By NHI Mgmt Group Editorial TeamPublished 2026-02-17Domain: Best PracticesSource: Infisical

TL;DR: Repeated compromise patterns around Passwordstate show why teams should separate human password storage, machine secrets, and privileged access instead of treating one vault as a universal control, according to Infisical. The governance problem is not just patching a product, but designing the right identity boundary for each credential type.


At a glance

What this is: This is an independent analysis of why Passwordstate is no longer a safe default and which replacement category fits each credential problem.

Why it matters: It matters because IAM teams need to stop collapsing human passwords, machine secrets, and privileged access into one control model that creates audit, lifecycle, and blast-radius gaps.

👉 Read Infisical's guide to replacing Passwordstate with the right credential controls


Context

Passwordstate became attractive because it kept credentials on-premises for organisations that could not use cloud-hosted tools. The issue is that many teams used it for three different jobs at once: human password storage, machine secret management, and privileged access handling, even though those problems need different governance controls.

Once a password manager starts holding API keys, tokens, certificates, and service credentials, the lifecycle and access model changes. That creates an identity governance problem, not just a tooling problem, because secret exposure, offboarding, rotation, and audit expectations differ across human accounts, NHI workloads, and privileged infrastructure access.


Key questions

Q: What breaks when one vault is used for human passwords, machine secrets, and privileged access?

A: The access model becomes inconsistent because each credential type has a different lifecycle, review cadence, and blast radius. Human passwords need secure sharing and audit, machine secrets need programmatic retrieval and rotation, and privileged access needs session governance. When one vault handles all three, ownership gets blurred and compromise impact expands.

Q: Why do self-hosted password managers still create governance risk?

A: Self-hosting moves operational responsibility to the organisation, but it does not remove patching, monitoring, backup, or hardening requirements. If those controls are weak, the organisation now owns the failure path as well as the data. Self-hosting only improves security when the operating discipline is mature.

Q: How do teams decide whether a credential belongs in a password manager or a secrets manager?

A: Use the access pattern as the deciding factor. If a person copies and uses the credential interactively, it belongs in a password manager. If an application, pipeline, or service consumes it at runtime, it belongs in a secrets manager. Mixing the two creates poor lifecycle control and weak auditability.

Q: Who should own the risk when privileged access is checked out from a vault?

A: Ownership should sit with the team that governs the infrastructure being accessed, not only with the team that administers the vault. Privileged access introduces session evidence, approval, and expiry requirements that are separate from storage. Governance fails when vault administration is confused with access accountability.


Technical breakdown

Why password managers fail as secrets managers

Password managers are built for interactive human use, where a person unlocks a vault, copies a credential, and signs in to a system. Machine secrets behave differently. API keys, service account tokens, and certificates need programmatic retrieval, scoped environment boundaries, and rotation without manual copying. When those credential types are mixed into a human-first vault, audit trails become noisy, ownership is unclear, and lifecycle controls degrade. The product may still store the secret, but it no longer governs the access pattern that secret actually follows.

Practical implication: separate interactive human credentials from machine secrets before you design rotation or access review workflows.

Self-hosting does not eliminate identity risk

A self-hosted vault shifts trust from a cloud provider to the operator, but it does not remove the need for patching, hardening, monitoring, and backup discipline. If the same instance holds both human passwords and machine credentials, a compromise can expose multiple identity classes at once. The core risk is operational concentration: one control plane now governs several distinct credential lifecycles. That makes local deployment a governance choice as much as a technical one.

Practical implication: treat self-hosted vaults as security systems with full operational ownership, not as safer by default.

Why privileged access management is a separate control domain

Privileged access management is not just stronger password storage. It governs who can access critical infrastructure, under what conditions, for how long, and with what session evidence. Password checkout, approvals, and session recording are control patterns that do not map cleanly to general-purpose password management. If a team uses a vault to manage server, database, or cloud admin access, it risks obscuring whether the real requirement is credential storage, privileged session governance, or both. Those are related but not interchangeable controls.

Practical implication: classify each high-risk credential by use case before deciding whether it belongs in PAM, a secrets manager, or neither.


Threat narrative

Attacker objective: The objective is to turn a single vault compromise into broad credential exposure across human, machine, and privileged access domains.

  1. entry via repeated compromise of a password manager or its update and authentication surface, which can expose stored records and host metadata.
  2. credential access through plaintext retrieval, token forgery, or broad vault exposure when the tool is used beyond its intended human-password scope.
  3. impact through lateral movement into human accounts, machine secrets, and privileged infrastructure paths because one system held multiple identity types.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Passwordstate's real failure was category collapse, not a single bug. The article shows what happens when a password vault is stretched across three governance problems at once: human credentials, machine secrets, and privileged access. That mix invites control mismatch, because the access model that works for a person signing in does not govern service credentials or admin sessions cleanly. The practitioner takeaway is to classify the credential before you classify the tool.

