Why Rotate Privileged Account Passwords?
Rotating privileged account passwords is crucial for MSPs to mitigate risks from credential theft via malware such as PyXie RAT, phishing attacks, password reuse, and insider threats such as disgruntled former employees selling credentials. Even where MFA is used, it can be bypassed through various sophisticated attacks, so static passwords remain a significant security liability.
Leaving the passwords for privileged accounts static and configuring them to never expire is convenient and ensures that any system that depends on these accounts will continue to run without any intervention. For MSPs, doing this can leave your company and your customers at risk of credential theft. According to ZDNet, the PyXie RAT malware can steal passwords from technicians through keylogging and recorded videos.
Targeted phishing attacks can also obtain administrative credentials by impersonating login portals for online accounts such as Office 365 and Azure AD, so that technicians willingly hand over privileged credentials without realizing it. Static passwords are easier to crack because they never change, and if the same password is reused on another online system, a breach of that system exposes it.
Lastly, threats can also come from inside: technicians who are laid off or fired, still hold privileged credentials, and have malicious intentions. According to Huntress Labs, a former MSP technician attempted to sell all of their customers' administrator credentials on the dark web to the highest bidder.
Why rotate passwords when you use MFA?
MFA (multi-factor authentication) is an essential tool that adds an extra layer of security to protect your privileged credentials. Some argue that using MFA eliminates the need to rotate passwords. That being said, there is mounting evidence that MFA too can be defeated in a number of different ways, including man-in-the-middle attacks and network session hijacking, according to SecureWorld. Also, Proofpoint recently discovered a new vulnerability in Microsoft 365 that allows an attacker to bypass MFA. Thus, MFA alone is not a silver bullet, and MSPs and IT departments should treat it as one layer in a layered security strategy.
How often should I rotate passwords?
Ideally, passwords for privileged accounts should be rotated every time they are used or accessed by a technician, or at the very minimum when a technician leaves or is fired. This covers internal threats from malicious technicians, whether currently employed or fired by an MSP. However, it does not cover the case where the password was stolen by keylogging malware or a phishing attack. Thus, rotating passwords more frequently, such as daily or weekly on a scheduled basis, becomes much more essential.
How much does it cost to rotate passwords manually?
The concept of rotating privileged account passwords makes a lot of sense, but rotating all these passwords manually can be costly. Let us break this down. Here are the general steps a technician must do when they rotate a password for a privileged account in Active Directory or Azure AD (Office 365).
1. Look up documentation for the current resource password.
2. Access the resource via a remote control solution or web browser.
3. Log in.
4. Open Active Directory Users and Computers or Azure AD.
5. Locate the account to reset.
6. Choose a new password.
7. Perform the reset.
8. Update the password on the Windows service or scheduled task (if applicable).
9. Update the documentation.
10. Repeat steps 1 to 9 for the next privileged account.
Let’s assume this takes an average of 1 minute per password. According to Forrester Research, the average cost in technician time and resources is $25 per 15 minutes, or $100 USD per hour. The average cost of a manual password reset is therefore $1.67. Multiply that by the number of privileged accounts you manage to see what each full rotation of all your privileged account passwords costs. If your numbers are slightly different, substitute your own average time and cost to see where you land.
You could argue that if you only had to rotate passwords once a quarter or once a year, you would simply assign the work to a technician. But if you need to do this daily or weekly, costs would quickly spiral out of control and, let’s be honest, no one in their right mind would do this daily or weekly if it were a manual process. Also, when things are busy, this is the first task that gets postponed, and therefore it may be skipped and forgotten.
Why should I automate password rotation?
The numbers don’t lie. If you had to rotate all your privileged account passwords in Active Directory or Azure AD (Office 365) daily, weekly, or monthly, it would be cost prohibitive or, worse, would not get done, leaving your MSP or enterprise exposed even if you use MFA.
Automating these password rotations in a set-it-and-forget-it manner ensures they get done without manual intervention, delivering both the substantial savings and the protection your MSP or IT department needs.
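Steps 5 to 9 of the manual procedure above, automated for an Active Directory service account, as an added PowerShell example that is not CyberQP's code. It assumes the RSAT ActiveDirectory and Microsoft.PowerShell.SecretManagement modules, rights to reset the account, PowerShell remoting to the host, and the hypothetical names svc-backup, BackupAgent, Nightly Backup and app01.

```powershell
# Added example, not CyberQP's code: rotate one AD service account password and push
# it to the Windows service and scheduled task that run as that account.
# Assumes the RSAT ActiveDirectory module, rights to reset the account, PowerShell
# remoting to the host, the SecretManagement module, and the hypothetical names below.
param(
    [string]$SamAccountName = 'svc-backup',      # hypothetical service account
    [string]$ServiceName    = 'BackupAgent',     # hypothetical Windows service
    [string]$TaskName       = 'Nightly Backup',  # hypothetical scheduled task
    [string]$ComputerName   = 'app01'            # hypothetical host running both
)
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # 64-symbol alphabet so "byte % 64" is unbiased; bytes come from the OS CSPRNG.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}

$plain      = New-RandomPassword
$secure     = ConvertTo-SecureString -String $plain -AsPlainText -Force
$domainUser = "$((Get-ADDomain).NetBIOSName)\$SamAccountName"

# Step 9 first: record the new secret before anything changes, so a failure
# part-way through never leaves a password that nobody knows.
if (-not (Get-Command Set-Secret -ErrorAction SilentlyContinue)) {
    throw 'No secret vault available; refusing to rotate without recording the new password.'
}
Set-Secret -Name "AD/$SamAccountName" -Secret $secure

# Steps 6-7: reset the password in Active Directory (administrative reset, not a change).
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

# Step 8a: update the service logon credential via the Win32_Service Change method.
$svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
       -Filter "Name='$ServiceName'"
$r = Invoke-CimMethod -InputObject $svc -MethodName Change `
       -Arguments @{ StartName = $domainUser; StartPassword = $plain }
if ($r.ReturnValue -ne 0) { throw "Service credential update failed, code $($r.ReturnValue)" }
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Restart-Service -Name $using:ServiceName }

# Step 8b: update the scheduled task that runs as the same account.
Set-ScheduledTask -TaskName $TaskName -User $domainUser -Password $plain -CimSession $ComputerName

# Drop the plaintext copy as soon as the dependents are updated.
Remove-Variable plain
```

The vault write deliberately precedes the Active Directory reset, so if the service or task update fails the new password is still on record and the run can simply be retried. Scheduling this script, one run per privileged account, is what turns the ten manual steps into a daily or weekly job that costs nothing in technician time.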