password rotation

  • 26 June 2019
  • 3 replies

Hello Support

It would be great if we could force our customers to change their password on a time-range basis, i.e. every month. It would greatly improve security, as we are pretty sure some of our customers have never changed their password/security code.

I don't have Webroot's password manager, but it was my understanding that it was based on LastPass. If I'm wrong, someone please say so. However, if I'm right, then there is an option in the Enterprise edition of LastPass that does exactly what you want. The question would then be: did this option get carried over to Webroot's password manager? Unfortunately, I can't answer that, but support might be able to. I suggest submitting a support ticket and seeing if it's available.

Just as a matter of security: your example was forcing a change every month. Security experts don't suggest this approach because it will produce bad security hygiene in your environment. Here is how that happens:
  1. January = Creativity#12
  2. February = Creativity#23
  3. March = Creativity#34
  4. April = Creativity#45
  5. May = Creativity#56
  6. June = Creativity#67
  7. July = Creativity#78
  8. August = Creativity#89
  9. September = Creativity#90
  10. October = Creativity#01
  11. November = Creativity#19
  12. December = Creativity#28
Notice that the word and special character in the password stay the same; only the numbers change. This is because employees don't want to remember a new password constantly, so they only modify a small portion of the password they are using. A better solution is to force a change every 6 months or once a year. If you have to have a shorter time frame between changes, I don't suggest anything less than every 3 months. Remember, being over-secure can be just as bad as being insecure.

Also, don't forget to vote on your own idea. The system doesn't automatically vote on the poster's behalf.

Good Luck,
Hello Nic

My request was about the login credentials in Webroot Global Site Manager; those should be changed frequently to prevent abuse by an attacker who has, in some way, acquired them.

Thanks for the suggestion about voting, I just voted for my own idea.


Sorry, I completely misunderstood! In that case, your idea is valid. However, I still stand by my point about changing the password too often. Though, having a way to force the site's users to reset their password on a schedule would be a useful tool. Not only would I suggest a change every 6 months or once a year, but I would also suggest that the policy not allow the following:
  1. Reuse of the last x passwords, x being a number you can set, e.g. 1-10.
  2. Reuse of part of a password that was used in those last x passwords. This is how LastPass solves the problem of my previous post's example: it keeps the user from using the word "Creativity" in those x passwords.
I hope those suggestions were more in line with what you're needing, and again I'm sorry for the confusion. 🤔 Congrats on voting! 👍
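The two rules proposed in the last reply, applied to the monthly "Creativity#NN" sequence from the earlier reply, as an added example. This is not code from the thread, from Webroot, or from LastPass; the function and type names (`stem`, `record`, `violates`, `check_sequence`, `HistoryEntry`) are hypothetical, and the `MONTHLY` list is sample input constructed from the thread's own example. It keeps only salted KDF outputs of each past password and of its letters-only "word part", so older plaintexts never need to be stored, and shows that an exact-reuse rule alone accepts every entry of the sequence while the word-part rule rejects everything after the first.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example with hypothetical names; not Webroot's or LastPass's code.
# Rule 1: reject any of the last N passwords.
# Rule 2: reject a password whose word part (letters only, lowercased) matches
#         the word part of any of the last N, so Creativity#12 -> Creativity#23 fails.
# Only salted KDF outputs are kept in history, never old plaintexts.

ITERATIONS = 10_000  # kept low so the example runs quickly; use far more in production


def stem(password: str) -> str:
    """Letters only, lowercased: 'Creativity#12' -> 'creativity'; '#12' -> ''."""
    return re.sub(r"[^a-z]", "", password.lower())


def _kdf(salt: bytes, value: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)


@dataclass(frozen=True)
class HistoryEntry:
    salt: bytes
    pw_hash: bytes    # KDF(salt, password)
    stem_hash: bytes  # KDF(salt, stem(password)), or b"" when the stem is empty


def record(password: str) -> HistoryEntry:
    """Turn a newly accepted password into a history entry (no plaintext kept)."""
    salt = os.urandom(16)
    s = stem(password)
    return HistoryEntry(salt, _kdf(salt, password), _kdf(salt, s) if s else b"")


def violates(new_password: str, history: List[HistoryEntry],
             last_n: int = 10, block_stem_reuse: bool = True) -> Optional[str]:
    """Return why new_password breaks the policy, or None if it is acceptable."""
    window = history[-last_n:] if last_n > 0 else []  # last_n=0 disables history
    new_stem = stem(new_password)
    for entry in window:
        if hmac.compare_digest(_kdf(entry.salt, new_password), entry.pw_hash):
            return f"reuses one of the last {last_n} passwords"
        if (block_stem_reuse and new_stem and entry.stem_hash
                and hmac.compare_digest(_kdf(entry.salt, new_stem), entry.stem_hash)):
            return f"reuses the word part of one of the last {last_n} passwords"
    return None


def check_sequence(passwords: List[str], last_n: int = 10,
                   block_stem_reuse: bool = True) -> List[Optional[str]]:
    """Simulate a user rotating through `passwords`; accepted ones enter history."""
    history: List[HistoryEntry] = []
    verdicts: List[Optional[str]] = []
    for pw in passwords:
        reason = violates(pw, history, last_n, block_stem_reuse)
        verdicts.append(reason)
        if reason is None:
            history.append(record(pw))
    return verdicts


# The monthly pattern quoted in the thread (constructed sample input).
MONTHLY = ["Creativity#12", "Creativity#23", "Creativity#34", "Creativity#45",
           "Creativity#56", "Creativity#67", "Creativity#78", "Creativity#89",
           "Creativity#90", "Creativity#01", "Creativity#19", "Creativity#28"]

if __name__ == "__main__":
    print("exact-reuse rule only:", check_sequence(MONTHLY, block_stem_reuse=False))
    print("with word-part rule:  ", check_sequence(MONTHLY))
```

Two caveats for anyone adapting this: the word part of a password has far less entropy than the password itself, so the KDF work factor on `stem_hash` matters at least as much as on `pw_hash`; and the letters-only normalisation is deliberately coarse (it catches "Creativity#23" but not "Creativity2#23"), because anything finer, such as substring comparison, needs the old plaintext, which is only available for the current password at the moment the user authenticates to change it.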