What is password rotation?
The password rotation feature is based on Secrets and allows users to securely store their account passwords in the platform and have them changed automatically at regular intervals. It is designed to improve account security and help users avoid the risks of weak passwords and of using the same password for long periods of time.
Why is it important to change your password regularly?
Password rotation is critical to the security of user accounts. Using a strong password is a good start, but keeping the same password for a long time is risky, especially if that password is leaked or the account is compromised. By regularly changing the password, Mavis's Secret-based zero-trust architecture adds a further layer of protection.
How Mavis’s password rotation mechanism works:
For the secret, there are two different update methods:
Static: Mavis stores the password you enter and uses it for connections.
Rotatable: Mavis uses your password to log in to the device according to your settings and changes the password of that account.
When you set the secret update method to rotatable, you need to provide the rotation interval and expected password strength.
After the setting is completed, the system will automatically change the password regularly (for example, every month or every two months) according to the user's settings.
When the password is changed, the system generates a new random password (according to your settings) and uses a secure, encrypted method to replace the password on all related devices.
After all rotation is completed, the results will be displayed in the audit log.
Notes
We strongly recommend that you complete the break glass settings in advance. After the secret is deleted, you can still extract the replaced password from the break glass file.
(v1.16.0) Key rotation is not supported for Linux devices connected via proxy.
If you want to add a device to, or remove a device from, the password rotation of any rotatable secret, you also need to set the break glass settings in advance.
If the rotation cycle unit is month and the day is set to 31, and the next month has no 31st, the rotation is automatically brought forward to the 29th or 30th.
Definition of successful rotation: password rotation is completed on all devices.
Rotation failure: if any device fails, the secret's rotation is considered failed, and the secret will not proceed to the next scheduled rotation.
Users can view their password rotation history and results through the audit log at any time.
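The scheduling and success rules above, as an added illustration that is not Mavis code: the month-end rule (day 31 brought forward to the last day of a shorter month), a new random password generated to the configured strength, and the all-or-nothing outcome in which any failed device marks the whole rotation failed. The device names and the simulated password-change callback (standing in for the real SSH/SFTP change) are assumptions.

```python
# Constructed illustration of the rotation rules described above; not Mavis
# code. Device names and the change_password callback are assumptions.
import calendar
import secrets
import string
from datetime import date

def next_rotation_date(last: date, cycle_months: int, day_of_month: int) -> date:
    """Next rotation `cycle_months` after `last`. If the target month has no
    such day (31 in a 30-day month, or in February), the rotation is brought
    forward to the last day of that month."""
    idx = last.month - 1 + cycle_months
    year, month = last.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day_of_month, last_day))

def generate_password(length: int, use_upper: bool = True,
                      use_digits: bool = True, use_symbols: bool = True) -> str:
    """Random password from the OS CSPRNG, per the configured strength settings."""
    alphabet = string.ascii_lowercase
    if use_upper:
        alphabet += string.ascii_uppercase
    if use_digits:
        alphabet += string.digits
    if use_symbols:
        alphabet += "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate_secret(devices, change_password, length: int = 20) -> dict:
    """Push one new password to every device. The secret counts as rotated only
    when every device succeeds; any failure marks it failed, and the next run
    must not be scheduled until the failed devices are retried."""
    new_password = generate_password(length)
    results = {}
    for device in devices:
        try:
            change_password(device, new_password)
            results[device] = "ok"
        except Exception as exc:  # e.g. cannot connect, insufficient permissions
            results[device] = f"failed: {exc}"
    failed = [d for d, r in results.items() if r != "ok"]
    return {"success": not failed, "failed_devices": failed,
            "results": results, "new_password": new_password}

def simulated_change_password(unreachable):
    """Constructed stand-in for the real SSH/SFTP password change: raises for
    devices listed in `unreachable`, succeeds for the rest."""
    def change(device, new_password):
        if device in unreachable:
            raise ConnectionError(f"{device}: unable to connect")
    return change
```

The `new_password` kept in the result is what a per-device retry must reuse, since the devices that succeeded already hold it.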
FAQ
Q: Can I stop the rotation?
A: Yes, you can change the secret's update method to static after the rotation is completed. None of the access services or devices will be affected. However, if a device rotation has failed, users are not allowed to delete the secret or change its update method.
Q: What protocols does password rotation support?
A: SSH and SFTP.
Q: What formats does password rotation support?
A: Currently only the account-and-password format is supported. Key pairs are not yet supported.
Q: Can I still connect through the key during the password rotation process or if it fails?
A: Yes, password rotation has no impact on the user's connection.
Q: What should I do if a device fails to update its password?
A: You can retry by clicking on the failed device in the secret detail.
Q: Under what circumstances will the password update fail?
A: A password update can fail for many reasons, such as insufficient system permissions or an inability to connect to the device. If an unknown error occurs, check the audit log for more detailed information.
Q: Will manual rotation affect scheduled rotation?
A: No. Mavis records the time the last key rotation was completed, including manual rotations. The scheduled rotation is still based on the settings you made.
Q: Can the key settings be replaced during the rotation process?
A: Yes, but the device being rotated will use the parameters in effect when the rotation started (password length, capitalization, etc.); changes made during the rotation process take effect in the next rotation.
Q: Why is key rotation not available for Linux devices connected via proxy?
A: In version v1.16.0, key rotation is not supported for Linux devices connected via proxy. This limitation is due to the current architecture, which does not allow direct key rotation for devices connected via proxy. If key rotation is required, make sure the device is not connected via proxy.