In the context of information security, credentials help authenticate users for the purpose of accessing secured accounts or tools. This article will focus primarily on two types of credentials:
- Login credentials, usually a username and password, that enable a user to log in to an account
- API credentials, including API keys, which are required to interact with an Application Programming Interface (API)
Though passwords and API keys are used for different purposes, they should be treated similarly. Essentially, you should see them as secrets that could cause a great deal of harm if they fell into the wrong hands. Much like your social security number and credit card information, you want to treat credentials like passwords and API keys as sensitive information, because they are.
99% of the time, you should not share your credentials with others. However, in some cases, you may need to do so: for example, for team access to a shared group account. It may be tempting to write a password on a sticky note and hide it somewhere in the office. However, this is NOT a secure method for password sharing. In the modern world of constant account compromises, information leaks, and other cyber incidents, you need to exercise caution when sharing credentials with others. Much like you wouldn't ship a glass dish without wrapping it securely in bubble wrap or other protective material, you should not share credentials without giving some thought to it first.
This article highlights the do's and don'ts of sharing credentials like passwords and API keys.
Do's
- Do use a secure channel → Share credentials only through encrypted methods (e.g., password managers, encrypted messages, or secure vaults).
- Do set role-based access → Grant the minimum necessary permissions rather than full access.
- Do use temporary or expiring credentials → Whenever possible, share short-lived tokens instead of permanent keys.
- Do document responsibly → Store credentials in a secure, access-controlled repository, not in public docs or chat threads.
- Do take advantage of Dartmouth-approved tools for credential management, including Bitwarden and CyberArk.
- Do enable multi-factor authentication (MFA) → Add an extra security layer for accounts where possible.
- Do rotate credentials regularly → Update and replace old shared keys/passwords to reduce the risk of misuse.
- Do revoke access when no longer needed → Remove credentials immediately if a person leaves a project or no longer requires them.
Don'ts
- Don't share via email, chat, or plain text, even in a message sent only to yourself → These can be intercepted or accidentally forwarded.
- Don't hardcode passwords or API keys → Never put them directly in code repositories, scripts, or config files without protection.
- Don't reuse passwords across systems → Each account/system should have a unique password.
- Don't store credentials in unencrypted files → Avoid saving them in spreadsheets or other documents, even if the file is password protected.
- Don't give unnecessary access → Avoid sharing credentials with people who don't truly need them.
- Don't ignore suspicious activity → If credentials may have been exposed, rotate them immediately.
- Don't delay revoking old keys → Expired or unused credentials should be deleted promptly.