Security13 min readUpdated April 2026

Password Compliance for Security Engineers: Proof, Certs, and Audit Evidence

Auditors don't take your word for it. They want evidence. This guide covers how security engineers generate machine-readable, cryptographically signed proof of password compliance.

The credential evidence gap

Security engineers know how to generate strong passwords. The harder problem — the one that surfaces in every SOC 2, HIPAA, and PCI-DSS audit — is proving that the right credentials were generated to the right standard at the right time.

The evidence gap is structural. Password generation happens at one point in time; audits happen months or years later. By the time an auditor asks "how do I know your admin passwords met HIPAA requirements when you created them?", the only honest answer for most teams is: "we had a policy, and we followed it." That is testimonial evidence, not technical evidence. It is the weakest class of audit evidence.

The gap is particularly acute for:

  • Service account credentials — created by engineers, stored in secrets managers, rarely documented with anything beyond the secret itself
  • Database and infrastructure passwords — generated once, rotated infrequently, with zero provenance records
  • CI/CD pipeline credentials — often created under time pressure, with no formal compliance review
  • Admin accounts — high-value targets that auditors examine closely but that rarely have credential-level documentation

PassGeni compliance certificates close this gap by creating a tamper-evident, machine-readable record at the moment of generation — before there is any need for evidence.

What auditors probe in security reviews

Understanding exactly what auditors ask helps security engineers prepare targeted evidence. For credential controls, experienced auditors in SOC 2, HIPAA, and PCI-DSS reviews typically probe:

  • Policy to technical enforcement gap: "You have a policy saying 16 characters minimum. Show me that your most sensitive systems actually enforce this." Screenshots of IdP settings are the standard answer, but they don't cover service accounts or individually provisioned credentials.
  • Credential provenance: "How do I know this specific admin credential was generated to policy?" Without a generation record, the answer is "we followed our policy" — unverifiable testimonial evidence.
  • Standard-specific compliance: "Your policy mentions PCI-DSS. Which credentials in your CDE have PCI-DSS documentation?" Most teams cannot answer at the credential level.
  • Entropy source: For FIPS 140-3 and FedRAMP audits specifically: "What random number generator was used to generate these credentials?" Most teams have never considered this question.

Compliance certificates address all four probe areas with a single artifact: the certificate documents the compliance standard, the exact generation parameters, the entropy source, and the precise timestamp of generation.

Service account compliance strategy

Service accounts represent the highest credential compliance risk in most organisations. They typically have no MFA, broad permissions, infrequent rotation, and zero documentation of how they were created. A robust service account compliance strategy:

  • Inventory first: Identify every service account in your environment. Common locations: Active Directory service accounts, cloud IAM service accounts, database users, CI/CD pipeline credentials, application API keys, Kubernetes service accounts.
  • Classify by compliance scope: Which service accounts have access to systems in scope for SOC 2, HIPAA, PCI-DSS, or ISO 27001? These are highest priority for certificate generation.
  • Rotate and certify: For in-scope service accounts, rotate credentials using the appropriate PassGeni compliance preset and capture the certificate URL. Store the URL as metadata alongside the credential in your secrets manager.
  • Implement a rotation schedule: Following certification, establish a rotation schedule. For FIPS/DoD environments: 90 days for privileged accounts. For SOC 2/ISO: annually or on engineer offboarding. Each rotation generates a new certificate, maintaining the audit trail.
  • Secrets manager metadata: In HashiCorp Vault: store the cert URL as a custom metadata field. In AWS Secrets Manager: add a tag passgeni-cert-url: https://passgeni.ai/cert/[id]. In Doppler: add the URL to the secret's note. This links the compliance evidence directly to the credential.
Production database credentialsFIPS 140-3 preset · 20+ chars · Rotate annually, certify each rotation
Cloud IAM service accountsApplicable standard preset · Certify at creation
CI/CD pipeline tokensNIST 800-63B minimum · Rotate on pipeline changes
Admin account passwordsFIPS 140-3 or SOC 2 preset · MFA mandatory · Certify at creation

The compliance certificate workflow

Integrating compliance certificate generation into standard credential provisioning workflows:

  1. Determine the applicable compliance standard — Is the credential for a HIPAA-covered system? PCI-DSS CDE? SOC 2 in-scope infrastructure? Select the most demanding applicable standard. FIPS 140-3 satisfies all others simultaneously.
  2. Generate via PassGeni with preset — Use the appropriate compliance preset. PassGeni validates generation parameters server-side and issues a generation_session_id (60-second expiry).
  3. Certify immediately — Use the generation_session_id to request the compliance certificate before the session expires. The certificate is issued, signed with ES256, and stored. You receive a cert_url.
  4. Store credential + cert URL together — The credential goes into your password manager or secrets manager. The cert URL goes into the associated metadata or documentation.
  5. Reference cert URL in runbooks and incident response plans — Add cert URLs to system documentation. During audits or incidents, you have immediate access to credential provenance.

The entire workflow from generation to certified storage adds approximately 90 seconds per credential. At scale, the API automates this entirely.

