwords are regularly updated and stored in an encrypted vault, accessible only to authorized accounts based on the principle of least privilege to limit exposure.
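The policy the article lays out (rotate on evidence of compromise for anyone, on a schedule for privileged accounts, and when a shared credential's user leaves, but not on a calendar for ordinary users) can be written down as code. The following is an added example, not code from the article or from any PAM product: a Python rotation pass that generates machine-chosen secrets with the standard library's CSPRNG, decides per account whether and why to rotate, and stores the result in a stand-in vault that enforces least privilege on retrieval. The 30-day maximum age, the account inventory and the in-memory vault (which does not encrypt at rest, unlike a real PAM vault) are assumptions for illustration.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SPECIALS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
DEFAULT_TODAY = date(2024, 3, 1)  # constructed "today" for the demo inventory


def generate_password(length: int = 32) -> str:
    """Random secret from a CSPRNG. Nobody has to remember it, so it can be
    long; the loop only guarantees that every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


@dataclass
class Account:
    name: str
    privileged: bool
    shared: bool = False
    last_rotated: date = date(2024, 1, 1)
    compromised: bool = False        # evidence of breach for this credential
    user_offboarded: bool = False    # someone who knew this credential has left


@dataclass
class Vault:
    """Stand-in for a PAM vault (assumption): an in-memory dict plus an ACL.
    A real vault encrypts entries at rest and audits every retrieval."""
    entries: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)  # account name -> set of allowed principals

    def store(self, account: str, password: str) -> None:
        self.entries[account] = password

    def retrieve(self, principal: str, account: str) -> str:
        # Least privilege: only principals explicitly granted this account may read it.
        if principal not in self.acl.get(account, set()):
            raise PermissionError(f"{principal} is not authorized for {account}")
        return self.entries[account]


def rotation_reason(acct: Account, today: date, max_age_days: int = 30) -> Optional[str]:
    """Decide whether an account needs a new credential today and why.
    max_age_days is an assumed policy value for privileged accounts."""
    if acct.compromised:
        return "evidence of compromise"             # applies to every account
    if acct.shared and acct.user_offboarded:
        return "shared credential known to a departed user"
    if acct.privileged and (today - acct.last_rotated).days >= max_age_days:
        return "privileged account past maximum age"
    return None  # ordinary user accounts: no calendar-driven change


def run_rotation(accounts: list, vault: Vault, today: date) -> list:
    """Rotate every account that needs it, store the new secret, and return
    (account, reason) pairs for the audit log."""
    actions = []
    for acct in accounts:
        reason = rotation_reason(acct, today)
        if reason is None:
            continue
        vault.store(acct.name, generate_password())
        acct.last_rotated = today
        acct.compromised = False
        acct.user_offboarded = False
        actions.append((acct.name, reason))
    return actions


def demo(today: date = DEFAULT_TODAY):
    """Constructed sample inventory; returns (actions, vault) for inspection."""
    accounts = [
        Account("svc-db-admin", privileged=True),
        Account("hr-user", privileged=False),
        Account("contractor-shared", privileged=False, shared=True, user_offboarded=True),
        Account("breached-user", privileged=False, compromised=True),
    ]
    vault = Vault(acl={"svc-db-admin": {"backup-job"}})
    return run_rotation(accounts, vault, today), vault


if __name__ == "__main__":
    actions, vault = demo()
    for name, reason in actions:
        print(f"rotated {name}: {reason}")
    print("backup-job retrieved a", len(vault.retrieve("backup-job", "svc-db-admin")), "character secret")
```

The order of checks in `rotation_reason` matters: compromise evidence wins regardless of account type, which is exactly the one trigger NIST keeps for everyone, while the age rule is only ever reached for privileged accounts. The returned reasons are meant to land in an audit trail so that each rotation can be traced back to the policy clause that caused it.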
Embracing a modern approach to password security
NIST’s updated guidelines reflect a more nuanced approach to password security, emphasizing the importance of strong, unique passwords while de-emphasizing frequent manual rotation. However, password rotation remains critical for privileged accounts.
Automated password rotation is key to balancing security and usability in today’s complex threat landscape. Organizations should adopt modern PAM solutions to implement strong password practices without burdening users, ensuring sensitive data remains protected while maintaining productivity. By embracing automated password rotation, businesses can stay ahead of cyber threats and protect their most critical systems and information.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro