By NHI Mgmt Group Editorial TeamPublished 2025-12-01Domain: Best PracticesSource: PassBolt

TL;DR: Password manager risk is not just about storing secrets, but about how key generation, revocation, offline access, metadata exposure, and phishing resistance shape the trust model, according to PassBolt. For IAM teams, the lesson is that collaboration-friendly secrets handling still needs lifecycle control, least privilege, and explicit residual-risk management.


At a glance

What this is: Passbolt’s article explains why its password manager architecture changes the trust assumptions around secret storage, sharing, revocation, and phishing resistance.

Why it matters: It matters because teams managing NHI, human access, and secrets governance need to understand where password manager design reduces risk and where residual exposure still remains.

By the numbers:

👉 Read Passbolt’s analysis of password manager security and secret governance


Context

Password managers are often treated as simple storage tools, but the real issue is the trust boundary around keys, sharing, revocation, and metadata. For identity security teams, that boundary affects how human credentials, service credentials, and other secrets are protected across the full lifecycle.

Passbolt’s article argues that secure collaboration depends on granular control rather than a single shared vault model. That framing is relevant to NHI governance as much as human access management, because the same questions recur: who can decrypt, who can share, what persists after revocation, and what remains visible to an attacker.


Key questions

Q: How should security teams manage secrets when the password is not the decryption key?

A: Treat password compromise and secret compromise as separate events. If the password does not unlock the private key, phishing and reuse attacks become less likely to expose every stored secret. The control priority shifts to private key protection, device security, and revocation that actually removes access to the encrypted object.

Q: Why do granular permissions matter in password and secret management?

A: Granular permissions reduce blast radius by ensuring people can only decrypt the specific secrets they need. When combined with per-user encryption, access removal can be precise instead of relying on broad vault shutdowns. That makes lifecycle governance more accurate and reduces residual exposure after role changes.

Q: What do security teams get wrong about metadata in encrypted secret stores?

A: They often assume encryption makes the surrounding record harmless. In practice, searchable names, URLs, and descriptions can reveal enough context for reconnaissance, targeting, or prioritisation. Metadata should be classified and governed as part of the secret, not treated as disposable wrapper data.

Q: Who is accountable when offline access increases secret exposure?

A: The identity and security owners who approved offline access are accountable for the logging and audit trade-off. Offline capability can be valid, but only when it is intentionally enabled, tightly scoped, and monitored. If it is the default, governance has already accepted less visibility than many programmes realise.


Technical breakdown

Asymmetric key separation and password independence

Passbolt’s model separates the user passphrase from the private key, so a stolen password alone does not decrypt stored secrets. That matters because the authentication factor and the decryption factor are not the same thing. In conventional designs, a password can become an all-purpose key if the architecture derives encryption from it. Here, compromise has to cross two different control planes. For identity teams, that is a structural improvement over single-secret dependency, but it does not remove the need for strong key handling, phishing resistance, and device protection.

Practical implication: treat password compromise and secret decryption as different failure modes in your access model.

Granular permissions and per-user encryption

The article describes per-password sharing, update and owner permissions, and unique encryption for each user with access. This is a control pattern that narrows blast radius because no encrypted copy exists for people who were never granted access. It also means revocation can be immediate at the data layer rather than relying only on policy changes. For NHI governance, this is the difference between logical denial and actual cryptographic removal. The stronger the permission model, the more precise your lifecycle controls can be.

Practical implication: align entitlement design with per-object revocation, not just group membership changes.

Offline access, metadata, and residual risk

Passbolt frames offline mode and metadata visibility as deliberate trade-offs rather than default conveniences. Offline operation can reduce logging fidelity, while searchable metadata can expose names, URLs, or other context even when the payload remains encrypted. This is the part many teams underestimate: the secret may stay encrypted while the surrounding metadata still leaks enough to support targeting or enumeration. For identity programmes, the key question is not whether a control exists, but whether it preserves auditability without creating a new exposure channel.

Practical implication: review whether offline access and searchable metadata create an exposure path outside your intended governance boundary.


Threat narrative

Attacker objective: The attacker’s objective is to obtain usable secrets or decrypt protected content without having legitimate access to the private key.