Self-hosted does not mean self-protected. Passwordstate's on-premises story appealed to organisations with residency or cloud restrictions, but the security burden remained with the operator. When patching, monitoring, and incident response are slow or opaque, the trust argument for self-hosting collapses. The implication for practitioners is to treat hosting model as only one factor in governance, not a substitute for operational maturity.

Machine secrets hidden inside a human password vault create identity blast radius. Once API keys, tokens, and certificates live alongside employee passwords, one failure can expose multiple actor types at once. That is an NHI governance problem because the lifecycle expectations for a service credential are not the same as for a human password. Practitioners should read mixed vault usage as a signal that their identity architecture is already over-concentrated.

Separated control domains are now the baseline, not an optimisation. The article's replacement logic is sound because each problem needs different policy mechanics: password sharing for humans, secrets retrieval for workloads, and session governance for privileged infrastructure. The field should stop treating unified vaulting as a default maturity target. The practitioner conclusion is that identity segmentation is now a control requirement, not a design preference.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
  • That reinforces the case for Guide to the Secret Sprawl Challenge, which helps teams separate detection from revocation and remediation across the secrets lifecycle.

What this signals

Secret sprawl is now a lifecycle problem, not just a discovery problem. If leaked secrets remain valid long after exposure, the programme must track revocation as a first-class control instead of treating detection as the finish line. In practice, that means measuring how quickly exposed credentials are invalidated, not just how often they are found.

The bigger signal for IAM teams is that vault sprawl and secret sprawl tend to converge when organisations use the wrong control for the wrong identity type. Human password workflows, workload secret workflows, and privileged session workflows should be separated in architecture and in ownership. A mixed vault is usually a sign that the identity model is already overloaded.

Identity blast radius is the concept to watch here: once a single control stores multiple credential classes, one compromise can spill across more than one programme boundary. That makes environment scoping, ownership, and offboarding more important than interface convenience. Teams that still treat passwords, tokens, and admin access as one population are carrying hidden governance debt.


For practitioners

  • Inventory the credential population by identity type Export the vault contents and tag each record as human password, machine secret, or privileged infrastructure access before choosing a replacement path. This is the fastest way to expose where the current tool is overextended and where lifecycle controls are missing.
  • Split replacement decisions by governance problem Use a password manager for human credentials, a secrets manager for API keys and tokens, and PAM for databases, servers, and elevated access. Do not buy one tool to solve all three problems, because the controls and audit needs are different.
  • Rotate anything stored during the compromise windows Treat the 2021, 2022, and 2024 to 2025 incident periods as exposure windows and rotate any credentials that could have been present then. Use the migration as a forcing function to eliminate stale secrets and orphaned accounts.
  • Hardening self-hosted deployments is non-negotiable If you keep a self-hosted vault, assign explicit ownership for patching, database maintenance, backup testing, SSL certificate renewal, and anomaly monitoring. Without those controls, self-hosting simply relocates risk instead of reducing it.

Key takeaways

  • Passwordstate's problem is not one defect but a repeated mismatch between the tool and the credential type being governed.
  • Operational separation matters because human passwords, machine secrets, and privileged access each need different controls, audit evidence, and lifecycle handling.
  • Teams should migrate by inventorying first, then splitting controls, rotating exposed credentials, and hardening any self-hosted replacement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Addresses secret exposure and credential misuse across mixed vaults.
NIST CSF 2.0PR.AC-1Access control is central when one vault holds multiple identity types.
NIST Zero Trust (SP 800-207)PR.AC-4Least privilege and continuous verification matter for shared vault and PAM workflows.

Apply least-privilege access boundaries to vault, secrets, and admin-session workflows independently.


Key terms

  • Machine Secret: A machine secret is a non-human credential such as an API key, token, certificate, or service account secret used by software rather than a person. It needs programmatic retrieval, scoped access, and rotation that match the workload lifecycle, not a human password workflow.
  • Privileged Access Management: Privileged access management is the discipline for governing elevated access to systems that can change infrastructure, data, or security settings. It covers checkout, approval, session control, and evidence collection, which makes it distinct from ordinary credential storage or password sharing.
  • Identity Blast Radius: Identity blast radius is the amount of access exposure created when one control failure affects multiple identity types or environments. In mixed vault designs, a single compromise can touch human accounts, machine secrets, and admin paths at the same time, increasing both impact and cleanup effort.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step migration guidance for moving credentials out of Passwordstate without losing inventory completeness.
  • Tool-by-tool decision criteria for choosing between a password manager, secrets manager, and PAM platform.
  • Product-specific implementation detail for Infisical, 1Password, Bitwarden, and cloud-native secrets managers.
  • Operational notes on exports, API limits, and rotation sequencing during a live migration.

👉 The full Infisical post covers the migration path, product comparisons, and operational gotchas in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org