Credential Hygiene

Credential hygiene is the discipline of creating, storing, using, and separating passwords and secrets in a controlled way. It includes avoiding reuse, keeping work and personal accounts separate, and making the governed path easy enough that people do not work around it.

Expanded Definition

Credential hygiene is more than password discipline. In the NHI context, it means governing how secrets, API keys, certificates, tokens, and passwords are created, rotated, stored, and separated so that one compromise does not cascade across systems. Good practice draws a clear line between human accounts and machine identities, and between interactive access and automated execution. The operational aim is simple: make the approved path safer and easier than shadow methods, so engineers do not reuse credentials, copy them into tickets, or place them in scripts.

Definitions vary across vendors on how broad the term should be. Some use it narrowly for password handling, while others include storage, distribution, rotation cadence, and separation of duties for all secrets. NHI Management Group treats credential hygiene as a control discipline, not a one-time behavior. That aligns with the OWASP Non-Human Identity Top 10 and with identity assurance concepts in the NIST SP 800-63 Digital Identity Guidelines. The most common misapplication is treating credential hygiene as a user-training problem, which occurs when teams ignore automated secret handling and rely on policy alone.

Examples and Use Cases

Implementing credential hygiene rigorously often introduces friction for developers, requiring organisations to weigh speed of delivery against the cost of tighter secret controls.

  • A platform team stores production API keys in a managed secrets system rather than in source code, aligning with the guidance in Guide to the Secret Sprawl Challenge.
  • An engineering group uses separate credentials for CI/CD runners, cloud automation, and personal admin access, reducing the blast radius if one path is exposed.
  • A security team replaces long-lived shared passwords with short-lived tokens and dynamic secrets, a pattern discussed in Ultimate Guide to NHIs and Static vs Dynamic Secrets.
  • A software supplier removes hardcoded credentials from build artifacts after a supply chain review, using lessons seen in the Reviewdog GitHub Action supply chain attack.
  • A cloud operations team enforces separate identities for each environment, so test, staging, and production do not share the same keys or certificates.
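The separation and rotation rules in the definition and the use cases above can be checked mechanically. The audit below is an added example, not tooling from NHI Management Group or from any vendor the page names: it walks a constructed credential inventory and flags the failures the list describes, a secret value reused across environments or identities, a secret shared between a human and a machine identity, and a value past its rotation cadence. The inventory records, the fingerprinting of secret values, and the MAX_AGE_DAYS policy are all assumptions made for the example.

```python
"""Credential-inventory hygiene audit.

Added example, not code from NHI Management Group or any named vendor. It assumes a
constructed inventory in which each credential records the identity holding it, whether
that identity is human or machine, the environment it is used in, a fingerprint of the
secret value (so reuse is detected without the audit ever seeing plaintext), and its age.
The rotation cadences in MAX_AGE_DAYS are a hypothetical policy, not a standard's values.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Credential:
    name: str          # label for the credential record
    owner: str         # identity that holds it (person, service account, runner)
    kind: str          # "human" or "machine"
    environment: str   # "prod", "staging", "test"
    fingerprint: str   # truncated SHA-256 of the secret value, never the value itself
    age_days: int      # days since the value was last rotated


def fingerprint(secret: str) -> str:
    """Derive a comparable fingerprint so the inventory never stores plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Hypothetical rotation policy: machine secrets rotate faster than human passwords.
MAX_AGE_DAYS = {"human": 90, "machine": 30}


def audit(inventory):
    """Return (code, affected_names, detail) findings for hygiene violations."""
    findings = []

    # Group by fingerprint: identical fingerprints mean the same secret value is reused.
    by_fp = defaultdict(list)
    for cred in inventory:
        by_fp[cred.fingerprint].append(cred)

    for creds in by_fp.values():
        if len(creds) < 2:
            continue
        names = sorted(c.name for c in creds)
        envs = sorted({c.environment for c in creds})
        owners = sorted({c.owner for c in creds})
        kinds = {c.kind for c in creds}
        if len(envs) > 1:
            findings.append(("ENV_REUSE", names, f"same secret in {envs}"))
        if len(kinds) > 1:
            findings.append(("HUMAN_MACHINE_SHARED", names,
                             "one secret serves both interactive and automated access"))
        elif len(owners) > 1:
            findings.append(("IDENTITY_REUSE", names, f"same secret held by {owners}"))

    # Age check against the per-kind rotation cadence.
    for cred in inventory:
        limit = MAX_AGE_DAYS[cred.kind]
        if cred.age_days > limit:
            findings.append(("STALE", [cred.name],
                             f"{cred.age_days} days old, policy allows {limit}"))
    return findings


# Constructed inventory; the secret strings are made up for the example.
INVENTORY = [
    Credential("ci-runner-aws", "ci-runner", "machine", "prod", fingerprint("ak-prod-1"), 10),
    Credential("terraform-staging", "terraform", "machine", "staging", fingerprint("ak-prod-1"), 10),
    Credential("alice-admin", "alice", "human", "prod", fingerprint("shared-pw-1"), 120),
    Credential("deploy-bot", "deploy-bot", "machine", "prod", fingerprint("shared-pw-1"), 5),
    Credential("test-db", "test-db", "machine", "test", fingerprint("test-only"), 3),
]


def codes(findings):
    """Just the finding codes, in the order the audit produced them."""
    return [code for code, _, _ in findings]


if __name__ == "__main__":
    for code, names, detail in audit(INVENTORY):
        print(f"{code:22} {', '.join(names):35} {detail}")
```

Comparing fingerprints rather than secret values is the point of the design: the audit can run from a read-only inventory export and still prove that two records share one value, without the auditing job itself becoming another place plaintext secrets are copied to.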

Why It Matters in NHI Security

Credential hygiene is a direct NHI security control because poor handling of secrets turns a small exposure into full workload compromise. Once a secret is reused, copied into chat, or left in a repository, attackers can pivot into cloud APIs, automation pipelines, and agent toolchains. NHI Management Group research shows that 23.7% of organisations still share secrets through insecure methods such as email or messaging applications, while 88.5% say their non-human IAM practices lag behind or merely match their human IAM efforts. That gap is exactly where attackers find leverage.

This risk is visible in incidents such as the 230M AWS environment compromise and the MongoBleed breach, where exposed credentials became an entry point rather than a minor hygiene issue. It also overlaps with the OWASP Non-Human Identity Top 10, which treats secret exposure and lifecycle weakness as core NHI failure modes. Organisations typically encounter the business impact only after an alert, breach, or anomalous cloud bill, at which point addressing credential hygiene becomes operationally unavoidable.
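The "left in a repository" failure described above is one that can be caught before a commit lands. The scanner below is an added example, not a tool from the page or from NHI Management Group: it combines pattern matches for documented key shapes (the AWS access key ID prefix, the GitHub classic token prefix, the PEM private-key header) with a Shannon-entropy check on values assigned to secret-like names, and skips obvious placeholders and templated references so that it does not flag every configuration file. The sample text it scans is constructed; the AWS value is the example key from AWS's own documentation.

```python
"""Hardcoded-credential scanner over text.

Added example; not the page's tooling nor any vendor's scanner. Known credential
shapes are matched directly, and any quoted value assigned to a secret-like name
is flagged when its Shannon entropy is high enough to look like a real secret.
All sample inputs are constructed.
"""
import math
import re

# Documented credential formats: AWS access key ID, GitHub classic PAT, PEM private key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A secret-like variable name followed by assignment of a quoted string literal.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|password|passwd|token|api_key|apikey)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

# Values that are clearly not live secrets, so they should not produce findings.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<input>", entropy_threshold: float = 3.5):
    """Return one finding dict per suspicious line: path, line number, kind, and name if any."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind})
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group("value")
            # Templated references ("${VAR}") and placeholder words are not secrets.
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy_assignment", "name": m.group("name")})
    return findings


# Constructed sample configuration. The AWS value is AWS's documentation example key;
# the slack_secret value is random-looking filler invented for this example.
SAMPLE = """\
# constructed sample config, not real secrets
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_token: "${VAULT_API_TOKEN}"
slack_secret = "q8Zr3Lm9Vx2Tb7Wk4Np6"
hostname = "db.internal"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.py"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f.get('name', '')}")
```

Wiring a check like this into a pre-commit hook or a CI step gives engineers the fast feedback the definition calls for: the secret is rejected at the point it is about to be written down, which is cheaper than finding it later through an alert or a bill.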

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-02                Covers secret exposure, reuse, and lifecycle weaknesses in non-human identities.
NIST SP 800-63                                           Provides identity assurance concepts that support secure credential handling.
NIST CSF 2.0                       PR.AC-1               Credential hygiene supports access control and identity verification outcomes.

Use assurance principles to separate, protect, and govern credentials across human and machine use.