
A Perspective on Modern Credential Management

Judith Kahrer
· 3 min readKey Takeaways
Passwords are still in widespread use — despite modern alternatives, they remain a core credential management challenge today.
Compromised passwords have cascading risk — since users reuse credentials across services, a single leak can propagate to unrelated systems.
Salting and hashing are essential — passwords must be securely stored to protect against database compromises.
Centralize credential management — rather than each application maintaining its own credential store, use a central IAM solution (e.g., an OAuth authorization server) for consistent policy enforcement, storage, and auditing.
Migration doesn't require a big-bang switch — transitions can happen gradually, one user or system at a time, while preserving business continuity.
Decouple credentials from account data — usernames, emails, and roles should be managed separately from passwords to ease integration with legacy systems and support multiple data sources/hashing algorithms.
Decoupling enables flexibility — supports multiple policies (technical or compliance-driven, e.g., GDPR, HIPAA) and multitenant or per-application differences within a single deployment.
Three key takeaways: passwords are still alive, centralize password management, and decouple it from account management.
Long-term goal: modernize authentication — reduce reliance on passwords in favor of MFA and passwordless methods.
On this page
Managing Password Credentials
Credential management is a realm within Identity and Access Management (IAM) that focuses on the lifecycle of credentials, from provisioning, audits, and updates to deprovisioning and monitoring. In its essence, credential management is about keeping user credentials safe during transit and at rest to avoid security incidents. When it comes to passwords, credential management typically involves enforcing password complexity and password strength policies to minimize the risks of brute-force attacks and ensure secure password storage.
When passwords fall into the wrong hands, malicious actors can take over accounts and gain access (on the wrong premises, though). This often propagates to other, even unrelated, systems because users reuse the same credentials for different services. To mitigate the risk of compromised databases and password leaks, it’s crucial to salt and hash passwords before storing them in a data store.
An initial strategy for credential management could — and should! — be to minimize the places where passwords are stored. Instead of each application maintaining its own separate user directory and credential store, install a central credential management or IAM solution, such as an OAuth authorization server, to handle passwords consistently.Â
Moving to Central Credential Management
Centralization improves security hygiene by ensuring all applications follow the same rules. Commonly, centralization concerning credential management implies a single place for enforcing (password) policies, securely storing credentials (passwords), and monitoring and auditing events.Â
Centralizing credentials should not mean copying all data to a central store and abandoning all individual credential data stores at once. It should be possible to perform any transition — whether from multiple systems to a single one or from a legacy to a modern solution — while keeping business continuity and user experience in mind.Â
The Basis for Peaceful Transition
An IAM system should decouple credentials from user accounts to smooth the transition to centralized credential management. This means the system should manage account-related data such as usernames, emails, and user roles separately from passwords. As part of that, an IAM system should support various data sources and hashing algorithms with the possibility of more or less fully customizing integrations with existing password stores. This is important so that the IAM system can integrate with the variety of solutions that heterogeneous or legacy systems imply.Â
An IAM system should support retrieving passwords from multiple data sources and select the appropriate source depending on the use case such as the application the user interacts with. It can then store the password in the central data store using a secure algorithm — providing a unified approach and possibly replacing vulnerable implementations. In this way, you can integrate with the legacy systems and move users to the central system one at a time when improving credential management.
type: embedded-entry-inline id: 13UobMQfJjBjIJciPxJfia
Flexibility via Decoupling
Decoupling credential management from account management provides flexibility for numerous use cases beyond credential transition. For instance, the ability to validate and store passwords using various methods allows for implementing multiple policies within the same system. Such policies can relate to different needs, such as addressing specific technical requirements or meeting compliance standards (e.g., GDPR, HIPAA).Â
Policies commonly vary from organization to organization. With dedicated credential management separated from account management, an IAM system can handle multitenant or even application-related differences within the same deployment. Thus, it provides an organization the freedom and flexibility to implement a solution that fits its needs for modern, secure credential management.
Three Points to Remember
From this blog post, you should take away three main points for modern credential management:
Passwords are still alive.
Centralize password management for improved security and compliance.
Decouple password management from account management to enhance flexibility.
Passwords are still in use and you have to manage them today as best as you can. The best way is to centralize password management. As part of that effort, choose an IAM system that decouples credential management from account management so that it can meet various requirements. In the long run, update your credential management strategy to focus on modernizing the credentials and authentication methods. Rely less on passwords and instead incorporate alternative authentication techniques such as multi-factor authentication (MFA) and passwordless authentication.
Related resources
Frequently Asked Questions
If passwords are risky, why not just eliminate them entirely right away?
Passwords are still widely in use across existing systems, so the practical near-term approach is to manage them as securely as possible (centralization, salting/hashing) while gradually shifting toward MFA and passwordless authentication as a long-term strategy, rather than an immediate wholesale replacement.
Does centralizing credential management mean migrating all data to one system immediately?
No — centralization doesn't require copying all data to a central store and abandoning existing systems at once. It should be possible to transition gradually, whether from multiple systems to one, or from legacy to modern solutions, while maintaining business continuity and user experience.
Why should credential management be decoupled from account management?
Decoupling means passwords are managed separately from account-related data (like usernames, emails, and roles). This makes it easier to integrate with various legacy data sources and hashing algorithms, support multiple policies, and migrate users to a central system incrementally rather than all at once.
Can a single IAM system support different password policies for different applications or tenants?
Yes — because credential management is decoupled from account management, an IAM system can handle multitenant or application-specific policy differences (e.g., different compliance requirements like GDPR or HIPAA) within the same deployment.