Secret Sharing

A shared secret is a piece of data known to two or more parties. The most familiar form is the password, which is known to both the service provider and the end user. A shared secret can be plaintext or any other piece of data, so long as it is known to the two or more distinct parties. In cryptography, a shared secret is commonly the key that all parties use to decrypt data protected by a symmetric encryption algorithm. Mishandling of shared secrets is a leading cause of identity theft, financial fraud, account takeover (ATO), and mass data breaches. Once a shared secret is in the hands of an attacker, it lets them impersonate the legitimate user and abuse that user's rights as a consumer or employee.

Example:

"Shared secrets come in many forms, but the most popular ones used every day are passwords, PINs, and credit card numbers. Even 2-factor codes are shared secrets."

The Problem with Passwords and Shared Secrets

Mishandling shared secrets, whether passwords, PINs, API keys, or even 2FA codes, is a major driver of account takeover, data breaches, and identity-based attacks. When a shared secret is compromised, attackers can impersonate legitimate users and gain unauthorized access to systems and data.

Secrets rotation is the practice of regularly updating shared credentials to reduce the risk of misuse. Automating this process helps limit exposure from compromised secrets and is a key component of secure credential hygiene. For more on how automated rotation works in practice, see Doppler’s secret rotation overview.
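The rotation practice described above, as an added illustration (not Doppler's own code): secrets are stored only as hashes, a new value is issued on a fixed schedule, and the old value stays valid for a short grace window so clients that have not yet picked up the new secret do not break. The window and maximum-age values are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

GRACE_SECONDS = 300      # assumed: old secret stays valid this long after rotation
MAX_AGE_SECONDS = 86400  # assumed: rotate at least once a day


def _digest(secret: str) -> bytes:
    # Keep only a hash at rest so a leaked store does not leak usable secrets.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class RotatingSecret:
    current_hash: bytes
    issued_at: float
    previous_hash: Optional[bytes] = None
    previous_expires_at: float = 0.0

    @classmethod
    def issue(cls, now: float) -> Tuple["RotatingSecret", str]:
        # The plaintext is returned once to hand to the other party; only its hash is kept.
        plain = secrets.token_urlsafe(32)
        return cls(_digest(plain), now), plain

    def needs_rotation(self, now: float) -> bool:
        return now - self.issued_at >= MAX_AGE_SECONDS

    def rotate(self, now: float) -> str:
        # Demote the current secret to "previous" with an expiry, then issue a fresh one.
        plain = secrets.token_urlsafe(32)
        self.previous_hash = self.current_hash
        self.previous_expires_at = now + GRACE_SECONDS
        self.current_hash = _digest(plain)
        self.issued_at = now
        return plain

    def verify(self, presented: str, now: float) -> bool:
        # Constant-time comparison against the current secret, then the still-valid previous one.
        candidate = _digest(presented)
        if hmac.compare_digest(candidate, self.current_hash):
            return True
        if self.previous_hash is not None and now < self.previous_expires_at:
            return hmac.compare_digest(candidate, self.previous_hash)
        return False
```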
