The process of checking passwords against known breach data before or after they are used. In practice, it is an exposure control, not a strength control, because it answers whether a credential is already compromised rather than whether it looks complex enough.
Expanded Definition
Credential screening checks whether a password, token-derived secret, or other authentication secret appears in breach corpora before it is accepted or reused. In NHI security, the term is often applied to service account passwords, API keys, and automation credentials, where compromise can be silent and long lived. It is an exposure control because it identifies known-compromised material, not a strength control that measures entropy or length.
Practitioners should distinguish credential screening from password policy enforcement, because a complex-looking secret can still be unsafe if it has already been disclosed. That distinction aligns with the broader guidance in the OWASP Non-Human Identity Top 10 and the identity assurance model in NIST SP 800-63 Digital Identity Guidelines, even though no single standard governs screening mechanics yet. In practice, screening may occur at creation time, during rotation, or continuously against newly published breach data. The most common misapplication is treating screening as a one-time password-quality check, which occurs when organisations fail to rescan credentials after downstream exposure events.
Examples and Use Cases
Implementing credential screening rigorously often introduces friction at onboarding and rotation time, requiring organisations to weigh faster access provisioning against the risk of approving a credential that is already known to attackers.
- A CI/CD pipeline rejects a newly generated deploy token because it matches a credential found in breach intelligence, forcing a fresh rotation before release.
- An IAM workflow screens human and machine passwords during provisioning so reused secrets do not enter production accounts.
- A security team continuously rescans stored API keys after a public leak, using findings to trigger reissue and access review. That response is consistent with the exposure patterns described in the Guide to the Secret Sprawl Challenge.
- An application blocks login when an admin password appears in known breach material, then forces reset and session invalidation.
- A cloud operations team aligns screening with the operational guidance in Ultimate Guide to NHIs — Static vs Dynamic Secrets while cross-checking credential handling against NIST SP 800-53 Rev 5 Security and Privacy Controls.
Why It Matters in NHI Security
Credential screening matters because NHI compromise often starts with secrets that were valid long before defenders noticed them. Once a service account password, API key, or token is exposed, attackers can move quickly into automation, cloud control planes, and CI/CD systems. NHI Management Group research shows that 23.7% of organisations still share secrets through insecure methods such as email or messaging applications, which increases the odds that screening will be needed after the fact rather than only at issuance. That reality is reinforced in the 230M AWS environment compromise and the CI/CD pipeline exploitation case study, where stolen secrets became an operational foothold.
Screening is also a governance signal. It helps prove that organisations are not only storing secrets, but actively testing them against known exposure data and rotating them when risk is confirmed. Used well, it shortens dwell time and limits lateral movement. Used poorly, it creates a false sense of safety while secret sprawl keeps expanding. Organisations typically encounter the cost of weak screening only after a breach or token leak, at which point credential screening becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses secret exposure and validation for non-human identities. |
| NIST SP 800-63 | Defines identity assurance concepts that inform credential acceptance and reuse handling. | |
| NIST CSF 2.0 | PR.AC-1 | Supports identity and credential access governance across systems and users. |
| NIST Zero Trust (SP 800-207) | IA-5 | Credential lifecycle control is central to zero trust authentication hygiene. |
| NIST SP 800-53 Rev 5 | IA-5 | Specifies authenticator management, including replacement of compromised authenticators. |
Treat breached credentials as unacceptable authenticators and require replacement before use.