How often should you rotate passwords?

Password policies have changed over the last decade, but do we really need to rely on humans to update passwords anymore?


I hate wasting brain space trying to remember so many different passwords. 


Bank accounts, new insurance accounts every time I switched jobs, social media profiles, streaming services, shopping apps, games, online communities. 


One-off personality tests that I might revisit someday to remember what little nugget of information helped me feel seen.


That’s just in my personal life. Don’t get me started on the list of apps I’ve used for work. I’m a marketer. Have you seen the growth of the martech landscape? Tons of new tools to explore.



Back in the day, if apps didn’t support single sign-on, what did I have to do? I’d take an old password and replace letters with numbers or special characters. If I was feeling particularly confident in my memory skills, I even changed which letters were capitalized.


“Wow, Ashleigh. You’re in cybersecurity. Shouldn’t you be doing better?” I know, I know. It’s terrible practice. I’m only human. And I know I’m not alone.


A 2010 study on password expiration at the University of North Carolina at Chapel Hill found that people who were required to change their passwords frequently ended up selecting weaker passwords to begin with, and then changing them in predictable ways that attackers can guess easily.
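A defender-side check that illustrates that finding, added here as an example and not code from the original post or from Cerby: it normalizes away the cheap transforms described above (case changes, letter-to-digit or symbol swaps, appended counters) and rejects a new password that is only a predictable mutation of the old one. The substitution table and the edit-distance threshold are assumptions, not values from the post.

```python
import re

# Character swaps people commonly apply when forced to rotate (constructed table).
# Mapping each one back to a letter undoes the trick before comparing passwords.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Strip the cheap transforms: lower-case, drop digits/symbols glued to
    either end (e.g. 'Summer2023!' -> 'summer'), then undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so 'winter' vs 'wintre' is still caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a predictable mutation of the old one:
    identical cores, one core embedded in the other, or cores within
    max_edits single-character changes (threshold is an assumption)."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False  # nothing alphabetic to compare; leave it to other checks
    if a == b or a in b or b in a:
        return True
    return edit_distance(a, b) <= max_edits


if __name__ == "__main__":
    # Constructed sample rotations, the kind the study describes.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Password1", "P@$$w0rd2"),
                     ("Password1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: rejected={is_predictable_rotation(old, new)}")
```

A password manager that generates random strings sidesteps this check entirely, which is the point of the next paragraphs.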


This is why NIST and other security leaders highly recommend using password managers in lieu of mandating password rotations for non-critical, non-privileged accounts. The everyday person doesn’t have the capacity to care enough to completely reinvent and remember new passwords every 3-4 months for the dozens of apps they use. I definitely didn’t. In fact, password managers that could generate random passwords for me completely changed my approach to signing up for new subscriptions.


Password managers fill a need. They vault what would typically be memorized so that your brain capacity can be spent on other more important and valuable things. You could sign up for new subscriptions and generate new passwords until you’re blue in the face. 


Until suddenly, you find your credentials on the dark web due to a data breach. Now you have to go through the hassle of changing your password, updating the entry in your password manager, and remembering to hit save. 


I have, on more than one occasion, forgotten to hit save, forcing me to waste time on the “Forgot password” sequence of events. Wait for the email, click on the link, generate a new password, make sure it hits the strength requirements, and hit save in the app and in my password manager. By the end, I feel a few brain cells lighter with all motivation to maintain good security hygiene gone. Poof.


What if, at least for your work apps, you could simply automate password rotations, end-to-end, without having to remember to hit save or adjust generated passwords to fit funky strength requirements? Password rotation automation already exists for Privileged Access Management (PAM) solutions. It’s time to extend that automation to more than just critical infrastructure authentication, especially when 74% of breaches are attributed to the human element (Verizon DBIR, 2023).


Here at Cerby, we consider this one of the many aspects of securing the last mile of identity. Identity and access management (IAM) is one of the few areas in identity-first security strategies where we get the opportunity to significantly improve the user experience for the workforce. Single sign-on (SSO) is one of those charming examples, paving a way for security and IT to rebrand internally at organizations.

Read more about how we’re solving this last mile of identity for nonstandard applications, including corporate identity on social media.