Secure Code Credentials

TL;DR

Never hardcode passwords or API keys directly into your code. Use environment variables, a secrets manager (like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault), or dedicated configuration files that are not checked into version control.

Why You Shouldn’t Hardcode Credentials

Hardcoding credentials is a major security risk:

  • Exposure: If your code repository is compromised (even accidentally through public commits), attackers gain immediate access to sensitive information.
  • Difficulty Changing: Updating passwords or keys requires modifying the codebase and redeploying, which is slow and error-prone.
  • Compliance Issues: Many security standards prohibit storing credentials in code.

How to Store Credentials Securely

  1. Environment Variables
    • What they are: Key-value pairs set outside of your application’s code, accessible at runtime.
    • How to use them: Most programming languages provide ways to access environment variables.
      # Python example: read secrets from the process environment at runtime
      import os

      # .get() returns None when the variable is unset; check for that before use
      # instead of falling back to a hardcoded default
      api_key = os.environ.get('MY_API_KEY')
      password = os.environ.get('DATABASE_PASSWORD')
    • Setting them: How you set environment variables depends on your operating system and deployment environment (e.g., using export in Linux/macOS, or setting them through a control panel in cloud providers).
  2. Secrets Managers
    • What they are: Dedicated services for storing and managing sensitive data like passwords, API keys, and certificates. They offer features like encryption, access control, auditing, and versioning.
    • Popular options: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager.
    • How to use them (example with AWS Secrets Manager):
      1. Store your secret in AWS Secrets Manager.
      2. Grant your application the necessary permissions to access the secret.
      3. Use the AWS SDK to retrieve the secret at runtime.
        # Python example using boto3
        import json
        import boto3

        # Uses the caller's own AWS credentials and region (e.g. an IAM role attached to the host)
        client = boto3.client('secretsmanager')
        secret_name = 'my-database-credentials'
        response = client.get_secret_value(SecretId=secret_name)
        # SecretString holds the JSON document that was stored in step 1
        secret = json.loads(response['SecretString'])
        password = secret['password']
  3. Configuration Files (with caution)
    • What they are: Separate files containing application settings, including credentials.
    • Important: Never commit these files to version control! Use a .gitignore file to exclude them.
      # .gitignore example
      config.ini
      secrets.json
    • Encryption: If you must use configuration files, encrypt them at rest and in transit.
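The environment-variable and configuration-file approaches above can be combined in one loader that fails loudly when a secret is missing instead of silently using a built-in default. The following is an added example written for this article, not code from the original post: it looks up a name in the environment first, then in a JSON file kept outside the repository, refuses a secrets file that other local users can read, and wraps the value so that it is redacted if it ever reaches a log line. The `Secret` class, `load_secret` and `demo` names and the `DEMO_DB_PASSWORD` values are constructed for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from every configured source."""


class Secret:
    """Holds a secret value but redacts it in str()/repr(), so an accidental
    print() or a logged exception argument does not leak it."""

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        # Call this only at the point of use, e.g. when opening the DB connection.
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def _read_config_file(path: Path) -> dict:
    """Load a JSON config file, refusing one that other local users can read."""
    if os.name == "posix":
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path} has mode {oct(mode)}; a secrets file should be 0600")
    return json.loads(path.read_text(encoding="utf-8"))


def load_secret(name: str, config_path: Optional[str] = None) -> Secret:
    """Resolve a secret: environment variable first, then an optional JSON
    file kept outside the repository. There is deliberately no default value:
    a missing secret is a deployment error and should fail immediately."""
    value = os.environ.get(name)
    if value:
        return Secret(value)
    if config_path is not None:
        data = _read_config_file(Path(config_path))
        if data.get(name):
            return Secret(str(data[name]))
    where = f" or in {config_path}" if config_path else ""
    raise MissingSecretError(f"secret {name!r} not set in the environment{where}")


def demo() -> dict:
    """Exercise the loader with constructed values (not real credentials)."""
    results = {}
    os.environ["DEMO_DB_PASSWORD"] = "constructed-env-value"
    s = load_secret("DEMO_DB_PASSWORD")
    results["from_env"] = s.reveal()
    results["repr_redacted"] = "constructed" not in repr(s) + str(s)
    del os.environ["DEMO_DB_PASSWORD"]

    # A secrets file in a private temp dir, mode 0600, stands in for a file
    # that lives outside the repository and is listed in .gitignore.
    cfg = Path(tempfile.mkdtemp()) / "secrets.json"
    cfg.write_text(json.dumps({"DEMO_DB_PASSWORD": "constructed-file-value"}))
    cfg.chmod(0o600)
    results["from_file"] = load_secret("DEMO_DB_PASSWORD", str(cfg)).reveal()

    cfg.chmod(0o644)  # simulate a file copied around without care for permissions
    try:
        load_secret("DEMO_DB_PASSWORD", str(cfg))
        results["loose_perms_rejected"] = False
    except PermissionError:
        results["loose_perms_rejected"] = True

    try:
        load_secret("DEMO_DB_PASSWORD")
        results["missing_raises"] = False
    except MissingSecretError:
        results["missing_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The lookup order means a deployment can override a file-based value per host by setting the variable, while the absence of any fallback keeps a placeholder from ever being used in production by mistake. The permission check is enforced on POSIX systems only; on Windows the file ACL would have to be inspected separately.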

Best Practices

  • Least Privilege: Grant your application only the minimum necessary permissions to access credentials.
  • Rotation: Regularly rotate passwords and API keys. Secrets managers often automate this process.
  • Auditing: Monitor access to sensitive data for suspicious activity.
  • Avoid Default Credentials: Never use default usernames or passwords provided by vendors.
  • Use a cyber security scanner: Regularly scan your code and infrastructure for exposed credentials.
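As an added illustration of the last point, not code from the original post, here is a small scanner that runs over source lines and reports the commonest forms of hardcoded credentials: AWS-style access key IDs, private key blocks, and string literals assigned to names such as `password` or `api_key`. Lines that read the value from the environment or a secrets manager (the pattern this article recommends) are skipped, and low-entropy values such as `changeme` are labelled as placeholders so that real-looking keys are triaged first. The rule set, the `scan_lines` and `scan_sample` names and every value in `SAMPLE_SOURCE` are constructed for this example; production scanners ship far larger rule sets.

```python
import math
import re
from typing import List, Tuple

# Constructed patterns for common ways credentials end up in source files.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned_secret", re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']")),
]

# A line that reads the value from the environment or a secrets manager is the
# recommended pattern, so it is skipped rather than reported.
SAFE_SOURCES = re.compile(r"os\.environ|getenv|get_secret_value|secretsmanager")


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_lines(lines: List[str], entropy_threshold: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, line text) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if SAFE_SOURCES.search(line):
            continue
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            label = kind
            if kind == "assigned_secret" and shannon_entropy(match.group(2)) < entropy_threshold:
                # Low-entropy values are usually placeholders; still worth a look,
                # but they should not outrank values that look like real keys.
                label = "placeholder_secret"
            findings.append((lineno, label, line.strip()))
    return findings


# Constructed sample source; none of these values is a real credential.
SAMPLE_SOURCE = """\
import os
password = os.environ.get('DATABASE_PASSWORD')
AWS_ACCESS_KEY = "AKIAFAKEEXAMPLE00001"
password = "Tr0ub4dor&3xyz!"
admin_password = "changeme"
api_key = client.get_secret_value(SecretId='my-api-key')
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()


def scan_sample() -> List[Tuple[int, str, str]]:
    """Scan the constructed sample; expected to flag lines 3, 4, 5 and 7."""
    return scan_lines(SAMPLE_SOURCE)


if __name__ == "__main__":
    for lineno, kind, text in scan_sample():
        print(f"line {lineno}: {kind}: {text}")
```

Running this in a pre-commit hook or CI job catches a credential before it reaches the repository history, which is the point at which rotation becomes unavoidable; the entropy threshold of 3.0 bits per character is a starting value to tune against your own false-positive rate.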