Almost every breach you read about in the news involves credentials. Sometimes it's passwords pulled out of a database that hashed them badly. Sometimes it's an API key committed to a public GitHub repo. Sometimes it's a session token stolen from a JavaScript variable because somebody stored it in localStorage. More recently, it's an API key left public in a vibe-coded app. The technical details vary; the underlying problem is usually the same. Someone treated a secret like ordinary data and stored it the way they would store anything else.

This guide covers what counts as a credential, the small number of things you actually need to do to handle each kind correctly, and the mistakes that show up over and over in real applications.

The three kinds of credentials

The first thing to internalize is that "credential" isn't one thing. There are at least three categories, and they need to be handled differently:

User credentials. What your users give you to prove who they are — passwords, primarily.…