
We have previously written about why you should avoid password reuse. In short, when employees reuse passwords across sites, a breach at any one of those sites increases their company's chances of being hacked.

Limited Options in Addressing Password Reuse

There is not much that IT admins can do about this directly, since they have no control over their users' passwords on personal sites. Nothing prevents people from reusing their personal passwords as their corporate passwords and vice versa. That is a problem, because if a site a user signs up for in their personal life gets hacked, the leaked password can be replayed against every other account where the user reused it, including accounts that grant access to the corporate network.

Rotating Passwords to Increase Security

Some organizations ask their users to update their passwords regularly to shorten the window in which a leaked password remains useful. This can be effective, but users often take the easy way out and simply swap back and forth between the same two passwords. By retreading a former password, these users completely defeat the intent of password rotation.

Proactive developers have tried to close this gap by refusing to let users change their password back to their previous one. Sounds good, right? But delving a bit deeper, the cracks begin to show. Generally these sites still accept the password before that one, so users merely need a rotation of three passwords.

If a user is rotating among a few passwords in their work life, it is likely they are doing the same in their personal life, and often the very same passwords serve both. So when major hacks happen, as with the 2012 LinkedIn breach, whose roughly 117 million email and password pairs surfaced for sale in 2016, it is not just the people themselves at risk, but their employers as well.

Stronger Measures to Decrease Password Reuse

Of course, there are numerous other ways that IT admins can encourage their users to be safer. As we discussed earlier, having different passwords across all services is a good start. So is using a password manager. For corporate solutions such as G Suite™ (formerly Google Apps) and AWS®, adding multi-factor authentication is also a huge step forward.

Improving Password Rotation Security


One subtle yet powerful step that IT admins can take is to enforce a password history: block reuse of the last several passwords, not just the last one. Disallowing the previous 5, 7, or even 10 passwords forces users to come up with a genuinely new password at every rotation.

If those passwords rotate on a reasonably frequent basis, the passwords across a user's personal and professional lives fall out of sync and cease to overlap. This one setting sharply reduces the chance that the hacking of a user's personal account exposes your network. It does not make the organization immune, though: a user can still step through predictable variants such as an incrementing number, so pair history enforcement with a minimum password age and screening of new passwords against known-breached lists.
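To make the mechanics concrete, the following is an added example written for this post, not JumpCloud's password builder code. It covers both the weak scheme above, which blocks only the immediately previous password and so admits a three-password rotation, and a deeper history of the kind recommended here. It assumes a per-user history of salted scrypt hashes; HISTORY_DEPTH, PasswordHistory, simulate_rotation and the sample password sequences are names and data chosen for the example.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, List, Optional, Tuple

# Parameters assumed for this example; they are not taken from any product.
HISTORY_DEPTH = 10   # the current password plus this many previous ones may not be reused
SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # interactive-login cost settings


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted scrypt hash and return (salt, digest). A fresh salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Per-user record of the current password hash plus the last `depth` previous ones.

    Only salted hashes are stored; the history must never hold plaintext. Because every
    entry carries its own salt, a candidate has to be re-derived against each entry.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        # Bounded deque: appending beyond depth + 1 entries silently drops the oldest hash.
        self.entries: Deque[Tuple[bytes, bytes]] = deque(maxlen=depth + 1)

    def is_reused(self, password: str) -> bool:
        return any(verify_password(password, salt, digest) for salt, digest in self.entries)

    def set_password(self, password: str) -> bool:
        """Accept the change unless the password matches the current or a remembered one."""
        if self.is_reused(password):
            return False
        self.entries.append(hash_password(password))
        return True


def simulate_rotation(depth: int, changes: List[str]) -> List[bool]:
    """Replay a sequence of password changes and report which ones the policy accepted."""
    history = PasswordHistory(depth)
    return [history.set_password(p) for p in changes]


if __name__ == "__main__":
    # Constructed sequences, not real user data.
    # depth=1 is the "only the previous password is blocked" scheme: A -> B -> A is refused,
    # but A -> B -> C -> A is accepted, so the user settles into a three-password rotation.
    print(simulate_rotation(1, ["A", "B", "A", "C", "A"]))   # [True, True, False, True, True]
    # depth=10 keeps "A" blocked until ten other passwords have been used after it.
    others = [f"pw{i}" for i in range(11)]
    print(simulate_rotation(HISTORY_DEPTH, ["A"] + others[:10] + ["A"]))   # last change refused
    print(simulate_rotation(HISTORY_DEPTH, ["A"] + others + ["A"]))        # last change accepted
```

The history is deliberately a bounded deque of hashes rather than a list of plaintexts: if the user database leaks, old passwords must not be readable either, since users may still be using them elsewhere. Note what this check does not do: "Summer2017!" followed by "Summer2018!" passes a pure history check, which is why a minimum password age and a breached-password screen belong alongside it.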

Stop Password Reuse with JumpCloud®

JumpCloud® Directory-as-a-Service® password builder functionality enables IT admins to set whatever threshold they would like for password reuse.

Our advice is to set it high. Not only will it force your users to come up with new passwords, but it will help keep them out of sync with the web services that they use personally. That means your IT admins finally can sleep at night knowing that password reuse isn’t going to undermine your organization’s security.

If you would like to learn more about how JumpCloud Directory-as-a-Service can help secure your infrastructure, drop us a note. Also, feel free to check out our cloud-based directory yourself. Your first 10 users are free forever.
