TL;DR: Password manager risk is not just about storing secrets, but about how key generation, revocation, offline access, metadata exposure, and phishing resistance shape the trust model, according to PassBolt. For IAM teams, the lesson is that collaboration-friendly secrets handling still needs lifecycle control, least privilege, and explicit residual-risk management.
NHIMG editorial — based on content published by Passbolt: It’s Time for a New Password Manager
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams manage secrets when the password is not the decryption key?
A: Treat password compromise and secret compromise as separate events.
Q: Why do granular permissions matter in password and secret management?
A: Granular permissions reduce blast radius by ensuring people can only decrypt the specific secrets they need.
Q: What do security teams get wrong about metadata in encrypted secret stores?
A: They often assume encryption makes the surrounding record harmless.
Practitioner guidance
- Separate authentication from decryption decisions Require designs where a stolen passphrase alone cannot unlock stored secrets.
- Test revocation at the data layer Verify that removing access actually deletes or invalidates the encrypted secret for the former user.
- Review metadata leakage in secret stores Inventory what remains searchable or visible around encrypted objects, including names, URLs, and descriptions.
What's in the full article
Passbolt's full article covers the operational detail this post intentionally leaves for the source:
- How its key management model is implemented across browser, device, and server boundaries
- The specific controls behind granular sharing, revocation, and offline mode handling
- The security whitepaper and audit posture that underpin its transparency claims
- The residual-risk discussion around metadata, exports, and human error scenarios
👉 Read Passbolt’s analysis of password manager security and secret governance →
Password manager security model: what IAM teams should reconsider?
Explore further
Secrets security fails when the password becomes the only gate: Passbolt’s architecture is built around the premise that authentication and decryption should not be the same event. That matters because a compromised passphrase should not automatically expose the underlying secret store. The broader lesson for identity governance is that single-factor secret dependence creates an oversized blast radius when the credential is reused or phished. Practitioners should treat password independence as a baseline design requirement, not an optional enhancement.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to the State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who is accountable when offline access increases secret exposure?
A: The identity and security owners who approved offline access are accountable for the logging and audit trade-off. Offline capability can be valid, but only when it is intentionally enabled, tightly scoped, and monitored. If it is the default, governance has already accepted less visibility than many programmes realise.
👉 Read our full editorial: Passbolt’s security model shows where password managers still fail