CyberQP

Leaving privileged account passwords static can expose your organization to serious risks, from keylogging malware to internal threats. Regular password rotation, ideally automated, minimizes these vulnerabilities, ensuring a robust security strategy alongside MFA.

Secure Your Privileged Accounts: Rotate Passwords Regularly

Key Takeaways

  • Static passwords increase security risks.
  • Phishing attacks exploit unchanged credentials.
  • Password rotation mitigates internal threats.
  • MFA is crucial but not foolproof.
  • Automation saves cost and enhances security.

Why Rotate Privileged Account Passwords?


Leaving the passwords for privileged accounts static and configuring them to never expire is convenient and ensures that any system that depends on these accounts will continue to run without intervention. For MSPs, doing this can leave your company and your customers at risk of credential theft. According to ZDNet, the PyXie RAT malware can steal passwords from technicians through keylogging and recorded videos.


Targeted phishing attacks can also obtain administrative credentials by impersonating login portals for online accounts such as Office 365 and Azure AD, so that technicians willingly provide privileged credentials without realizing it. Static passwords are easier to crack since they never change, and if they are re-used from another online system, a security breach of that system puts them at risk.

Lastly, threats can also come from inside, from technicians who are laid off or fired, still have access to privileged credentials, and have malicious intentions. According to Huntress Labs, a former MSP technician attempted to sell all their customer administrator credentials on the dark web to the highest bidder.

Multi-factor authentication (MFA) is an essential tool that adds an extra layer of security to protect your privileged credentials. Some argue that using MFA eliminates the need to rotate passwords. However, there is mounting evidence that MFA too can be hacked in a number of different ways, including man-in-the-middle attacks and network session hijacks, according to SecureWorld. Also, Proofpoint most recently discovered a new vulnerability in Microsoft 365 that allows an attacker to bypass MFA. Thus, MFA alone is not a silver bullet, and MSPs and IT departments should consider it as one layer in a layered security strategy.


Ideally, passwords for privileged accounts should be rotated every time they are used or accessed by a technician, or at the very minimum when a technician leaves or is fired. This covers internal threats from malicious technicians, whether still employed or fired by an MSP. However, it does not cover a password stolen through keylogging malware or a phishing attack. That is why rotating passwords more frequently, such as daily or weekly on a scheduled basis, becomes much more essential.
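A read-only check for the situation described above: privileged Active Directory accounts whose password is set to never expire or is older than the chosen rotation interval. This is an added example, not CyberQP's code; it assumes the RSAT ActiveDirectory module, and the function name, group list and 7-day threshold are illustrative choices.

```powershell
# Added example: read-only audit, nothing in the directory is changed.
Import-Module ActiveDirectory   # RSAT ActiveDirectory module

function Get-StalePrivilegedAccount {
    param(
        # Assumption: replace with the groups that are privileged in your domain.
        [string[]]$GroupName = @('Domain Admins', 'Administrators'),
        # Assumption: 7 days corresponds to a weekly rotation schedule.
        [int]$MaxAgeDays = 7
    )

    $now  = Get-Date
    $seen = @{}   # de-duplicate users who are members of several groups

    foreach ($group in $GroupName) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $sid = $_.SID.Value
                if ($seen.ContainsKey($sid)) { return }   # skip to next pipeline item
                $seen[$sid] = $true

                $user = Get-ADUser -Identity $sid -Properties PasswordLastSet, PasswordNeverExpires

                $reasons = @()
                if ($user.PasswordNeverExpires) { $reasons += 'password never expires' }

                # PasswordLastSet is empty when no password-set time is recorded.
                if (-not $user.PasswordLastSet) {
                    $reasons += 'no PasswordLastSet value'
                } else {
                    $age = [int](($now - $user.PasswordLastSet).TotalDays)
                    if ($age -gt $MaxAgeDays) { $reasons += "password is $age days old" }
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        SamAccountName  = $user.SamAccountName
                        Enabled         = $user.Enabled
                        PasswordLastSet = $user.PasswordLastSet
                        Reason          = $reasons -join '; '
                    }
                }
            }
    }
}

Get-StalePrivilegedAccount | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

An empty result means every member of the listed groups has had its password changed within the interval and none is exempt from expiry.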


The concept of rotating privileged account passwords makes a lot of sense, but rotating all these passwords manually can be costly. Let us break this down. Here are the general steps a technician must perform when rotating a password for a privileged account in Active Directory or Azure AD (Office 365).

Let’s assume this takes an average of 1 minute per password. According to Forrester Research, the average cost in technician time and resources is $25 per 15 minutes, or $100 per hour (USD). The average cost of a manual password reset is then $1.67. Here is how much it would cost every time you need to manually rotate all your privileged account passwords. If your numbers are slightly different, feel free to input your own numbers for average time and cost to see where you land.


Password rotation


You could argue that if you had to rotate passwords once a quarter or once a year, you would just suck it up and assign the work to a technician. But if you need to do this daily or weekly, costs would quickly spiral out of control, and let’s be honest: no one in their right mind would do this daily or weekly if it were a manual process. Also, when things are busy, this is the first task that would get postponed, and it may therefore be skipped and forgotten.


The numbers don’t lie. If you had to rotate all your privileged account passwords in Active Directory or Azure AD (Office 365) daily, weekly or monthly, it would be cost-prohibitive or, worse, would not get done, leaving your MSP or enterprise exposed even if you use MFA.


Being able to automate these password rotations in a set-it-and-forget-it manner ensures they get done without manual intervention, delivering the substantial savings and protection your MSP or IT department needs.
