Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passwords are everywhere: what IAM teams need to control now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Password Day underscores that the real problem is not password strength but uncontrolled access, because shared admin accounts, service accounts, embedded credentials, and spreadsheet-based secrets still create opaque risk, according to Netwrix. The practical shift is from better passwords to governed control over who can use, rotate, and revoke them.

NHIMG editorial — based on content published by Netwrix: My favorite day of the year: Password Day

Questions worth separating out

Q: How should security teams control shared passwords across users and systems?

A: Treat every shared password as a governed identity asset, not a convenience.

Q: Why do passwords become a bigger risk as organisations grow?

A: As organisations scale, ownership gets blurred and more people begin depending on the same secrets.

Q: What do teams get wrong about secrets stored in spreadsheets?

A: They assume the spreadsheet is temporary when it has already become part of the access control model.

Practitioner guidance

  • Inventory every non-human password path Identify shared admin accounts, service account passwords, embedded application credentials, and any temporary access spreadsheets that now function as permanent records.
  • Consolidate secrets into one governed vault Move credentials out of chat threads, spreadsheets, and personal storage into a single controlled system with explicit access rules, audit trails, and change history.
  • Tie rotation to operational ownership Require a documented recovery path before rotation so teams do not avoid changing credentials because a script, application, or integration might break.

What's in the full article

Netwrix's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Netwrix frames workforce password management for shared credentials and everyday user access.
  • Operational examples of moving secrets out of spreadsheets, chat threads, and other informal stores.
  • The vendor's description of controlled vaulting, approvals, MFA, and rotation in one workflow.
  • The product-specific visibility model for auditing who accessed a credential and when.

👉 Read Netwrix's blog post on controlling passwords and shared secrets →

Passwords are everywhere: what IAM teams need to control now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Password control fails when ownership is informal: The central issue is not that passwords exist, but that many of them are created, shared, and maintained outside any durable governance boundary. That breaks accountability, makes rotation a business risk, and leaves offboarding dependent on memory instead of control. Practitioners should treat every shared password as an unmanaged identity object until proven otherwise.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slow remediation turns exposure into persistence.

A question worth separating out:

Q: How do access reviews help with password and secret governance?

A: Access reviews expose whether a password or secret still has a legitimate owner, active use, and a valid business purpose. They work best when linked to rotation and offboarding, because review alone cannot fix a credential that still exists in multiple places. The goal is to confirm that access is both necessary and revocable.

👉 Read our full editorial: Password Day exposes the real identity risk: uncontrolled access



   
ReplyQuote
Share: