In cyber security, a secret is any confidential piece of information used to authenticate, authorise or secure access to systems, data or services. If compromised, it poses a direct security risk that may result in unauthorised access, data leakage or operational disruption.
Common examples
- 🔑 Passwords and passphrases
- 🔐 Cryptographic keys (private or symmetric)
- 🪪 Access tokens (API tokens, OAuth tokens)
- 📇 Digital certificates and SSH keys
- 🔏 Database encryption keys
Properties
- Confidentiality: must never be exposed in clear text.
- Integrity: must be protected against unauthorised modification.
- Traceability: access must be logged and controlled.
- Lifecycle: regular rotation, and revocation if compromised.
Best practices
- ✅ Use a secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
- ✅ Never store secrets unencrypted in code, configuration files or emails.
- ✅ Apply the principle of least privilege to access.
- ✅ Implement automatic rotation (e.g. every 90 days).
Associated risks
- 🚨 Leak due to human error (accidental commit to a public repository)
- ⚠️ Brute-force attacks or social engineering
- ⛔ Use of default or weak secrets
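The best practices and risks above translate into three routine checks: load secrets from the environment or a vault rather than from code, scan files before they are committed for values that look like hardcoded secrets, and flag any secret whose last rotation is older than the agreed interval. The following is an added example (not part of the original page or of any of the tools it names); the sample configuration file, the secret inventory and the detection patterns are all constructed for illustration, and the AWS key value is the publicly documented example key, not a real credential.

```python
import os
import re
from datetime import date, timedelta

# --- 1. Loading a secret: never hardcode it, fetch it at runtime ------------
# os.environ stands in for a vault lookup (Vault, Secrets Manager, Key Vault).
def load_secret(name, env=None):
    """Return the secret called `name`; fail loudly if it is not provisioned."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise KeyError(f"secret {name!r} is not provisioned in the environment")
    return value


# --- 2. Detecting hardcoded secrets before they reach a repository ----------
# Constructed patterns: a generic password assignment, an AWS access key id,
# a PEM private key header, and a long API token assignment.
SECRET_PATTERNS = {
    "generic_password": re.compile(r'(?i)(password|passwd|pwd)\s*[:=]\s*["\']([^"\']{6,})["\']'),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "api_token": re.compile(r'(?i)(api[_-]?key|token)\s*[:=]\s*["\']([A-Za-z0-9_\-]{20,})["\']'),
}

# Constructed sample of a config file that was about to be committed by mistake.
SAMPLE_CONFIG = "\n".join([
    "# settings.py (constructed example)",
    'DB_HOST = "db.internal.example"',
    'DB_PASSWORD = "correct-horse-battery"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'API_TOKEN = "abcdefghijklmnopqrstuvwxyz0123456789"',
    'DEBUG = "true"',
    'LOG_LEVEL = "info"',
])


def find_hardcoded_secrets(text):
    """Return (line_number, pattern_name) for every line matching a secret pattern.

    The secret value itself is deliberately not returned, so a scanner report
    does not become a second place where the secret is written down.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# --- 3. Rotation: flag secrets older than the agreed interval ---------------
MAX_SECRET_AGE = timedelta(days=90)


def overdue_for_rotation(inventory, today, max_age=MAX_SECRET_AGE):
    """inventory maps secret name -> date of last rotation; return overdue names."""
    return sorted(name for name, rotated in inventory.items() if today - rotated > max_age)


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: possible {name}")
    # Constructed inventory with rotation dates.
    inventory = {
        "db-password": date(2024, 1, 15),
        "api-token": date(2024, 5, 1),
        "signing-key": date(2023, 12, 1),
    }
    print("overdue:", overdue_for_rotation(inventory, date(2024, 6, 1)))
```

Run as a pre-commit hook, `find_hardcoded_secrets` would block the constructed file on lines 3, 4 and 5; the rotation check is the kind of job a scheduler runs against the inventory the secrets manager keeps, so that a 90-day policy is enforced rather than merely written down.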
Reference standards
- NIST SP 800-63B (authentication management)
- ISO/IEC 27001 (control A.9.4.1 on access management)