By NHI Mgmt Group Editorial Team | Published 2026-05-07 | Domain: Best Practices | Source: Netwrix

TL;DR: Password Day underscores that the real problem is not password strength but uncontrolled access, because shared admin accounts, service accounts, embedded credentials, and spreadsheet-based secrets still create opaque risk, according to Netwrix. The practical shift is from better passwords to governed control over who can use, rotate, and revoke them.


At a glance

What this is: This is a commentary on Password Day that argues passwords remain risky mainly because access to them is still poorly controlled across human and non-human identities.

Why it matters: It matters because IAM teams cannot close the gap with password complexity alone when the same secret is shared, embedded, or left in place after offboarding across people, scripts, and service accounts.

👉 Read Netwrix's blog post on controlling passwords and shared secrets


Context

Password risk is no longer just about weak user choices. In modern environments, the deeper issue is that passwords often stand in for access control across employees, shared admin accounts, scripts, applications, and temporary spreadsheets that become permanent.

For IAM and NHI teams, that creates a governance problem that spans human identity, service account access, and lifecycle management. If access is scattered and ownership is unclear, passwords become a proxy for lost control rather than a simple authentication method.


Key questions

Q: How should security teams control shared passwords across users and systems?

A: Treat every shared password as a governed identity asset, not a convenience. Assign a named owner, define where it is allowed to work, and keep a full audit trail of access and changes. If multiple people or scripts depend on the same secret, rotation and offboarding must be operationally tested before the credential is accepted as safe.

Q: Why do passwords become a bigger risk as organisations grow?

A: As organisations scale, ownership gets blurred and more people begin depending on the same secrets. That makes it harder to know who used a credential, who should rotate it, and what breaks if it changes. Growth turns passwords into invisible infrastructure, which is why governance, not complexity, becomes the decisive control.

Q: What do teams get wrong about secrets stored in spreadsheets?

A: They assume the spreadsheet is temporary when it has already become part of the access control model. Once secrets live in ad hoc files, the organisation loses visibility, auditability, and reliable offboarding. The real issue is not the file format. It is the fact that uncontrolled distribution has replaced governed access.

Q: How do access reviews help with password and secret governance?

A: Access reviews expose whether a password or secret still has a legitimate owner, active use, and a valid business purpose. They work best when linked to rotation and offboarding, because review alone cannot fix a credential that still exists in multiple places. The goal is to confirm that access is both necessary and revocable.


Technical breakdown

Why shared credentials break password governance

Shared credentials collapse accountability because one secret can be used by multiple people, systems, or scripts without a reliable ownership trail. Once that happens, rotation becomes risky, offboarding becomes uncertain, and audit evidence degrades. The technical issue is not the password format itself, but the absence of a controlled identity boundary around the secret. A password used by five parties is effectively a shared control surface, not a personal credential.

Practical implication: map every shared credential to a named owner, usage boundary, and rotation path before you attempt to tighten policy.

Why spreadsheets and ad hoc vaults create hidden access paths

When secrets move into spreadsheets, chat threads, or unmanaged vaults, the organisation loses visibility into who can read them, when they were used, and whether they were changed. That makes the secret lifecycle non-auditable. In identity terms, the secret is still alive even when the team believes it is temporary, because no authoritative system governs its distribution or retirement. This is a control failure, not a storage preference.

Practical implication: consolidate secrets into one governed system of record and remove informal copies from collaboration tools and files.
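As an added example (not code from the original page or from Netwrix), the following Python script shows what the practical implication above looks like as a check you can actually run: it scans constructed copies of the informal stores this section names (a spreadsheet export, a cron script, a chat export) for credential-like values and matches each against fingerprints of the secrets the vault governs. A hit that matches a vault secret is a copy living outside the system of record; a hit that matches nothing has no system of record at all. The file names, store contents, secret values and the vault registry are all constructed for the example; a real run would read files from disk and take fingerprints from the vault's own API rather than hashing values locally.

```python
"""Locate credential copies that live outside the governed system of record.

Added example with constructed inputs; not code from the original page or
from Netwrix.  The vault registry and the ad hoc stores below are stand-ins.
"""
import csv
import hashlib
import io
import re

# Columns that carry a secret when they appear in a spreadsheet export.
SECRET_COLUMNS = {"password", "passwd", "secret", "token", "api_key", "apikey"}

# Credential-like assignments or mentions in free text: a keyword, up to 40
# characters of filler, then 'is', ':' or '=', then a value of 8+ characters.
# Deliberately broad: an inventory scan should over-report and let a human triage.
FREEFORM_PATTERN = re.compile(
    r"(?i)(password|passwd|secret|token|api[_ -]?key)"
    r"[^\n]{0,40}?(?:\bis\b|[:=])\s*['\"]?([^\s'\",]{8,})"
)


def fingerprint(value: str) -> str:
    """SHA-256 of a secret value; compare fingerprints, never raw values."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed stand-in for the governed vault: secret name -> fingerprint.
VAULT_FINGERPRINTS = {
    "prod-db-admin": fingerprint("Sup3rS3cret!db"),
    "backup-svc": fingerprint("bkp-2024-rotate-me"),
}

# Constructed ad hoc stores, keyed by a hypothetical path.
AD_HOC_STORES = {
    "shared/Admin Passwords.csv": (
        "system,username,password,owner\n"
        "prod-db,admin,Sup3rS3cret!db,\n"
        "legacy-ftp,svc_ftp,ftp-Pa55word,jane\n"
    ),
    "scripts/nightly_backup.sh": (
        "#!/bin/sh\n"
        "export BACKUP_PASSWORD='bkp-2024-rotate-me'\n"
        "run_backup --user backup-svc\n"
    ),
    "exports/ops-chat.txt": (
        "[09:14] bob: api key for the monitoring box is mon_live_9f8e7d6c5b4a\n"
    ),
}


def extract_candidates(path: str, content: str) -> list:
    """Return (value, location) pairs for credential-like values in one store."""
    found = []
    if path.lower().endswith(".csv"):
        # Structured store: trust the column names, not a regex.
        for n, row in enumerate(csv.DictReader(io.StringIO(content)), 2):
            for col, val in row.items():
                if col and col.strip().lower() in SECRET_COLUMNS and val:
                    found.append((val.strip(), f"{path}:row {n} ({col})"))
    else:
        for n, line in enumerate(content.splitlines(), 1):
            for m in FREEFORM_PATTERN.finditer(line):
                found.append((m.group(2), f"{path}:{n}"))
    return found


def audit(stores: dict, vault: dict) -> dict:
    """Classify every hit as a copy of a governed secret or as ungoverned.

    Both classes are findings: a governed secret copied into a spreadsheet is
    still an uncontrolled access path, and an unknown value has no owner at all.
    """
    by_fp = {fp: name for name, fp in vault.items()}
    report = {"governed_copies": [], "ungoverned": []}
    for path, content in stores.items():
        for value, where in extract_candidates(path, content):
            fp = fingerprint(value)
            if fp in by_fp:
                report["governed_copies"].append((by_fp[fp], where))
            else:
                # Report a fingerprint prefix, not the value, so the report
                # itself does not become another informal secret store.
                report["ungoverned"].append((fp[:12], where))
    return report


if __name__ == "__main__":
    result = audit(AD_HOC_STORES, VAULT_FINGERPRINTS)
    for name, where in result["governed_copies"]:
        print(f"copy of vault secret {name!r} outside the vault at {where}")
    for fp, where in result["ungoverned"]:
        print(f"credential with no system of record (sha256 {fp}...) at {where}")
```

The split between the structured and free-form paths is deliberate: a spreadsheet column named "password" is a more reliable signal than any regex, while chat and script text need the looser pattern. Run on the constructed stores, the audit reports two copies of governed secrets sitting outside the vault and two credentials that the vault has never heard of.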

How password controls must scale across human and machine identities

At scale, password governance has to extend beyond employee logins to service accounts, application secrets, and script-bound credentials. Those identities often outlive the people who created them, and they are the ones most likely to be embedded in fragile workflows. The security model has to assume that credential use, rotation, and revocation will be operational events, not occasional cleanup tasks. That is where lifecycle governance becomes the real control plane.

Practical implication: include service accounts and embedded secrets in the same review, rotation, and offboarding process as user credentials.
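To make that practical implication concrete, here is an added example (not code from the original page or from Netwrix) of a lifecycle review that treats user credentials, service account passwords and embedded application secrets as one population. It takes a constructed registry in which each secret has an owner, a set of consumers (people and workloads), a last-rotation date and a flag for whether each consumer has a tested path for receiving a rotated value, and it produces the counts that the "What this signals" section below treats as the right metrics: credentials outside a governed system of record, credentials with ambiguous ownership, and credentials that cannot be rotated without a manual workaround, plus offboarding gaps. The registry, the names, the dates, the 90-day rotation policy and the treatment of group aliases as ambiguous owners are all assumptions for the example.

```python
"""Lifecycle review over human and non-human credential consumers.

Added example with a constructed registry; not code from the original page
or from Netwrix.  Names, dates and the rotation policy are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Consumer:
    name: str
    kind: str            # "human" or "nhi" (service account, script, application)
    recovery_path: bool  # tested procedure exists to re-inject a rotated value


@dataclass
class Secret:
    name: str
    owner: Optional[str]
    last_rotated: date
    consumers: List[Consumer] = field(default_factory=list)
    in_vault: bool = True  # False: lives only in a file, script or chat thread


# Constructed registry.  'alice' has left the organisation; 'ops-team' is a
# group alias, which this review treats as no answerable owner.
OFFBOARDED = {"alice"}
TODAY = date(2026, 5, 7)
MAX_AGE = timedelta(days=90)

REGISTRY = [
    Secret("prod-db-admin", "alice", date(2025, 11, 1), [
        Consumer("alice", "human", True),
        Consumer("bob", "human", True),
        Consumer("nightly_backup.sh", "nhi", False),   # embedded, no injection path
    ]),
    Secret("backup-svc", "bob", date(2026, 4, 20), [
        Consumer("backup-svc", "nhi", True),
    ]),
    Secret("legacy-ftp", "ops-team", date(2024, 3, 9), [
        Consumer("jane", "human", True),
    ], in_vault=False),
    Secret("monitoring-api-key", None, date(2026, 3, 1), [
        Consumer("monitor-agent", "nhi", True),
    ], in_vault=False),
]


def review(registry, offboarded, today, max_age, group_owners=("ops-team",)):
    """Return findings per secret; an empty list means the secret passes."""
    findings = {}
    for s in registry:
        f = []
        if not s.in_vault:
            f.append("outside-system-of-record")
        # Nobody, a departed person or a group alias cannot answer for a secret.
        if s.owner is None or s.owner in offboarded or s.owner in group_owners:
            f.append("ambiguous-owner")
        if today - s.last_rotated > max_age:
            f.append("rotation-overdue")
        # Rotation is only safe when every consumer, human or machine, has a
        # tested way to receive the new value; otherwise it is a manual workaround.
        blocked = [c.name for c in s.consumers if not c.recovery_path]
        if blocked:
            f.append("rotation-blocked-by:" + ",".join(blocked))
        gone = [c.name for c in s.consumers if c.kind == "human" and c.name in offboarded]
        if gone:
            f.append("offboarding-gap:" + ",".join(gone))
        findings[s.name] = f
    return findings


def metrics(findings):
    """Count secrets per finding class; one secret may appear in several."""
    def count(prefix):
        return sum(any(x.startswith(prefix) for x in f) for f in findings.values())
    return {
        "outside_system_of_record": count("outside-system-of-record"),
        "ambiguous_ownership": count("ambiguous-owner"),
        "not_rotatable_without_workaround": count("rotation-blocked-by:"),
        "offboarding_gaps": count("offboarding-gap:"),
    }


if __name__ == "__main__":
    found = review(REGISTRY, OFFBOARDED, TODAY, MAX_AGE)
    for name, f in found.items():
        print(f"{name}: {', '.join(f) or 'ok'}")
    print(metrics(found))
```

The point of running offboarding and rotation in the same pass is visible in the constructed "prod-db-admin" record: its owner has left, a departed person is still a consumer, and an embedded script blocks rotation, so the review reports all three at once instead of leaving each to a different team's cadence.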


Threat narrative

Attacker objective: turn routine credential sprawl into durable, unaudited access that survives normal governance processes.

  1. Entry begins when a password is copied into spreadsheets, scripts, or shared admin workflows, creating multiple uncontrolled access paths.
  2. Escalation follows when the same credential is reused across systems, making ownership unclear and rotation difficult without operational disruption.
  3. Impact occurs when leaked or stale credentials allow unauthorised access, persistence, or offboarding gaps that the organisation cannot quickly prove or reverse.

Related incidents:
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Password control fails when ownership is informal: The central issue is not that passwords exist, but that many of them are created, shared, and maintained outside any durable governance boundary. That breaks accountability, makes rotation a business risk, and leaves offboarding dependent on memory instead of control. Practitioners should treat every shared password as an unmanaged identity object until proven otherwise.

Identity lifecycle discipline matters more than password strength: A complex password stored in three places is still exposed if no one can answer who uses it, when it changes, and how it is retired. That is why access reviews, offboarding, and rotation belong in the same operational conversation. The implication is simple: password policy without lifecycle governance creates an illusion of control.

Controlled vaulting is a governance model, not a storage decision: The industry keeps framing password problems as user behaviour, but the real failure mode is fragmented access architecture. Once secrets are split across spreadsheets, personal vaults, and tribal knowledge, the organisation loses the ability to enforce least privilege in practice. Teams should measure how many secrets sit outside a governed system, not just how many passwords exist.

Human IAM and NHI governance are converging around the same control gap: Shared admin credentials, service account passwords, and embedded application secrets all fail in the same way when no one owns their lifecycle. That makes password governance an enterprise identity issue, not a user authentication issue. Practitioners should align human access controls and machine credential controls under one lifecycle model.

The named concept here is spreadsheet secret debt: once a temporary access file or ad hoc document becomes a de facto control system, the organisation inherits hidden risk that is hard to audit and harder to unwind. That debt accumulates because operational convenience outlives the original exception. The practitioner takeaway is to track where informal secret stores have replaced the system of record.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the affected organisation is notified, showing how slow remediation turns exposure into persistence.
  • For a broader lifecycle view, see the Ultimate Guide to NHIs for visibility, rotation, and offboarding patterns that apply across human and non-human identity.

What this signals

Spreadsheet secret debt: the longer organisations rely on informal stores for credentials, the more their identity programme drifts away from actual control and toward assumed control. That drift is especially dangerous when the same secret spans human access and machine access, because neither review cadence catches the full blast radius. The governance signal is to find every place where a temporary exception has become a permanent control.

A passwordless future will reduce dependence on shared secrets, but it will not remove the need for lifecycle governance over the credentials that remain. Teams should prepare for a mixed estate where human authentication modernises faster than service account and application secret handling. That means the control gap will persist unless identity owners explicitly manage both sides of the boundary.

The right metric is not how many passwords exist. It is how many credentials sit outside a governed system of record, how many have ambiguous ownership, and how many cannot be rotated without manual workarounds. That is the point where control has already degraded, even if authentication still appears to function.


For practitioners

  • Inventory every shared and non-human password path: identify shared admin accounts, service account passwords, embedded application credentials, and any temporary access spreadsheets that now function as permanent records. Assign a named owner and record the system each secret unlocks.
  • Consolidate secrets into one governed vault: move credentials out of chat threads, spreadsheets, and personal storage into a single controlled system with explicit access rules, audit trails, and change history.
  • Tie rotation to operational ownership: require a documented recovery path before rotation so teams do not avoid changing credentials because a script, application, or integration might break.
  • Include offboarding in every credential review: verify that access removal is immediate for departed staff, former contractors, and deprecated service accounts, then test that removal against the systems those credentials still reach.

Key takeaways

  • Passwords are not the real problem. Uncontrolled access to passwords is.
  • When ownership, rotation, and offboarding are unclear, password risk becomes an identity governance failure.
  • A governed vault and lifecycle discipline matter more than complexity rules once secrets spread across people, scripts, and files.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI2 (Secret Leakage), NHI7 (Long-Lived Secrets) | Offboarding failures, leakage into ad hoc stores and rotation failures are central to the article's password governance gap.
NIST CSF 2.0 | PR.AA-01, PR.AA-05 | The article focuses on managing credentials for users and services and on reviewing and revoking their access permissions. (PR.AC-4 is the CSF 1.1 identifier for this control; CSF 2.0 moved it into the PR.AA category.)
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session access; dynamic, strictly enforced authentication and authorization) | Passwords remain a trust anchor, so access must be continuously verified rather than assumed. (SP 800-207 defines no PR.AC control; that identifier belongs to the CSF.)

Track every shared secret through its full lifecycle and prove rotation and revocation can happen safely.


Key terms

  • Shared Credential: A shared credential is a password or secret used by more than one person, process, or system. It weakens accountability because usage cannot be tied cleanly to a single identity, and rotation or revocation can disrupt dependent workflows unless ownership and dependencies are formally managed.
  • Secrets Sprawl: Secrets sprawl is the uncontrolled distribution of credentials across files, chat tools, scripts, personal vaults, and ad hoc storage. It creates hidden access paths and makes it difficult to know where secrets live, who can use them, or whether they can be safely rotated or removed.
  • Identity Lifecycle Governance: Identity lifecycle governance is the discipline of managing access from creation through review, rotation, and revocation. It applies to human identities and non-human identities alike, because the control problem is the same: access must remain owned, auditable, and removable throughout its useful life.
  • Spreadsheet Secret Debt: Spreadsheet secret debt is the accumulated risk created when temporary files become informal control systems for credentials. The organisation inherits hidden access, unclear ownership, and poor auditability, then struggles to remove the file because people now depend on it for day-to-day work.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: My favorite day of the year: Password Day. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org