Credential Rotation

The idea that rotating passwords and keys on a schedule is, by itself, a beneficial security practice is a myth. Credential rotation is a valid reactive measure after a suspected breach, and it is sometimes a compliance requirement, but it does not prevent the leak that makes rotation necessary in the first place. Instead of focusing on credential rotation, focus on preventing leakage in the first place.

Password Rotation


Scheduled password rotation doesn't work.

Forcing users to rotate passwords on a regular basis can lead to worse security: it encourages poor password hygiene while offering little benefit against modern attacks, since an attacker who phishes or steals a password normally uses it long before the next scheduled change. Users tend to make predictable incremental changes (Summer2023! becoming Summer2024!) or simply reuse the same password across multiple accounts. Many users also end up writing their passwords down on a sticky note or elsewhere, which leads to even more compromises. NIST SP 800-63B reflects this: verifiers should not require memorized secrets to be changed arbitrarily, only when there is evidence of compromise.

What works?

Require strong passwords with a minimum of 75 bits of entropy; we recommend a minimum password length of 20 characters. Screen every new password against lists of commonly used passwords and previously breached passwords so that weak credentials never enter the system in the first place. Make MFA mandatory, implement conditional access, and use real-time monitoring so that credential abuse is detected when it happens rather than at the next scheduled rotation.
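The screening described above, as an added example that is not part of the original page: it enforces the 20-character and 75-bit thresholds with a crude entropy estimate and checks the password against a breach corpus using the same k-anonymity split (5-hex-character SHA-1 prefix, suffix compared locally) that Pwned Passwords uses, so the full hash never leaves the client. The breach corpus here is a constructed, hypothetical stand-in held in memory; the lookup function is where a real deployment would call the remote range endpoint.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Set

MIN_LENGTH = 20          # length recommendation from the text
MIN_ENTROPY_BITS = 75    # entropy recommendation from the text

# Constructed sample corpus standing in for a real breach list (hypothetical data).
# Real corpora are distributed as SHA-1 digests, so the index is built the same way.
_BREACHED_PLAINTEXTS = [
    "password", "123456", "qwerty123", "letmein", "Password1!",
    "correcthorsebatterystaple", "Summer2024!Summer2024!",
]

# Index by the first 5 hex characters of the SHA-1, the k-anonymity split:
# the client reveals only the prefix and compares suffixes locally.
_RANGE_INDEX: Dict[str, Set[str]] = defaultdict(set)
for _p in _BREACHED_PLAINTEXTS:
    _h = hashlib.sha1(_p.encode("utf-8")).hexdigest().upper()
    _RANGE_INDEX[_h[:5]].add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Stand-in for the remote range endpoint: all known suffixes for a 5-char prefix.
    A real implementation issues an HTTPS GET for the prefix and parses the response."""
    return _RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """SHA-1 is used only because breach corpora are keyed by it; never store passwords this way."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the character pool in use).
    Human-chosen strings have far less real entropy than this, which is exactly
    why breach screening runs alongside it."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def screen_password(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length {len(password)} < {MIN_LENGTH}")
    bits = estimate_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        failures.append(f"estimated entropy {bits:.1f} bits < {MIN_ENTROPY_BITS}")
    if is_breached(password):
        failures.append("appears in breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!Summer2024!", "tr0ub4dor-vestibule-kite-9"):
        print(repr(candidate), "->", screen_password(candidate) or "accepted")
```

The second candidate is the instructive one: it is 22 characters and scores well over 75 bits on the pool estimate, yet it is rejected because it sits in the breach corpus. Length and entropy rules alone would have let it through.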


Key Rotation


The Argument For Rotating Keys.

Key rotation is the process of regularly replacing the cryptographic keys used to encrypt data, authenticate systems, or authorize access to services. The argument is that it reduces the risk of attackers exploiting compromised or long-lived keys by limiting the period during which any single key is exposed, thereby enhancing overall security, satisfying regulatory requirements, and limiting the blast radius of a data breach. On this view, key rotation is important for mitigating risk and ensuring compliance, and is a good proactive measure against unforeseen threats and the potential exposure of secrets over time.

Rotating keys can be tricky.

There are many different types of keys: API keys, encryption keys, certificate private keys, access keys such as SSH keys, and more. There are definitely situations where key rotation is required, such as compliance obligations, preventing terminated employees from retaining access, or responding to a possible breach. However, key rotation creates unnecessary operational overhead and added complexity if it isn't automated. Frequent manual key rotations interrupt development cycles and carry a high risk of misconfiguration or system outages. Rotating keys can also lull an organization into a false sense of security.

Why are you rotating the keys?

Most of the time it is to limit the window in which an attacker can use a compromised credential, or to limit the amount of data encrypted under a single key. But consider what the first reason assumes: that an attacker may have obtained your previous key yet cannot obtain the current one. If you don't know whether a key has been compromised, how will you protect the new key any better than the old one? Note also that rotating a key, symmetric or asymmetric, does nothing for data already encrypted under it: unless that data is re-encrypted under the new key, anyone holding the old key can still decrypt it. If your current keys aren't secure, your rotated keys likely won't be either. Instead of relying on key rotation, focus on preventing key leakage in the first place.

What works?

Focus on preventing key leakage by applying least privilege to every key, so that a leaked key can do as little as possible. Implement MFA, Conditional Access and Zero Trust. For keys that do require rotation, use an automated process so that rotation is routine and repeatable rather than a manual, outage-prone event. Monitor key usage and activity in real time, and be able to revoke a compromised key instantly, because revocation, not the next scheduled rotation, is what actually ends an attacker's access.
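An added example, not code from the original page, covering both points made above: that rotation alone leaves already-encrypted data readable under the old key until it is re-encrypted, and that an automated, versioned key ring with instant revocation is what makes rotation safe to operate. The ring tags every ciphertext with a key version ID, encrypts only under the current version, still decrypts under older non-revoked versions, and rejects a revoked version immediately. The cipher is a dependency-free stand-in (counter mode over HMAC-SHA256 plus an encrypt-then-MAC tag) chosen so the example runs on a bare interpreter; a real deployment would use an AEAD such as AES-GCM from a proper library. Key IDs, the `customer record` payload and the walkthrough are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def _derive(secret: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one stored secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _prf_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over HMAC-SHA256 as the PRF. Stand-in for a real AEAD; the same
    call both encrypts and decrypts because the keystream is XORed onto the data."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class KeyVersion:
    kid: str
    secret: bytes
    created: float
    revoked: bool = False


class KeyRing:
    """Encrypt under the current version; decrypt under any non-revoked version;
    re-encrypt to move stored data off an old version."""

    def __init__(self) -> None:
        self.versions: Dict[str, KeyVersion] = {}
        self.current: Optional[str] = None
        self.rotate()

    def rotate(self) -> str:
        """Automated rotation: mint a new version and make it current. Older versions
        stay usable for decryption until they are revoked or their data is re-encrypted."""
        kid = f"v{len(self.versions) + 1}"  # hypothetical versioning scheme
        self.versions[kid] = KeyVersion(kid, secrets.token_bytes(32), time.time())
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Instant revocation: the version stops working for everything, immediately."""
        self.versions[kid].revoked = True

    def encrypt(self, plaintext: bytes) -> dict:
        kv = self.versions[self.current]
        nonce = secrets.token_bytes(16)
        ct = _prf_stream(_derive(kv.secret, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(kv.secret, b"mac"), nonce + ct, hashlib.sha256).digest()
        return {"kid": kv.kid, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, blob: dict) -> bytes:
        kv = self.versions[blob["kid"]]  # KeyError if the version never existed
        if kv.revoked:
            raise PermissionError(f"key {kv.kid} is revoked")
        expected = hmac.new(_derive(kv.secret, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("ciphertext or tag was tampered with")
        return _prf_stream(_derive(kv.secret, b"enc"), blob["nonce"], blob["ct"])

    def reencrypt(self, blob: dict) -> dict:
        """Rotation only protects stored data once this runs for that data:
        decrypt under the old version, encrypt under the current one."""
        return self.encrypt(self.decrypt(blob))


def rotation_walkthrough() -> dict:
    """Records what each step observed so the effect of rotation, re-encryption
    and revocation can be checked rather than eyeballed."""
    ring = KeyRing()
    old_blob = ring.encrypt(b"customer record")
    ring.rotate()                                   # v2 is now current
    readable_after_rotate = ring.decrypt(old_blob) == b"customer record"
    new_blob = ring.reencrypt(old_blob)             # data moved onto v2
    ring.revoke("v1")                               # v1 now unusable, instantly
    try:
        ring.decrypt(old_blob)
        old_blob_after_revoke = "readable"
    except PermissionError:
        old_blob_after_revoke = "rejected"
    return {
        "current": ring.current,
        "old_blob_readable_after_rotate": readable_after_rotate,
        "reencrypted_under": new_blob["kid"],
        "old_blob_after_revoke": old_blob_after_revoke,
        "new_blob_after_revoke": ring.decrypt(new_blob),
    }


if __name__ == "__main__":
    for step, result in rotation_walkthrough().items():
        print(f"{step}: {result!r}")
```

The walkthrough makes the ordering explicit: after `rotate()` the old ciphertext is still fully readable by whoever holds v1, which is why rotation by itself does not protect existing data; `reencrypt()` is what moves the data onto the new key, and `revoke()` is what ends v1's usefulness to an attacker the moment compromise is suspected, independent of any rotation schedule.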