API and automation integration

For teams managing credentials at scale, the PassGeni API (Authority tier) enables automated compliance certificate generation as part of standard provisioning workflows:

  • Terraform provisioning: Call PassGeni API during resource provisioning to generate database passwords with compliance certificates. Store the cert_url as a Terraform output and tag it to the database resource.
  • Ansible playbooks: Include a PassGeni API call in credential provisioning playbooks. Store cert_url as a host variable for auditor access.
  • GitHub Actions / CI/CD: Generate service account credentials via PassGeni API during environment setup. Store cert_url as an environment variable or GitHub Actions secret annotation.
  • Kubernetes secrets: Add a passgenni-cert-url annotation to Kubernetes secrets created with PassGeni-generated credentials.
API endpoint reference: POST /api/generate → receives generation_session_id. POST /api/generate-certificate with generation_session_id → receives cert_id, cert_url, standards_met, entropy_bits. GET /api/audit → list all certificates for the authenticated user. All endpoints use Bearer token authentication for API key access.

Verifying and sharing certificates

PassGeni certificates are independently verifiable by any party. For security engineers who need to verify certificates (whether their own or certificates they've received from vendors):

  • Online verification: Navigate to the cert URL. The certificate page shows compliance claims, entropy, generation parameters, and current validity status in human-readable form.
  • Offline verification (Node.js): 
    import { jwtVerify, createRemoteJWKSet } from 'jose';
const JWKS = createRemoteJWKSet(
  new URL('https://passgeni.ai/.well-known/jwks.json')
);
const { payload } = await jwtVerify(token, JWKS, {
  issuer: 'passgeni.ai',
  algorithms: ['ES256'],
});
console.log(payload.compliance_standard); // e.g. 'HIPAA'
console.log(payload.standards_met);       // ['NIST-800-63B', 'HIPAA', ...]
console.log(payload.entropy_bits);        // e.g. 131.4
  • Auditor sharing: Share the cert URL directly. Auditors do not need a PassGeni account to view or verify. The certificate page is publicly accessible and shows all compliance claims with verification instructions.

Anomaly detection and abuse controls

PassGeni's security architecture includes controls relevant to security engineers operating in high-security environments:

  • Rate limiting: 10 certificate generation attempts per IP per hour (IP-level), 60 requests per user per minute (user-level), burst protection of 5 immediate then 1/second. Prevents automated abuse.
  • Generation session tokens: The generation_session_id expires in 60 seconds. This prevents certifying externally-created passwords and ensures certificates reflect genuine PassGeni generation events.
  • Anomaly threshold: Users generating more than 50 certificates in 24 hours trigger an anomaly flag in PassGeni's usage_events table. This is monitored and may trigger manual review for potential abuse.
  • Audit trail: Every certificate generation, certificate view, and API access event is logged in usage_events. For Authority tier teams, this provides a complete audit trail of certificate activity.
  • Revocation: Certificates can be revoked instantly. Revocation is reflected on the public certificate page — auditors checking the URL see the revocation status. Revocation is non-destructive: the historical record remains; the validity status changes.

Standards mapping for security engineers

Mapping compliance requirements to PassGeni presets and minimum parameters:

NIST 800-63B (general / government baseline)8 chars · No complexity required · Breach checking
HIPAA §164.312 (healthcare / ePHI systems)12 chars · Upper + lower + digit + special
PCI-DSS v4.0 Req 8.3 (payments / CDE)12 chars · 3 of 4 classes · ≥40 bits entropy
SOC 2 CC6.1 (SaaS / cloud services)16 chars · All 4 char classes
ISO 27001 A.9 (enterprise / international)14 chars · All 4 char classes
FIPS 140-3 (federal / DoD / FedRAMP)20 chars · All 4 char classes · FIPS entropy source · Provenance doc

When multiple frameworks apply, use the most demanding preset. FIPS 140-3 generates credentials that satisfy all other frameworks simultaneously.

Zero-knowledge in a security context

For security engineers evaluating PassGeni's trust model, the zero-knowledge architecture has specific security properties worth understanding:

  • No credential storage: Passwords are generated client-side using crypto.getRandomValues() and never transmitted to PassGeni's servers. A PassGeni data breach cannot expose any credential that was generated using the service.
  • Certificate content scope: The certificate JWT contains generation parameters — not the credential itself. An attacker who obtained the JWT payload would learn that a credential was generated with HIPAA-standard parameters, 12 characters, and specific character classes. They would learn nothing about the credential's content.
  • Signed, not encrypted: The certificate is ES256-signed but not encrypted. The payload is base64-encoded and publicly readable. This is intentional — auditors need to read compliance claims without decryption. Sensitive information (the password) is never included.
  • Key custody: The ES256 signing private key lives exclusively in PassGeni's server environment variables. It is never transmitted, logged, or exposed. Certificate verification uses only the corresponding public key at /.well-known/jwks.json.
  • Subpoena resistance: Because PassGeni never stores passwords, legal demands for credential disclosure cannot be satisfied — there is nothing to disclose. The database contains only JWT payloads (generation parameters) and compliance metadata, not credentials.

