Core Concept · 7 min · Updated April 2026

Credential Security

Credential security is the practice of protecting authentication secrets — passwords, tokens, API keys — throughout their lifecycle: from secure generation to compliant storage, rotation, and revocation.

Definition

Credential security refers to the practices, controls, and technologies used to protect authentication secrets — including passwords, API keys, tokens, and certificates — throughout their full lifecycle: generation, storage, transmission, use, rotation, and revocation.

The credential lifecycle

Secure credential management requires controls at every lifecycle stage.
Generation: credentials must be produced by a CSPRNG, not chosen by a human and not derived by incrementing a previous credential.
Storage: credentials must be hashed with a memory-hard algorithm (Argon2id, bcrypt, scrypt) using a unique salt per credential.
Transmission: credentials must only travel over TLS 1.2+ connections.
Rotation: credentials must be rotated when compromise is suspected, not on a rigid schedule (per NIST SP 800-63B).
Revocation: compromised credentials must be invalidated immediately and the event logged.

CSPRNG: why generation method matters

Credentials generated by humans or by general-purpose (non-cryptographic) random number generators are predictable. A CSPRNG (Cryptographically Secure Pseudorandom Number Generator) — such as the Web Crypto API's crypto.getRandomValues(), which PassGeni uses — produces output that is computationally indistinguishable from true randomness. FIPS 140-3 and NIST SP 800-90A specify the approved DRBG (Deterministic Random Bit Generator) algorithms for credential generation in federal systems.

Credential exposure: breach databases

Even cryptographically generated credentials can be compromised through data breaches. PassGeni's Breach Checker uses the HaveIBeenPwned API via k-anonymity — sending only the first 5 hexadecimal characters of the password's SHA-1 hash, never the full hash or the credential itself — to check whether a password has appeared in any known breach database. Any credential that appears in a breach database should be treated as compromised regardless of its entropy score.

Service account credentials

Service accounts present a distinct credential security challenge: they are shared, rarely rotated, and often excluded from standard password policies. PCI-DSS Requirement 8.2.2 prohibits shared generic accounts for CDE access. SOC 2 auditors scrutinise service account credential management. Best practice: generate service account credentials with a dedicated CSPRNG tool, store them in a secrets manager, rotate them after personnel changes, and certify them for audit evidence.

Frequently asked questions

What makes a credential 'secure'?

A secure credential has four properties: it is generated by a CSPRNG (so it is unpredictable), it has sufficient entropy (at least 60 bits), it is absent from every known breach database, and it is stored using a memory-hard hashing algorithm. PassGeni's analysis tools check all four properties.

What is the difference between a credential and a password?

A password is a specific type of credential — a human-memorisable secret. Credential is the broader category: passwords, API keys, tokens, certificates, and biometric templates. Compliance frameworks use 'credentials' when a requirement applies to all authentication secrets, not just passwords.

How often should credentials be rotated?

NIST SP 800-63B explicitly discourages mandatory periodic rotation, which causes users to make predictable substitutions. Rotate credentials when: a breach is suspected, a team member with access departs, a system is compromised, or a security audit finds the credential in breach databases. Rotate automatically on compromise detection.

What hashing algorithm should be used to store passwords?

Argon2id is the NIST-recommended algorithm (SP 800-63B). bcrypt and scrypt are also acceptable. MD5 and SHA-1 are not acceptable for password storage — they are fast hashes, not memory-hard, and are vulnerable to GPU-based brute-force attacks.
