
Credential rotation checklist

Why rotate credentials?

Regularly changing passwords and keys reduces the risk of compromised accounts. IllusionCloud recommends rotating credentials whenever you:

  • Complete your first login.
  • Add or remove team members.
  • Suspect your server was accessed unlawfully.
  • Reach a periodic rotation interval (e.g., every 90 days).

Rotation checklist for Linux VPS

  • Change root password: log in via SSH and run passwd.
  • Create & rotate SSH keys: generate a new key pair locally with ssh-keygen and replace the old public key in ~/.ssh/authorized_keys. Remove old keys once new keys are confirmed.
  • Update sudo user passwords: change passwords for non‑root users who have sudo privileges.
  • Update application passwords: if you installed services (databases, control panels), reset their admin passwords.
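
The SSH key step above, as an added example (not IllusionCloud's own tooling): the new public key is appended first, and the old one is removed in a separate step once a login with the new key has been confirmed. The function names and file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: two-step SSH key rotation on an authorized_keys file.
# Function names and file arguments are illustrative.

# Print the base64 key blob of the first key in a file: the field that
# follows the key type (ssh-ed25519, ssh-rsa, ecdsa-..., sk-...).
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$1"
}

# Succeed if FILE ($1) contains the key blob ($2) as a whole field.
has_blob() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                   END { exit !f }' "$1"
}

# Step 1: add_key FILE NEW_PUB. Append the new public key once.
add_key() {
    file=$1; blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "no public key in $2" >&2; return 1; }
    touch "$file" && chmod 600 "$file" || return 1
    has_blob "$file" "$blob" && return 0
    # Do not glue the new key onto an unterminated last line.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    cat "$2" >> "$file"
}

# Step 2: remove_key FILE OLD_PUB. Run only after a login with the new
# key has been confirmed. Matches on the key blob, not the comment.
remove_key() {
    file=$1; blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "no public key in $2" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Keep every line without the old blob; count surviving key lines.
    if awk -v b="$blob" '
        { drop = 0; for (i = 1; i <= NF; i++) if ($i == b) drop = 1 }
        !drop { print; if ($0 !~ /^[ \t]*#/ && NF > 0) kept++ }
        END { exit (kept > 0 ? 0 : 1) }' "$file" > "$tmp"
    then
        cp -p "$file" "$file.bak" && chmod 600 "$tmp" && mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "refusing: no key would remain in $file" >&2; return 1
    fi
}
```

On the server, FILE is ~/.ssh/authorized_keys. Keep the existing SSH session open and test the new key from a second terminal before running the removal step.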

Rotation checklist for Windows VPS

  • Change Administrator password: log in via RDP and use Ctrl+Alt+End → Change a password, or the Computer Management snap‑in.
  • Create a new administrative user: create a second account with administrative privileges, then disable RDP login for the built‑in Administrator to reduce brute‑force attacks.
  • Update service passwords: update saved credentials in scheduled tasks, IIS application pools, databases, etc.

General guidelines

  • Use long, complex passwords and unique passphrases.
  • Store credentials securely using a password manager.
  • Remove obsolete accounts or keys when team members leave.
  • Update saved credentials in remote desktop clients, SSH configs, or automation scripts.
  • Document your rotation schedule and keep audit logs of who changed credentials and when.
  • If you lose access after rotating credentials, use the console access provided via the Client Area to regain access.