
Ask HN: Articles about key rotation being worthless

2 points| brokenwren | 4 years ago

I need some articles with respect to why the current key rotation recommendations do very little to improve security overall. Given that NIST recommends 1-2 years and others recommend 90-180 day windows, this still gives a disgruntled employee or some other attacker a LOT of time to hack you if they have access to an API key or private key. Does anyone have links to good articles/blogs/white-papers/research about this problem?

7 comments


detaro|4 years ago

That's primarily an argument to rotate keys quicker - computers don't care that they have to remember new passwords all the time (which is the main argument against password change requirements: it encourages bad practices from users), so you can do schemes like OAuth2's Refresh Tokens. (and even slow-ish rotation helps with keys forgotten in random places)
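
An added example, not code from any commenter, illustrating the point above that machines can tolerate very frequent rotation: a versioned key ring that mints a new HMAC signing key every hour, accepts the previous key only for a short grace window so in-flight tokens survive the rollover, and rejects anything signed with a key that has aged out. The class name, the hourly and five-minute periods, and the sample request string are all assumptions constructed for the demo.

```python
"""Versioned key ring with automatic rotation and a bounded verification window.

Added example (not from the thread). Each key carries a numeric version ("kid");
signing always uses the newest key, verification accepts a key only while it is
inside rotation_period + grace_period, so a leaked key stops being useful soon
after the next rotation instead of months later.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyRing:
    rotation_period: int  # seconds between rotations (assumed: 3600 in the demo)
    grace_period: int     # seconds an old key remains valid for verification
    keys: dict = field(default_factory=dict)  # kid -> (secret, created_at)
    next_kid: int = 0

    def rotate(self, now: int) -> int:
        """Mint a new key and drop any key that is past rotation + grace."""
        kid = self.next_kid
        self.keys[kid] = (secrets.token_bytes(32), now)
        self.next_kid += 1
        self._expire(now)
        return kid

    def _expire(self, now: int) -> None:
        cutoff = now - (self.rotation_period + self.grace_period)
        newest = self.next_kid - 1
        for kid in list(self.keys):
            if kid != newest and self.keys[kid][1] < cutoff:
                del self.keys[kid]

    def maybe_rotate(self, now: int) -> None:
        """Rotate automatically once the newest key is older than rotation_period."""
        latest = max(self.keys, default=None)
        if latest is None or now - self.keys[latest][1] >= self.rotation_period:
            self.rotate(now)

    def sign(self, message: bytes, now: int) -> str:
        self.maybe_rotate(now)
        kid = max(self.keys)
        secret, _ = self.keys[kid]
        tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return f"{kid}.{tag}"

    def verify(self, message: bytes, token: str, now: int) -> bool:
        self.maybe_rotate(now)
        kid_str, _, tag = token.partition(".")
        try:
            kid = int(kid_str)
        except ValueError:
            return False
        entry = self.keys.get(kid)
        if entry is None:
            return False  # key already rotated out: reject regardless of signature
        secret, created = entry
        if now - created > self.rotation_period + self.grace_period:
            return False  # key is past its grace window
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def demo():
    """Walk one token through a rotation; returns (verification results, live kids)."""
    ring = KeyRing(rotation_period=3600, grace_period=300)
    msg = b"GET /v1/secrets"  # constructed sample request, not a real endpoint
    token = ring.sign(msg, now=0)  # signed with kid 0 at t=0
    results = {
        "same_hour": ring.verify(msg, token, now=3500),            # kid 0 still current
        "tampered": ring.verify(b"GET /v1/other", token, now=3500),  # wrong message
        "just_after_rotation": ring.verify(msg, token, now=3700),  # kid 1 minted, kid 0 in grace
        "after_grace": ring.verify(msg, token, now=4000),          # kid 0 aged out
    }
    return results, sorted(ring.keys)


if __name__ == "__main__":
    print(demo())
```

The verification window, not the signing schedule, is what bounds the attacker: a stolen key from this ring is rejected roughly an hour and five minutes after it was issued, whatever the client that used it is doing.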

brokenwren|4 years ago

I completely agree. But even at 15 or 30 days, it's too long. The only way to protect a key would be to rotate it every day or every hour.

yuppie_scum|4 years ago

Just rotate your damn keys. Easy these days with KMS, Vault etc.

brokenwren|4 years ago

I agree with you, but it should be WAY faster than every 90 days. I'm trying to find articles that address the fact that NIST and others are worthless since they recommend every 1-2 years.