All articles

Passbolt’s New Automation of Shared Passwords Expiry

4 min. read

Vivien Muller

Vivien Muller

12 February, 2024

Passbolt’s latest Password Expiry feature is a straightforward and effective tool to improve the security of your shared passwords. It introduces automated expiry, along with visual alerts, email notifications and policies for enhanced collaborative password management. It is especially helpful in environments where forward secrecy is needed.

What is “forward secrecy”?

Imagine there's a user who was part of a group that had access to some resources, let's say a set of credentials to access some servers. When this user gets removed from the group, passbolt will delete their version of the encrypted credentials and prevent access to new entries for that group. This is what's known as "forward secrecy" – from that point on, they can't see any old or new passwords.

However, here's the twist: before they got booted from the group, they might have made copies of the passwords, maybe saved them locally or elsewhere. So, even though they can't see new passwords, they may still have access to the old ones.

Now, if this kind of situation aligns with the threat model of Passbolt – meaning, unlike most password managers, Passbolt considers "forward secrecy" issues as security risks that need to be addressed. Specifically, on top of removing access cryptographically, it is also recommended to enforce a credential reset whenever someone's access to a shared resource is revoked.

The Challenge of Password Rotation in Teams

The necessity to rotate shared passwords is a best practice of secure access management  and also required for information security compliance. Manually tracking and updating multiple passwords across multiple users and groups is time-consuming and error-prone. Therefore having a simple well defined automated process is pertinent in scenarios such as off-boarding team members or after granting temporary access to certain systems.

Fig. 1 The resource workspace with expired resources (source: Chrome)

Passbolt’s New Automated Password Expiry

Passbolt's latest Password Expiry feature automates the password rotation process for users and administrators, significantly reducing the risk of outdated or compromised credentials. It transforms a traditionally labor-intensive and often neglected security practice into a streamlined, fail-safe process, crucial for maintaining the integrity of your shared identity authentication resources. It reduces the administrative overhead and helps reduce the overall attack surface.

For teams utilizing Passbolt Community Edition (CE), the added Password Expiry feature offers fundamental capabilities to your organization:

Automated Expiry on Access Revocation: When a user access to a resource is revoked, the it is marked as expired, ensuring immediate attention is drawn to these credentials. This will work whether a user is removed entirely from the system, or removed from group, or lose access via a change in a folder or direct permission, catering for all the different scenarios.

Expiration Alerts: when a credential needs to be rotated, an email notification will be sent to the password owners. Expired credentials will also present a small warning icon on-screen, signaling the need to update it.

Owner-Controlled Expiry Reset: Password owners can automatically reset the expiry status after updating a password, maintaining smooth password hygiene.

Fig. 2 The administration password expiry settings - Passbolt Pro (source: Chrome)

Passbolt Pro Edition contains all the Password Expiry features present in the Community Edition and extends them with advanced functionalities:

Password Expiry Policies: Administrators can set default expiry periods for new passwords, establishing a proactive approach to password rotation.

Advanced Notifications for Expiry: Notifications are sent before a password's expiry date, allowing teams to plan and act before falling out of compliance.

Intuitive User Interface: Users can view, set, and adjust expiry dates directly from the main password workspace grid, ensuring a user-friendly experience.

Flexible Policy Adaptation: Users can manually adjust expiry dates to align for example with a project timeline or specific security requirements.

Fig. 3 Manually setting a password expiry date (source: Chrome)

The Business Benefits of Passbolt's Password Expiry Feature

Forrester's research shows that each manual password reset can cost around $70, leading to large enterprises spending over $1 million annually on password-related support. Passbolt steps in to tackle this financial burden head-on by automating password generation and expiry.

Enhanced Security: Security is non-negotiable in today's digital landscape. Passbolt's automated password expiry feature fortifies your defenses, reducing the likelihood of costly security breaches that could damage your business reputation and bottom line.

Increased Efficiency: Automated alerts and easy-to-manage expiry settings significantly reduce the administrative workload, thereby lowering costs associated with manual labor and allowing teams to focus on their core responsibilities.

Improved Compliance: Passbolt's ability to enforce and track password rotations simplifies adherence to various standards, mitigating the risk of fines and minimising resource drain associated with security incidents.

Adoption Ease: To enhance the adoption rate of essential security features, Passbolt's Password Expiry caters to the varied workflows of teams, balancing strong security with user convenience to maximize all the business benefits of the new feature.

Try the New Password Expiry

The basic password expiry feature is now live in the Passbolt Community Edition. And guess what? For those craving even more advanced functionalities, administrators can dive into the Passbolt Pro Edition, offering a whole new level of password management collaboration.

But we're not just here to tell you about it – we want you to get hands-on! We encourage all users to give this feature a try, share your thoughts, and chat with us on the community forum. And a big shoutout to our amazing Passbolt community for helping shape this feature! 

Together, let's keep Passbolt at the forefront of collaborative password management solutions.