Security engineer's compliance checklist

Use this checklist when preparing for a compliance audit or implementing a new certificate-based credential management workflow:

  1. Audit current credential estate — identify every service account, admin account, and infrastructure credential in scope
  2. Classify by compliance requirement — which standards apply to which systems?
  3. Rotate any credential without provenance documentation using the appropriate PassGeni preset
  4. Collect compliance certificate URLs for all rotated and new credentials
  5. Store certificate URLs in secrets manager metadata alongside each credential
  6. Update runbooks and system documentation with certificate URLs
  7. Generate a written password policy using PassGeni's Policy Generator
  8. Capture IdP configuration screenshots or exports for each in-scope system
  9. Create a certificate registry (spreadsheet or CMDB field) mapping credentials to cert URLs
  10. Set calendar reminders for certificate expiry (1 year from issuance) — rotate and re-certify on schedule
  11. For Authority tier teams: configure API-based certificate generation in provisioning automation
  12. Test offline verification of at least one certificate using the JOSE library to confirm auditor workflow
Start with admin and service accounts. These are the credentials auditors probe most aggressively. Generate and certify them first with the appropriate compliance preset. Foundation plan includes 3 certificates/month free. Assurance ($19/month) provides unlimited certificates for full coverage.

Frequently asked questions

How do security engineers prove password compliance to auditors?

The gold standard is a cryptographically signed compliance certificate generated at the time of password creation. It documents the compliance standard, entropy, generation parameters, and entropy source in a tamper-evident JWT. PassGeni's ES256-signed certificates can be verified offline by any auditor using the published public key at passgeni.ai/.well-known/jwks.json.

What evidence do SOC 2 auditors accept for password controls?

SOC 2 CC6.1 auditors typically accept: a written password policy, technical enforcement evidence (screenshots of system configuration), access review logs, and breach notification records. For password generation specifically, a compliance certificate showing the standard, parameters, and entropy used is a strong control evidence artifact that replaces manual documentation.

Can a compliance certificate replace manual password policy documentation?

A compliance certificate supplements but doesn't fully replace written policy documentation. The certificate proves individual credential compliance; the written policy documents organisational intent, scope, and review process. Together, they form a complete audit package. PassGeni's Policy Generator creates the written policy; the certificate engine generates per-credential evidence.

What is a generation session token and why does it matter for security?

A generation session token (generation_session_id) is a short-lived server-signed JWT issued by PassGeni when password parameters are validated. The certificate endpoint only accepts this token — it cannot certify externally-created passwords. This architectural boundary ensures every PassGeni certificate truly reflects a PassGeni-generated credential, preventing fraudulent compliance claims.

How do I integrate compliance certificate generation into our security workflow?

For teams, integrate via the PassGeni API: POST /api/generate with compliance preset to get a generation_session_id, then POST /api/generate-certificate to receive the cert_url. Store the cert_url in your credential management system alongside the credential. During audits, share the cert_url — auditors can independently verify the ES256 signature without calling PassGeni's servers.

What is ES256 certificate signing and why is it used?

ES256 is the ECDSA P-256 signature algorithm, used by PassGeni to sign compliance certificates. It's asymmetric — signed with a private key only PassGeni holds, verifiable with a public key anyone can access. This means certificate authenticity can be verified without trusting PassGeni's servers to be honest or online. The public key is published at /.well-known/jwks.json per RFC 7517.

How should security engineers handle service account password compliance?

Service accounts are the highest-risk credential category — they typically have no MFA, broad access, and change infrequently. For each service account: generate via PassGeni with the appropriate compliance preset, get a compliance certificate, store the cert URL in your secrets management system (Vault, AWS Secrets Manager), and rotate annually or on engineer offboarding. The certificate creates an audit trail with zero extra effort.

What does zero-knowledge mean for security audit compliance?

PassGeni's zero-knowledge architecture means passwords are generated client-side and never transmitted to any server. For audit purposes, this is a feature — it means PassGeni cannot be subpoenaed for password data, cannot suffer a breach that exposes credentials, and cannot log passwords into audit trails. The certificate proves compliance without creating a new attack surface.

How can security engineers verify a PassGeni certificate is authentic?

Fetch the JWT from the cert URL, decode the payload, and verify the ES256 signature against the public key at passgeni.ai/.well-known/jwks.json using any JOSE library. This works offline — no network call to PassGeni required. The certificate's iss claim should be passgeni.ai, cert_version should be 2.0, and the exp claim should not be in the past.

What compliance frameworks accept PassGeni certificates as audit evidence?

PassGeni certificates are specifically designed to address the evidence requirements of SOC 2 CC6.1, HIPAA §164.312, PCI-DSS v4.0 Requirement 8.3, ISO 27001 Annex A.9, NIST 800-63B, and FIPS 140-3. Each certificate contains the specific compliance_standard claim and standards_met array, making it directly referenceable in audit documentation.

Related guides