What is a Secret in Cybersecurity?
A secret is any sensitive credential or value (password, key, token, certificate) that grants access. Learn what counts and how to manage them.
What is a Secret in Cybersecurity?
Definition
A secret is any sensitive credential or value that grants access to a system, service, or data. Secrets must be protected — disclosure compromises confidentiality, integrity, or authenticity.
Secrets include:
- Passwords (user, service account).
- API keys.
- OAuth client secrets.
- OAuth tokens (access / refresh).
- Service account keys (JSON, PEM).
- Database connection strings.
- Encryption keys (symmetric, asymmetric private).
- Certificates with private keys.
- SSH private keys.
- Webhook signing secrets.
- HMAC keys.
- PATs (Personal Access Tokens).
- Cryptographic signing keys.
- JWT signing secrets.
- Kerberos keys / krbtgt.
In simple terms:
A secret is anything that, if known by an adversary, gives them authority they shouldn't have.
Why It Matters
- Secrets are the fuel for most attacks (90% of breaches involve stolen credentials).
- Secrets sprawl (across code, configs, vaults, CI, cloud, devices) is the modern norm.
- Secret leakage is one of the top causes of breaches.
- Secrets management is foundational identity / NHI hygiene.
Types of Secret
Authentication Secrets
- Passwords.
- API keys.
- OAuth secrets.
- Service account keys.
Encryption Secrets
- Symmetric keys (AES).
- Asymmetric private keys (RSA, ECDSA).
- Master keys (KEKs).
- Data encryption keys (DEKs).
Signing Secrets
- JWT signing keys.
- Webhook HMAC secrets.
- Code-signing private keys.
Session Secrets
- Session cookies.
- CSRF tokens.
Federated Secrets
- SAML signing keys.
- OIDC client secrets.
Configuration Secrets
- DB connection strings.
- SMTP credentials.
- Third-party integration secrets.
Where Secrets Live (and Leak)
Where they should live
- Secret managers (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager).
- HSMs (high-value).
- Hardware tokens / TPMs.
- Secure enclaves.
Where they often leak
- Source code (committed to repo).
- Config files (committed).
- Environment variables (in logs, in CI output).
- Slack / email / chat.
- Docker images / container registries.
- Shared drives.
- Backup files.
- Browser localStorage.
- Mobile app binaries.
- Memory dumps.
- Vendor / partner systems (supply-chain leaks).
Common Risks
1. Hardcoded in Code
- Most common leak vector.
- Searchable in repo history.
2. No Rotation
- Same secret for years.
3. Over-Privileged Secret
- Secret unlocks too much.
4. Shared Across Apps / People
- Compromise blast radius amplified.
5. No Audit / Monitoring
- Don't know if/when secret used.
6. Long-Lived
- Static secrets vs short-lived alternatives.
7. Distributed without Vault
- Copy-pasted into 50 places.
8. Vendor Breach
- Vendor leaks your secrets.
9. Insider Theft
- Departing employee takes secrets.
10. Weak Generation
- Predictable, low-entropy secrets.
Real-World Examples
1. GitHub Secret Scanning Catches Leak
OpenAI key committed; GitHub secret scanning notified within minutes; rotated; no abuse. Mitigation: enable secret scanning + push protection.
2. Hardcoded DB Password
Years-old script with hardcoded prod DB password; script copied to dev laptop; laptop stolen → breach. Mitigation: secret manager + rotation + access control.
3. Webhook Secret Reuse
Same webhook secret across multiple services; compromise of one revealed all. Mitigation: per-service secrets + vault.
4. CI Environment Variable Logged
CI debug output dumped env vars including secrets to log; log retained; analyst could see secrets. Mitigation: masked secrets in CI; log scrubbing.
5. Backup Containing Secrets
Backup of config with secrets in plaintext stored in S3 with broad ACL. Mitigation: encrypt backups; restrict ACL; reference vault, not embed.
Best Practices
Discovery
- Continuous secret scanning (code, CI, configs, vaults, cloud).
- Inventory of all secrets and locations.
Storage
- Centralized secret manager.
- HSM for highest-value secrets.
- Secure enclave for client / mobile.
Generation
- High-entropy random.
- Standard libraries / vault-issued.
Distribution
- Pull at runtime from vault.
- Workload identity federation where possible (no secret to distribute).
- Secret refs in config, never embedded.
Rotation
- Automated where possible.
- Scheduled rotation.
- On-demand rotation on suspicion.
Access Control
- Least privilege on secret access.
- Per-secret ACL.
- Just-in-time elevation.
Audit
- Every secret read logged.
- Anomaly detection on secret access.
Lifecycle
- Tied to NHI lifecycle.
- Decommission with workload.
Incident Response
- Rotation playbook.
- Tested.
- SLA for rotation post-incident.
Checklist
- Continuous secret scanning?
- Centralized secret manager?
- HSM for high-value?
- No hardcoded secrets in code / configs?
- Workload identity federation where possible?
- Secret refs (not embedded values) in config?
- Automated rotation?
- Per-secret ACL + least privilege?
- Audit on secret access?
- Anomaly detection?
- Rotation playbook + SLA?
- Backups encrypted; secrets not in backups?
- Logs scrubbed of secrets?
How Forestall Helps
Forestall correlates secrets, NHIs, and permissions — surfacing high-impact leakage risks and tracking rotation / decommissioning.
Frequently Asked Questions
What's the difference between a secret and a password?
Password is one type of secret (used for human/account auth). Secrets is the broader category.
Should secrets ever be in code?
No — always reference from a secret manager.
Can encrypted secrets in code be safe?
The decryption key has to live somewhere — and that's then your real secret. Use a secret manager.
How often should I rotate?
Depends on type. JWT signing keys: months. API keys: quarterly. DB passwords: quarterly. PATs: monthly. After incident: immediately.
What about secret detection in PRs?
Use push protection (GitHub, GitLab) — block commits with detected secrets before merge.
Conclusion
Secrets are everywhere in modern systems — and leakage is the leading cause of breaches. Discover, centralize in vaults, eliminate where possible (federation), rotate routinely, audit access, and respond fast to incidents. With disciplined secrets management, you remove the most common attacker entry point and dramatically reduce identity-based breach risk.
Find every secret in your environment — and govern them.
Forestall discovers secrets in code, configs, and vaults; tracks rotation and exposure.