
Zombie Credential: A Security And Operations Nightmare

Zombie Credentials are both a security and an operations problem. How? Let’s learn.


Hello there!

Do you like zombie movies? These are horror films in which zombies mindlessly attack the living. If you haven't seen one, you may ask: what are zombies?

In popular culture, a zombie is someone who is technically present but no longer truly alive. The word has its roots in African folklore.

It seems to have captured the human imagination, because the word is used across several distinct contexts. For example, it also describes an exhausted, dazed person who lacks energy and walks around as if unconscious.

There are many other usages of the word and, in the world of technology and business, there is a far more dangerous variation: Zombie Credential.

A Zombie Credential is a login credential (username/password, API key, token, etc.) that remains active and valid in a system even though it is no longer needed or actively used. Like a zombie, it is neither properly alive (in active use) nor properly dead (revoked). That in-between state is exactly what makes it a security risk.

Here's an example: An employee left the company. HR processed the exit, but the physical security team didn't get the memo. The ex-employee's keycard remains completely active.

Why are these credentials dangerous?

Because they sit quietly for months or years. Until one day, they wake up.

If a bad actor gets their hands on an unrevoked badge, they don't need to break a window or hack a firewall. They can just walk right through the front door at 2:00 AM, swipe the zombie card, and the system will happily log it as a routine visit from an ex-employee.

A regular, living intruder is bad enough. But an intruder disguised as a ghost? That’s both a security issue and an operational nightmare. For humans, of course. There are no pigeon zombies.
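As an added example (not from the original post), here is a small reconciliation check a physical security team could run offline: it compares an HR offboarding export with the access-control system's badge list and swipe log, lists badges still active after the holder left, and flags post-termination swipes, marking off-hours ones like the 2:00 AM visit above. The record formats, field names and office-hours window are assumptions for this example.

```python
from datetime import datetime

# Constructed sample data for this example (not real records).
# HR roster export: badge id -> termination date, None while still employed.
HR_ROSTER = {
    "B1001": None,
    "B1002": datetime(2024, 3, 15),
    "B1003": datetime(2023, 11, 2),
}

# Access-control system export: badge id -> status as the PACS sees it.
PACS_BADGES = {"B1001": "active", "B1002": "active", "B1003": "active"}

# Badge swipe log, one event per line (constructed, PACS-style format).
SWIPE_LOG = """\
2024-04-02T08:55:10 door=front-lobby badge=B1001 result=granted
2024-04-02T02:03:41 door=front-lobby badge=B1002 result=granted
2024-03-10T09:12:00 door=front-lobby badge=B1002 result=granted
2024-04-03T23:40:05 door=server-room badge=B1003 result=granted
2024-04-04T10:15:00 door=front-lobby badge=B1003 result=granted
2024-04-03T23:41:00 door=server-room badge=B1004 result=denied
"""


def parse_swipe(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_zombie_badges(roster, pacs):
    """Badges the PACS still treats as active although HR has offboarded the holder."""
    return sorted(
        badge for badge, status in pacs.items()
        if status == "active" and roster.get(badge) is not None
    )


def flag_zombie_swipes(roster, log, office_hours=(7, 19)):
    """Granted swipes on or after the holder's termination date; off-hours ones are marked."""
    hits = []
    for line in log.splitlines():
        ev = parse_swipe(line)
        ended = roster.get(ev["badge"])
        if ev["result"] != "granted" or ended is None or ev["ts"] < ended:
            continue  # employed, unknown to HR, denied, or swiped before leaving
        start, end = office_hours
        ev["off_hours"] = not (start <= ev["ts"].hour < end)
        hits.append(ev)
    return hits
```

Badges unknown to HR (B1004 above) are deliberately not treated as zombies here; a real reconciliation would report them separately.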
