
Compromised Credential Screening

By NHI Mgmt Group. Updated June 7, 2026. Domain: Threats, Abuse & Incident Response.

Compromised credential screening checks new or changed secrets against known breach corpuses before they are accepted. In practice, it prevents users and service owners from choosing passwords that have already been exposed, which lowers account takeover risk and reduces the chance that an identity programme certifies a broken secret.

Expanded Definition

Compromised credential screening is a control step that rejects a secret when it matches, or closely resembles (for example, a case-folded copy, or the same string with its trailing digits and punctuation removed), an entry from a known breach corpus, before the credential is accepted. In NHI programmes, the term applies to passwords, API keys, tokens, certificates, and other secrets that can be provisioned for people, workloads, or agentic software. It is not the same as ordinary password complexity enforcement: a credential can be long and complex while still being useless because it has already been leaked or reused.

Usage in the industry is still evolving for workload identities: some teams screen only user passwords, while others extend the same check to service account secrets and bootstrap credentials. The operational goal is simple: prevent the organisation from certifying a broken secret at the moment of creation or rotation. For standards context, NIST SP 800-63B (the authenticator volume of the Digital Identity Guidelines) requires verifiers to compare a new memorized secret against a blocklist of values known to be commonly used, expected, or compromised, and to reject it on a match; OWASP frames the risk for machine identities more directly in the OWASP Non-Human Identity Top 10. The most common misapplication is treating a breach check as a one-time feature of the password policy: the secret is screened when a user first enrols, but rotated secrets, service account credentials, and agent credentials are never screened at issuance.

Examples and Use Cases

Implementing compromised credential screening rigorously introduces latency and a dependency on an external breach corpus, so organisations must weigh stronger account protection against operational friction during sign-up, reset, and secret rotation. Two implementation details decide how much friction there is. First, the lookup must never transmit the candidate secret or its full hash: k-anonymity range queries send only a short hash prefix and compare the returned suffixes locally, and a locally cached corpus removes the network round-trip entirely. Second, the policy must state in advance whether the check fails closed or fails open when the corpus is unreachable, rather than leaving that to whatever the error path happens to do.

  • A developer creates a new service account, and the platform rejects the API key because it appears in a breach corpus tied to prior public repository exposure.
  • An identity workflow screens a human password reset against known leaks so that reused credentials are blocked before the account is reactivated.
  • A CI/CD pipeline rotates deployment credentials and checks the replacement secret before storing it, preventing a compromised token from being reintroduced during automation.
  • A security team uses findings from the Guide to the Secret Sprawl Challenge to justify extending screening beyond users into machine identities.
  • An organisation aligns its screening policy with guidance in the OWASP Non-Human Identity Top 10 while using Ultimate Guide to NHIs — Static vs Dynamic Secrets to decide which credentials must be screened at issuance and which should be replaced with ephemeral alternatives.
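
The issuance checks described in the examples above (the near-miss matching from the definition, the lookup-latency and fail-closed trade-off, and the rotation check in the CI/CD case), as an added Python example that is not part of this page or of any NHIMG tool. The breach corpus, the exposed-secret hash list and every secret value are constructed samples; `range_lookup`, `password_variants` and `SecretScreener` are names chosen for this example, and `range_lookup` is an offline stand-in for the HTTPS range query of a k-anonymity service such as Pwned Passwords, which this code does not call.

```python
"""Added example: compromised credential screening at issuance and rotation.
All corpus data and secrets below are constructed for illustration."""
import hashlib


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed breach corpus laid out the way a k-anonymity range service returns
# it: key = first 5 hex chars of the SHA-1, value = "SUFFIX:COUNT" lines. Only the
# 5-character prefix leaves the client, so the service never sees the candidate.
_BREACHED_SAMPLE = {"password": 9_545_824, "Password1!": 2_350, "letmein123": 1_208}
RANGE_CORPUS: dict[str, list[str]] = {}
for _pw, _count in _BREACHED_SAMPLE.items():
    _digest = sha1_hex(_pw)
    RANGE_CORPUS.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{_count}")


def range_lookup(prefix: str) -> list[str]:
    """Stand-in for the HTTPS range request (a real client would GET .../range/<prefix>)."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return RANGE_CORPUS.get(prefix, [])


def password_breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the exact password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:          # match is decided locally, never by the service
            return int(count)
    return 0


def password_variants(password: str) -> list[str]:
    """Near-miss forms screened in addition to the exact value: case-folded, and
    with trailing digits/punctuation removed (the 'Summer2024!' pattern)."""
    variants = {password, password.lower()}
    stripped = password.rstrip("0123456789!@#$%^&*.?")
    if stripped:
        variants.update({stripped, stripped.lower()})
    return sorted(variants)


class SecretScreener:
    """Screens secrets at issuance and rotation for human and non-human identities."""

    def __init__(self, exposed_secret_hashes, fail_closed: bool = True, lookup=range_lookup):
        self._exposed = set(exposed_secret_hashes)   # sha256 of secrets already found leaked
        self._history: dict[str, set[str]] = {}     # identity -> hashes of its prior secrets
        self._fail_closed = fail_closed
        self._lookup = lookup

    def screen(self, identity: str, secret: str, kind: str) -> tuple[bool, list[str]]:
        """Return (accepted, reasons). Passwords go through the breach corpus; every
        kind is checked against the exposed-secret list and the identity's history."""
        reasons: list[str] = []
        if kind == "password":
            try:
                for variant in password_variants(secret):
                    hits = password_breach_count(variant, self._lookup)
                    if hits:
                        reasons.append(f"variant {variant!r} seen {hits} times in breach corpus")
                        break
            except Exception as exc:  # corpus unreachable: the stated policy decides, not luck
                if self._fail_closed:
                    reasons.append(f"breach corpus unavailable ({exc}); failing closed")
        digest = sha256_hex(secret)
        if digest in self._exposed:
            reasons.append("matches a secret previously found exposed")
        if digest in self._history.get(identity, set()):
            reasons.append("reuses a prior value for this identity")
        return (not reasons, reasons)

    def accept(self, identity: str, secret: str) -> None:
        """Record an accepted secret so a later rotation cannot reintroduce it."""
        self._history.setdefault(identity, set()).add(sha256_hex(secret))


if __name__ == "__main__":
    # Constructed exposed-secret list, e.g. hashes exported from secret-scanner findings.
    screener = SecretScreener([sha256_hex("constructed-leaked-deploy-key-1")])
    print(screener.screen("alice", "PASSWORD99", "password"))        # rejected: near-miss of 'password'
    print(screener.screen("svc-deploy", "constructed-leaked-deploy-key-1", "api_key"))  # rejected: exposed
    screener.accept("svc-deploy", "rotated-value-A")
    print(screener.screen("svc-deploy", "rotated-value-A", "api_key"))  # rejected: reuse on rotation
    print(screener.screen("svc-deploy", "rotated-value-B", "api_key"))  # accepted
```

The screener only ever stores and compares hashes, so the exposed-secret list can be shared with the issuance service without itself becoming a leak. `fail_closed` defaults to rejecting when the corpus cannot be reached; a team that prefers availability over strictness during password resets can flip it, but the choice is then an explicit policy decision rather than an accident of the error path.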

Why It Matters in NHI Security

Compromised credential screening matters because a leaked secret is often still technically valid, which means the identity system can unknowingly grant access to an attacker. In NHI environments, that is especially dangerous: service accounts, CI/CD runners, and AI agents often authenticate non-interactively, so a compromised secret can be exploited faster than a human team can notice. NHIMG research shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which increases the odds that screening will need to catch credentials already exposed elsewhere.

Used well, screening turns secret issuance into a trust decision instead of a formatting check. Used poorly, it creates a false sense of safety: a breached password or token is accepted because the control only checks length or character classes. The threat is reinforced by breach patterns documented in the 52 NHI Breaches Analysis and in the 2024 Non-Human Identity Security Report. Organisations typically encounter the consequences only after an account takeover, token replay, or unauthorised workload access, at which point adding compromised credential screening is no longer optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret hygiene and preventing acceptance of exposed NHI credentials.
NIST SP 800-63 | 5.1.1 (SP 800-63B, Memorized Secrets) | Supports rejecting weak or known-compromised authenticators during enrollment and reset.
NIST CSF 2.0 | PR.AA-01 | Identity assurance depends on validating authenticators before access is granted.

Add breach screening to credential lifecycle controls so compromised secrets never become active.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org