Credentials

Short Definition

Credentials are your digital identity proof — passwords, API keys, tokens, certificates. They tell systems "yes, this is really you." Stealing credentials is like stealing someone's keys: you get access to everything they had access to.

Full Definition

Credentials are information used to authenticate and authorize access to systems, applications, or data.

Types:

User credentials:

• Username + password
• PIN codes
• Security questions

Programmatic credentials:

• API keys
• Access tokens
• OAuth tokens
• JWT (JSON Web Tokens)

Cloud credentials:

• Access key + Secret key (AWS)
• Service account keys (GCP)
• Connection strings

Certificates:

• SSL/TLS certificates
• Client certificates
• Code signing certificates

Session-based:

• Session cookies
• Session tokens
• Bearer tokens

Why It Matters

• Primary target of attackers
• Bypasses most security controls if stolen
• Often hardcoded or poorly stored
• Single set of credentials can compromise entire infrastructure
• Credential theft is easier than exploiting vulnerabilities

How Attackers Use It

Methods of stealing credentials:

1. SSRF to metadata service:

1# Steal AWS credentials
2url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/role"
3→ Returns access keys

2. GitHub scanning:

1# Automated tools search for:
2aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
3aws_secret_access_key = "wJalr..."
4DATABASE_URL = "postgres://user:pass@host/db"

3. Environment variables:

1# Exposed in errors, logs, /proc/
2env | grep -i secret
3env | grep -i password

4. Traffic interception:

1# Unencrypted HTTP
2POST /login
3username=admin&password=secret123

5. Credential stuffing:

1# Use leaked passwords from other breaches
2# Try same password on multiple services

What attackers do with stolen credentials:

• Access cloud resources
• Make API calls
• Lateral movement
• Privilege escalation
• Data exfiltration
• Create backdoors

How to Detect or Prevent It

Prevention:

Storage:

• Never hardcode in source code
• Use secret management (Secrets Manager, Vault)
• Environment variables (with proper protection)
• Encrypted configuration files

Transmission:

• Always use HTTPS/TLS
• No credentials in URLs
• Proper session management

Access:

• Rotate regularly (90 days max)
• Use temporary credentials when possible
• Apply least privilege
• Enable MFA where possible

Code example (good practices):

1import os
2from cryptography.fernet import Fernet
3
4# Load from environment
5api_key = os.getenv('API_KEY')
6
7# Or encrypted config
8def load_encrypted_config():
9    key = os.getenv('ENCRYPTION_KEY')
10    cipher = Fernet(key)
11    with open('config.encrypted', 'rb') as f:
12        return cipher.decrypt(f.read())

Detection:

• Monitor for credential use from unusual:
  • Geographic locations
  • IP addresses
  • Time of day
  • Access patterns
• Alert on new credential creation
• Scan code repositories for leaks
• Monitor dark web for leaked credentials
• Track failed authentication attempts

Tools:

• GitGuardian (scan repos)
• TruffleHog (find secrets in git history)
• AWS IAM Access Analyzer
• Have I Been Pwned (check if leaked)

Common Misconceptions

• "Deleted from code = safe" - Git history keeps them
• "Private repo = secure" - Repos get compromised
• "Complex passwords are enough" - Need proper storage too
• "Temporary credentials can't cause damage" - Valid while they last
• "MFA protects everything" - Doesn't protect API keys

Real-World Example

Capital One - Credential Theft via SSRF

1# Step 1: SSRF to metadata
2curl http://169.254.169.254/.../iam/security-credentials/WAF-Role
3
4# Step 2: Got credentials
5{
6  "AccessKeyId": "ASIA...",
7  "SecretAccessKey": "wJal...",
8  "Token": "..."
9}
10
11# Step 3: Used credentials
12aws s3 ls --profile stolen
13→ Listed 700+ buckets
14
15# Step 4: Downloaded data
16aws s3 sync s3://sensitive-data ./
17→ 100M+ records stolen

Uber - GitHub Credential Leak (2016)

1# Private repo contained:
2AWS_ACCESS_KEY_ID = "AKIA..."
3AWS_SECRET_ACCESS_KEY = "..."
4
5# Attacker:
61. Gained access to private repo
72. Found credentials in code
83. Used to access S3 bucket
94. Downloaded 57M+ user records

CodeCov Supply Chain Attack (2021)

1# Attacker modified script
2# Script collected credentials from CI/CD:
3- Environment variables
4- Cloud credentials
5- API keys
6- Database passwords
7
8# Exfiltrated to attacker server
9# Affected hundreds of companies

Related Terms

Authentication, Access Key & Secret Key, API, IMDS, Token