What is a Password Vault?

A password vault is a system that stores passwords for various privileged accounts in a privileged account management system. Typically, passwords for privileged accounts are automatically changed (rotated) several times every day, and the current passwords are stored in the vault.

Password vaults are a key element of traditional privileged access management (PAM). Many password vaults have evolved from securing passwords to storing other types of secrets as well, including SSH keys, API tokens and certificates. These are often called secrets vaults.

The need for password vaults emerged when the use of system- or domain-level access credentials became more commonplace in organizations. These credentials allow modifying critical components of the business infrastructure, including directory services (like Active Directory), system databases or the network infrastructure. Vaulting these high-impact, high-risk privileged credentials became a necessity, since they were often shared without proper oversight.

However, other technologies have emerged to rival password vaults. In an ephemeral access paradigm, there is no need to store, vault or rotate passwords or other types of privileged credentials at all. Instead, all secrets needed to establish a privileged connection are contained in an ephemeral certificate that is created on the fly when the connection is established. When the connection is made, the certificate - and the secrets within - simply expire. The privileged user never sees or handles the secrets, which mitigates credential-sharing risks. At the same time, the need to manage, vault or rotate credentials disappears as well.
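A simplified model of the issue-and-expire flow described above, added here as an illustration and not taken from PrivX or any other product. An HMAC-signed claim set stands in for a real X.509 or SSH certificate, and the names `issue`, `verify`, `CA_KEY` and the host names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: stands in for the issuing CA's signing key.
# A real deployment signs with a private key and targets trust only the CA's
# public key; HMAC is used here so the example runs on the standard library.
CA_KEY = secrets.token_bytes(32)


def _sign(payload):
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def issue(user, target, ttl=60, now=None):
    """Mint a credential at connection time; nothing is stored or rotated."""
    now = time.time() if now is None else now
    claims = {
        "user": user,
        "target": target,
        "serial": secrets.token_hex(8),
        "not_before": int(now),
        "not_after": int(now) + ttl,  # expiry replaces rotation
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": _sign(payload)}


def verify(cred, target, now=None):
    """Target-side check: signature first, then scope, then validity window."""
    now = time.time() if now is None else now
    payload = json.dumps(cred["claims"], sort_keys=True).encode()
    if not hmac.compare_digest(_sign(payload), cred["sig"]):
        return "rejected: bad signature"
    claims = cred["claims"]
    if claims["target"] != target:
        return "rejected: wrong target"
    if not claims["not_before"] <= now <= claims["not_after"]:
        return "rejected: outside validity window"
    return "accepted"


if __name__ == "__main__":
    cred = issue("alice", "db01.example.internal", ttl=60)
    print(verify(cred, "db01.example.internal"))
    # The same credential replayed an hour later is useless to whoever holds it.
    print(verify(cred, "db01.example.internal", now=time.time() + 3600))
```

A credential copied out of this flow stops working after `ttl` seconds and only ever worked for one target, which is the property that removes the need to vault or rotate it.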

In most cases, organizations use a hybrid model where they vault the secrets they need to while using certificate-based, passwordless authentication when viable.

Learn more about how to manage your secrets in a hybrid way with PrivX Secrets Vault.

