The headline of an Ars Technica article on password rotation recently caught my attention: “Frequent Password Changes are the Enemy of Security.” The article, which highlights a BSides Las Vegas keynote by FTC Chief Technologist Lorrie Cranor, explains that contrary to what we’ve been told for years, frequent password changes can be counterproductive.
Citing research from both the University of North Carolina at Chapel Hill and Carleton University, Cranor noted that people who are compelled to change their passwords regularly – typically every 90 days – tend to simply update their old password in a very small way, like adding quotation marks or an exclamation point at the end. This practice, called “transformation,” results in passwords that are very easily cracked by attackers. In short, she argues that such password changes waste employees’ time and do not make an organization more secure.
She’s right – frequent password changes executed by individual users are often exercises in futility for the reasons noted above, but that doesn’t mean that passwords shouldn’t be rotated. It means that organizations must get smarter about how the process is managed – this is particularly important when it comes to privileged accounts that provide access to sensitive data and critical systems. Without controls in place to proactively secure and manage these privileged accounts and credentials, organizations can face an increased risk of data breaches, insider threats, irreparable system damage, failed audits and fines.
Instead of leaving the management of privileged passwords with IT administrators, organizations should consider a privileged account security solution that can automate the process – discovering, securing, rotating and controlling access to privileged account passwords used to access systems across their enterprise IT environment.
Consider this example: a global financial services provider with nearly 60,000 employees worldwide wanted to remove the physical labor of managing highly privileged passwords manually, while simultaneously augmenting its operational efficiency. They deployed the CyberArk Enterprise Password Vault. Not only did this eliminate a window of opportunity for passwords to be compromised – by accident or otherwise – it also helped the bank to meet stricter audit requirements. Furthermore, the company can now enforce an enterprise-wide policy, managing the entire lifecycle of shared and privileged accounts across the business. To learn more about CyberArk customer deployments, refer to the case studies available on our website.
Returning to the headline that caught my eye, let’s add four critical words to the end: “Frequent Password Changes are the Enemy of Security Without Proper Password Management.”