Subscribe to the Non-Human & AI Identity Journal

Cleartext credentials

Cleartext credentials are usernames, passwords, tokens, or secrets stored in readable form instead of protected by proper secret management. They are dangerous because they can be reused directly by attackers and often outlive the context in which they were created.

Expanded Definition

Cleartext credentials are not just “unencrypted passwords.” In NHI security, the term covers any reusable secret exposed in readable form, including API keys, service account passwords, bearer tokens, and certificates when they are stored or transmitted without effective protection. Definitions vary across vendors on whether a token cached in memory or written to disk is “cleartext,” but the operational concern is the same: an attacker can read and reuse it without breaking cryptography.

This distinction matters because cleartext exposure is often an implementation failure, not an authentication design failure. A secret can be strong, unique, and short-lived, yet still become immediately exploitable if it is embedded in source code, environment files, logs, chat exports, or build artifacts. NHI Management Group treats the issue as part of secret lifecycle governance, not a simple password hygiene problem, and it aligns closely with the risk patterns described in the OWASP Non-Human Identity Top 10 and the NIST SP 800-63 Digital Identity Guidelines. The most common misapplication is treating an exposed secret as “temporary” when it is still valid and can be replayed from any location that can reach the target service.

Examples and Use Cases

Implementing secret handling rigorously often introduces workflow friction, requiring teams to weigh developer convenience against reduced blast radius and faster revocation.

  • Hard-coded API keys in a public repository, later harvested by automated scanners and reused against cloud services.
  • Passwords or tokens placed in CI/CD variables and then echoed into build logs, which makes the secret retrievable after the pipeline finishes. NHIMG documents this pattern in the CI/CD pipeline exploitation case study.
  • Service account credentials shared through email or messaging apps, a practice highlighted in the Guide to the Secret Sprawl Challenge and echoed in industry guidance from the OWASP Non-Human Identity Top 10.
  • Secrets embedded in application configuration files that are copied into staging, backups, or support bundles without redaction.
  • Bearer tokens left in browser history, crash reports, or shared screenshots, where they remain usable until expiry or revocation.

Why It Matters in NHI Security

Cleartext credentials are especially dangerous in NHI environments because workloads automate at machine speed, so a single leaked secret can be replayed across environments before operators notice. NHIMG’s 2024 Non-Human Identity Security Report found that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how often exposure begins with ordinary collaboration habits rather than sophisticated compromise. That same report also found that 88.5% of organisations say their non-human IAM practices lag behind or merely match their human IAM efforts, making secret sprawl a governance problem as much as a technical one.

Once a cleartext credential appears in code, logs, backups, or support tooling, defenders must assume it is already known to an attacker and rotate it immediately. This is why NHIMG research on the MongoBleed breach and the Shai Hulud npm malware campaign is so relevant: exposed secrets become immediate attack paths, not theoretical risks. Organisations typically encounter the real cost only after account abuse, data access, or cloud resource tampering is detected, at which point cleartext credentials become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Directly addresses secret exposure, sprawl, and improper storage of non-human credentials.
NIST SP 800-63 AAL2 Explains assurance expectations for credential strength and replay resistance.
NIST CSF 2.0 PR.AC-1 Access control and credential management are core to limiting misuse of exposed identities.

Inventory, remove, and rotate exposed secrets, then enforce protected storage and access controls.