Password Reuse And Rotation

By Rajat Bhargava Posted April 15, 2018


We have previously written about why you should avoid password reuse. In short, when employees reuse passwords across sites, it increases their company’s chances of getting hacked.

Limited Options in Addressing Password Reuse

There’s not much that IT admins can do, aside from encouraging password managers, to address this security concern, since they have no control over their users’ passwords on personal sites. Nothing can prevent people from reusing their personal passwords as their corporate passwords and vice versa. That’s an issue, because if a site that a user relies on in their personal life gets hacked, the breach compromises every IT resource they can access with that same reused password.

Perhaps the best way to address password reuse is to utilize multi-factor authentication (MFA) wherever possible. But, it is important to note that MFA is not available everywhere. With that in mind, the second best way to address password reuse is to educate your users. Let them know that password reuse puts not only their personal data at risk, but company data also. In addition, teach them about password managers that enable a user to set long, complex passwords for each service they use all without having to remember every single password. If that doesn’t work, institute a company-wide initiative to make password managers a requirement. 

Rotating Weak Passwords Helps No One

Some networks ask their users to regularly update their passwords to diminish the likelihood of a breach. This can be effective, but users sometimes take the easy way out and simply swap back and forth between the same two passwords. By retreading a former password, these users completely defeat the intent of password rotation.

Proactive developers have attempted to increase security by disallowing users from changing their password to their previous password. But delving a bit deeper, the cracks begin to show. 

Generally, sites block only the immediately previous password, though many look further back than that. In either case, your users could still be cycling through the same stable of three or more passwords from service to service. It is important for them to remember that the purpose of these tactics is to promote better password usage, not to reuse the same ones. So, the next time a compliance regulation or security event forces a password change, encourage your users to pick something much stronger than what they’ve been using.

If a user is rotating between a few passwords in their work life, it is likely they are doing the same in their personal life. They may even be using the same passwords in many of those scenarios across both their personal and professional lives. So when major hacks happen, as with the recent surfacing of 2.2 billion stolen email and password combinations online, there is potential for some of those leaked passwords to correspond with your users’ work accounts and leave you at risk. The ability to quickly change all of a user’s passwords via an automated password service is also a handy tool in your belt in this case.

NIST 800-63 Guidelines and Password Reuse / Rotation 

To help users, NIST 800-63 guidelines recommend changes to traditional password management. These new guidelines state that users should use long, easy-to-remember passwords free from complexity requirements. For example, passwords could be short sentences instead of a simple word with a number and special symbols tacked on, like ‘Password1!’ Or, the password could be a series of popular words strung together. Then, a user should only update their password when it has been compromised. Some service providers are great at alerting account holders when potentially nefarious logins are detected from IP addresses that a user is unlikely to access a service from. 
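The history check described under "Rotating Weak Passwords Helps No One", combined with the NIST 800-63B guidance above, as an added example that is not JumpCloud's code: a per-user store of salted hashes of the last N passwords, plus a minimum-length check and a lookup against a compromised-password list (both recommended by 800-63B). The breach list, the history depth and the class and function names are constructed for illustration. It also shows the weakness the text notes: a user who cycles through more passwords than the history depth can return to an old one.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a real compromised-password corpus, kept as
# SHA-1 hex digests the way such lists are commonly distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "letmein", "qwerty123")
}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow KDF so stored history entries are not cheaply reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Remembers the current and last `depth - 1` passwords of one user as salted hashes."""

    def __init__(self, depth: int = 5, min_length: int = 8):
        self.depth = depth
        self.min_length = min_length
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, hash), newest first

    def check(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the password is acceptable."""
        if len(candidate) < self.min_length:
            return "too short"
        if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
            return "found in breach corpus"
        for salt, digest in self._entries:
            # Constant-time compare against each remembered hash.
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return "matches current or a recent password"
        return None

    def set_password(self, candidate: str) -> bool:
        """Accept and record the password only if it passes every check."""
        if self.check(candidate) is not None:
            return False
        salt = os.urandom(16)
        self._entries.insert(0, (salt, _hash(candidate, salt)))
        del self._entries[self.depth:]  # forget anything older than `depth`
        return True
```

With a depth of 2 and three successive passwords, the first one ages out of history and is accepted again, which is why the depth must exceed the number of passwords a user is likely to cycle through.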

That said, it is critical that your users understand that they are not to share passwords between their work and personal lives. This is an area where instituting a password manager really makes a lot of sense, so that you can help your users protect valuable company data.

Stronger Measures to Decrease Password Reuse

Of course, there are numerous other ways that IT admins can encourage their users to be safer. Mandating and implementing MFA across as many resources as possible ensures that user logins are protected. With MFA in place, IT admins cultivate peace of mind because even if their users fail to practice good password habits, they have a second line of defense against bad actors.

Use One Strong Identity With JumpCloud

True Single Sign-On™ from JumpCloud enables your organization to leverage password guidelines set forth by NIST 800-63 plus many others like PCI and HIPAA where password rotation may be necessary. JumpCloud enables you to set whatever kind of password requirements that you seek to implement. Then, that password is centrally managed and controlled for access to work-related computers, networks, applications, and files. 

If a user’s identity is compromised, with JumpCloud an admin can then reset the user’s password, or the user can self serve, and that change is propagated out to all of the resources the user is associated with through JumpCloud. 

Learn More About JumpCloud

Ready to get on top of password reuse and rotation in your organization? Reach out to a product expert today and see how JumpCloud can help you become more secure. 

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
