by nunez 1759 days ago
It's driven by all of those things. It's a very old problem.

On a personal level, I like secrets managers (password managers) because I can create credentials on the fly and never have to worry about remembering them.

Before secrets managers, administrators following best-practices would store secrets (like passwords) in a secure database with restricted access and strict access control. (Less steadfast admins either shared common passwords, shared passwords through communication mediums like Lync or AIM, or relied on Excel spreadsheets.)

Rotating passwords required lots of coordination amongst teams; consequently, rotations often weren't done or, if they were, they were done significantly less frequently than they should have been.

Lots and lots of data breaches in the past were due to bad/old passwords that got leaked, either from someone gaining access to systems or from rogue (usually ex-) employees sharing secrets around.

Secrets managers solve for this by providing highly-distributed and secure databases for storing secrets along with robust authentication/authorization/access control and, most importantly, client APIs for accessing secrets securely. It is significantly cheaper to buy a secrets manager and get employees to use it than it is to suffer fines from a data breach.

1 comments
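The properties the post above lists (restricted, audited access; rotation that needs no cross-team coordination; an API that clients call at use-time instead of reading a config file) are easier to see in code. The following is an added example, not code from the thread or from any secrets-manager product: a small in-memory model whose names (`SecretStore`, `connect_to_database`, the principals and paths) are all invented for illustration, and whose secret values are constructed placeholders. It stands in for what a real deployment would get from a product such as HashiCorp Vault over TLS.

```python
"""Added example: a toy in-memory secrets manager illustrating versioned
secrets, per-principal access control and an audit trail. Not a real
product's API; every name and value here is invented for illustration."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


class AccessDenied(Exception):
    pass


@dataclass
class SecretVersion:
    value: str
    version: int
    created_at: datetime


@dataclass
class SecretStore:
    # path -> versions, newest last; rotation appends rather than overwriting,
    # so an in-flight client can still pin the version it started with
    _secrets: Dict[str, List[SecretVersion]] = field(default_factory=dict)
    # principal -> {(path, capability)}; stands in for Vault-style policies
    _policies: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    # (principal, capability, path, allowed) for every access attempt
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, principal: str, path: str, capability: str) -> None:
        self._policies.setdefault(principal, set()).add((path, capability))

    def _check(self, principal: str, path: str, capability: str) -> None:
        allowed = (path, capability) in self._policies.get(principal, set())
        # Denied attempts are logged too: that is the detection value of
        # routing every secret access through one choke point.
        self.audit_log.append((principal, capability, path, allowed))
        if not allowed:
            raise AccessDenied(f"{principal} may not {capability} {path}")

    def write(self, principal: str, path: str, value: str) -> int:
        self._check(principal, path, "write")
        versions = self._secrets.setdefault(path, [])
        versions.append(SecretVersion(value, len(versions) + 1,
                                      datetime.now(timezone.utc)))
        return versions[-1].version

    def read(self, principal: str, path: str,
             version: Optional[int] = None) -> SecretVersion:
        self._check(principal, path, "read")
        versions = self._secrets.get(path)
        if not versions:
            raise KeyError(path)
        return versions[-1] if version is None else versions[version - 1]


def connect_to_database(store: SecretStore, principal: str, path: str) -> dict:
    """Client-side pattern: fetch the credential at use-time through the API,
    never from a config file or environment baked at deploy time, so a
    rotation on the server side is picked up on the next connection."""
    secret = store.read(principal, path)
    # A real application would open the connection here; the example returns
    # what it would have used so the behaviour can be checked.
    return {"user": "app", "password": secret.value,
            "secret_version": secret.version}


def demo():
    store = SecretStore()
    # The DBA team may rotate the credential; the application may only read it.
    store.grant("dba-team", "db/prod/app", "write")
    store.grant("app-service", "db/prod/app", "read")

    store.write("dba-team", "db/prod/app", "initial-pw-0001")   # constructed value
    before = connect_to_database(store, "app-service", "db/prod/app")

    # Rotation: the DBA writes a new version; no client change or
    # coordination with the application team is needed.
    store.write("dba-team", "db/prod/app", "rotated-pw-0002")   # constructed value
    after = connect_to_database(store, "app-service", "db/prod/app")

    # A principal with no policy (say, a leftover account) is refused, and the
    # refusal lands in the audit log where monitoring can see it.
    try:
        store.read("ex-employee", "db/prod/app")
        denied = False
    except AccessDenied:
        denied = True

    return before, after, denied, store.audit_log


if __name__ == "__main__":
    b, a, d, log = demo()
    print(b["secret_version"], a["secret_version"], d, len(log))
```

The two design points worth carrying into a real deployment are that clients read by path at use-time (so rotation is a server-side write, not a fleet-wide redeploy) and that every access attempt, allowed or not, goes through a single audited check.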

This is a good post. As usual it's a question of trade-offs. HashiCorp can be quite pricey for a managed Vault instance if you have a decent site, and salaries for engineers to maintain an on-prem Vault can also be pricey.

Depending on the data, security requirements, legislation, your business and whatnot, you can make some trade-offs and see if you really need it.

If you have a monolithic Django app with < 15 devs not serving critical security content, chances are you don't need it.