# Best practices for managing password desynchronization Cerby securely manages and rotates application passwords for users. Password desynchronization occurs when Cerby stores one password, but the target application expects a different one. When this happens, users may experience login failures, and automated password rotation may not work as expected. The following scenarios describe where password desynchronization is most likely to occur and the actions you can take in Cerby to prevent it: * [User deactivated and later reactivated](#user-deactivated-and-later-reactivated) * [Access revoked without credential cleanup](#access-revoked-without-credential-cleanup) * [Manual password changes outside of Cerby](#manual-password-changes-outside-of-cerby) The following sections explain each scenario, its impact, and the suggested steps to recover from and prevent it. *** ## User deactivated and later reactivated When a user is deprovisioned, whether removed from the identity provider (IdP) or directly from a downstream application, the affected application may disable the account or invalidate the password based on its own policies or configuration. By design, Cerby does not automatically restore a user's original accounts when they are reactivated, because their access grants may have changed. ### Impact * Users cannot log in after reactivation. * During the user's deactivation, the downstream app may have disabled or suspended the account natively. If Cerby later attempts to run an automated password rotation job, it may fail because the account is no longer accessible. * The downstream application may invalidate the previous password because of inactivity or its own security policies. Because Cerby's automated rotation process typically requires the current stored password to set a new one, the application may reject the attempt as an invalid login. ### How to recover A workspace **Admin**, **Super Admin**, or account **Owner** can take the following actions: * Trigger password rotation after user deprovisioning to ensure Cerby retains the latest password and the deactivated user is unable to log in. * Confirm the user account is active in the app. * Re-run access provisioning workflows. {% hint style="danger" %} **IMPORTANT:** If Cerby's password rotation fails for the account, contact . {% endhint %} ### Prevention * Treat user reactivation as a new access event. * Always rotate or verify passwords after offboarding and onboarding users. *** ## Access revoked without credential cleanup This scenario occurs when a user's access is removed in Cerby, but the downstream application account or password remains active. If access to a credential is removed in Cerby without rotating or disabling the downstream credential, that credential becomes "unmanaged". Cerby no longer rotates or monitors the password, and native changes may occur without Cerby's involvement. This scenario might typically happen if: * An application has an automatic password expiration policy, such as a 90-day password expiration policy, that continues while the account is unmanaged. * The account no longer has a designated **Owner** to manage its lifecycle. ### Impact * Cerby attempts to use the last known password on file, but the downstream application rejects it because the password was changed natively while Cerby was no longer managing it. * Users may have access to the account but still be unable to log in. * Support requests may increase. ### How to recover Account **Owners** must take the following actions: * Perform a complete password reset in the downstream application, then update the password in Cerby. * Re-onboard the credential if required. * Validate the login before restoring access broadly. ### Prevention * Align access revocation with credential lifecycle actions. * Use standardized offboarding workflows. * Ensure accounts always have an **Owner**. Workspace **Admins** can use the [Security Hub](https://help.cerby.com/setup-and-admin/security-governance/security-hub) to identify orphaned accounts, assign new **Owners**, and help keep passwords valid. *** ## Manual password changes outside of Cerby This scenario occurs when an administrator changes the password directly in the downstream application instead of through Cerby. As a result, Cerby stores an outdated password, which may later cause conflicts during login or rotation. ### Impact * Login failures. * Unexpected password resets. * Rotation conflicts. ### How to recover Account **Owners** must take the following actions: * Reset or re-sync the password using Cerby. * Update the password manually in Cerby. * Confirm Cerby is managing the credential again. ### Prevention * Restrict manual password changes in the app, where possible, using [Cerby's app settings restrictions](https://help.cerby.com/setup-and-admin/workspace-settings/extension-settings/app-setting-restrictions/explore-app-setting-restrictions) to prevent external password modifications made directly in the app. * Avoid changing application passwords outside of Cerby whenever possible. * Educate admins and users to avoid manual password resets. *** ## Best practices for preventing password desynchronization To reduce password desynchronization, use your identity provider (IdP) or identity governance and administration (IGA) solution to manage identity lifecycle events, and use Cerby to manage and rotate downstream application passwords. Follow these best practices: * Use standardized user offboarding and re-onboarding workflows through the appropriate IdP or IGA solution. * Treat any instance of re-adding, reactivating, or restoring access as a potential password reset event. * Rotate or verify passwords after major admin and account **Owner** changes. * Configure [Cerby's app settings restrictions](https://help.cerby.com/setup-and-admin/workspace-settings/extension-settings/app-setting-restrictions/explore-app-setting-restrictions) to prevent external password modifications made directly in the app. * Regularly monitor password health, rotation logs, and login success. * Enable Cerby to rotate passwords after users are deprovisioned from the IdP. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.cerby.com/tips-and-troubleshooting/best-practices/accounts/best-practices-for-managing-password-desynchronization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.