  1. Entry occurs when an attacker steals a passphrase through phishing, credential stuffing, or other user compromise attempts, but cannot immediately decrypt secrets because the private key is separate from the password.
  2. Escalation is blocked or slowed because decryption still requires the private key, and the server does not distribute that key or serve cryptographic code for extraction.
  3. Impact is limited by granular permissions and revocation, which reduce the chance that one compromised account exposes every secret in the vault.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Secrets security fails when the password becomes the only gate: Passbolt’s architecture is built around the premise that authentication and decryption should not be the same event. That matters because a compromised passphrase should not automatically expose the underlying secret store. The broader lesson for identity governance is that single-factor secret dependence creates an oversized blast radius when the credential is reused or phished. Practitioners should treat password independence as a baseline design requirement, not an optional enhancement.

Granular revocation is the real control, not just granular sharing: The article’s strongest governance signal is that access removal has to delete usable encrypted access, not merely change a policy record. That is a familiar failure mode in many secrets programmes, where entitlement change does not guarantee data-level removal. The implication is straightforward: lifecycle governance for secrets must be cryptographic and operational, not only administrative.

Metadata is a governance surface, not a side issue: Searchability and auditability often depend on metadata that remains visible even when the secret itself is protected. That creates a disclosure layer around the secret store that can help attackers enumerate targets or infer business context. The named concept here is secret metadata exposure: encrypted payloads can still leak enough context to support reconnaissance and targeting. Practitioners should stop treating metadata as harmless support data.

Open review does not eliminate residual risk, but it changes the assurance model: Passbolt’s emphasis on open source, audits, and public risk analysis shifts trust from opaque assurances to inspectable controls. That does not remove compromise risk, especially when human errors, excessive access, or phishing remain in play. It does, however, force a clearer governance conversation about what is actually controlled and what is only assumed. Teams should evaluate password managers on residual-risk transparency, not marketing claims.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to the State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
  • For broader lifecycle guidance, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for provisioning, rotation, and offboarding patterns that reduce residual secret exposure.

What this signals

Secret metadata exposure: The governance problem is no longer limited to whether a secret is encrypted. Teams now need to understand what surrounding context remains visible, how that context supports targeting, and whether searchability is worth the exposure surface. For a practical baseline on lifecycle handling, compare current practice against the Ultimate Guide to NHIs.

With 72% of organisations reporting or suspecting an NHI breach, secret management is no longer a narrow vault problem. The reader’s programme needs to connect secret storage, access governance, and revocation into one operational model rather than treating them as separate disciplines.

The next maturity step is to decide where offline access, export capability, and collaborative search actually belong in the estate. Those functions can be legitimate, but they should be exceptions with explicit governance, not defaults that quietly weaken auditability and increase the number of places an attacker can pivot.


For practitioners


Key takeaways

  • Password manager design matters most when authentication and decryption are intentionally separated, because that breaks the one-credential-to-everything pattern.
  • Granular revocation, not just shared access, is what prevents old entitlements from leaving active secrets behind.
  • Metadata, offline access, and export controls belong in the same governance review as encryption because they shape the real attack surface.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on secret storage, revocation, and exposure risk.
NIST CSF 2.0PR.AC-4Granular access and revocation map directly to privilege management.
NIST Zero Trust (SP 800-207)SC-4The architecture relies on explicit trust boundaries around secrets and keys.

Review secret rotation and revocation handling so no credential remains usable after access is removed.


Key terms

  • Private key independence: A design pattern where the user password does not derive or unlock the private key used to decrypt secrets. This reduces the impact of password compromise because the attacker still needs a separate cryptographic control to reach the protected data.
  • Granular revocation: A governance control that removes access to a specific secret or object at the cryptographic layer, not just in an entitlement list. It matters because access removal only works if the former user can no longer decrypt or retrieve the underlying data.
  • Secret metadata exposure: The leakage of context around an encrypted secret, such as names, URLs, descriptions, or searchable labels. Even when the payload stays protected, metadata can reveal enough information for targeting, enumeration, or prioritisation by an attacker.
  • Offline access control: The policy and technical handling of secret access when the system is used without live connectivity. In identity governance, offline access can be legitimate, but it usually weakens logging, makes audit harder, and should be treated as a controlled exception.

What's in the full article

Passbolt's full article covers the operational detail this post intentionally leaves for the source:

  • How its key management model is implemented across browser, device, and server boundaries
  • The specific controls behind granular sharing, revocation, and offline mode handling
  • The security whitepaper and audit posture that underpin its transparency claims
  • The residual-risk discussion around metadata, exports, and human error scenarios

👉 The full Passbolt article covers the architecture, residual risks, and control trade-offs in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org