ELI5: What is Password Vaulting?
A password vault is a locked safe for important passwords. People check out a password when they need it and return it when done, and everything is tracked so you know who used what.
Definition
Password vaulting is a privileged access management (PAM) control in which privileged account credentials are stored in a centralized, encrypted vault rather than being known to administrators or stored in scripts. Administrators access systems by checking out credentials from the vault for time-limited sessions, and the vault automatically rotates the credentials after each use, ensuring that no user retains persistent knowledge of privileged passwords.
Key Details
- Credentials are stored encrypted in the vault — administrators may never see the actual password
- Check-out process: administrator requests access → vault provides temporary credential → session is recorded → vault rotates credential after session ends
- Eliminates shared accounts and passwords stored in scripts, spreadsheets, or post-it notes
- All access is audited: who checked out which credential, when, and for how long
- Major vendors: CyberArk, BeyondTrust, Delinea (formerly Thycotic), HashiCorp Vault
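The check-out lifecycle listed above can be modelled in a few lines. This is an added example, not code from any of the vendors named; `ToyVault`, its method names and the in-memory storage are hypothetical, and session recording and encryption at rest are left out.

```python
import secrets
import time

class ToyVault:
    """In-memory model of check-out, lease expiry, rotation and audit (illustrative only)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._secrets = {}  # account -> current password (a real vault encrypts this)
        self._leases = {}   # account -> (user, expiry timestamp)
        self.audit = []     # (timestamp, user, account, event)

    def _log(self, user, account, event):
        self.audit.append((self._clock(), user, account, event))

    def _rotate(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)

    def onboard(self, account):
        self._rotate(account)  # the vault sets a password no human has seen

    def _expire(self, account):
        lease = self._leases.get(account)
        if lease and self._clock() >= lease[1]:
            del self._leases[account]  # time-limited session is over
            self._rotate(account)      # the checked-out password stops working
            self._log(lease[0], account, "expired+rotated")

    def check_out(self, user, account, ttl=900):
        self._expire(account)
        password = self._secrets[account]  # KeyError if the account was never onboarded
        if account in self._leases:        # exclusive check-out: one holder at a time
            self._log(user, account, "denied")
            raise PermissionError(f"{account} is already checked out")
        self._leases[account] = (user, self._clock() + ttl)
        self._log(user, account, "check-out")
        return password

    def check_in(self, user, account):
        self._expire(account)
        lease = self._leases.get(account)
        if not lease or lease[0] != user:
            raise PermissionError("no active lease for this user")
        del self._leases[account]
        self._rotate(account)              # rotate after every use
        self._log(user, account, "check-in+rotated")

    def is_current(self, account, password):
        return secrets.compare_digest(self._secrets[account], password)
```

The `audit` list answers the questions in the bullet above: who checked out which credential, when, and (from paired events) for how long.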
Connections
- Parent: privileged-access-management — password vaulting is a core PAM control
- See also: credential-rotation