What Is A Credential?
A credential is anything that proves to a system that you are who you claim to be, and there are far more of them than users directly see. The most familiar are passwords, but a password is often not even the most useful thing to steal. Passwords are frequently held as hashes - the NTLM hashes Windows keeps, the hashes in an application's user database - and a hash can sometimes be used directly, without ever being cracked back into a password. Kerberos tickets act as credentials inside a Windows network and can be captured and reused. And increasingly, the credentials attackers most want are the artefacts a system issues after you have already authenticated: the session cookie that represents your logged-in session in a web application, the OAuth access and refresh tokens that authorise an API call, the JSON Web Tokens that carry identity between services, the long-lived API keys and personal access tokens that automate access, and the private keys and certificates that authenticate machines. The reason this matters is simple and uncomfortable: these post-authentication credentials usually bypass multi-factor authentication entirely. An attacker who steals your live session cookie does not need your password, and does not need to pass the multi-factor check you already passed - the application simply sees them as you, for as long as that session lasts. We begin by establishing which of these credential types your systems actually rely on, because each is stolen, and defended, differently.