Which credential storage and rotation practice aligns with security best practices?

Study for the User Account Management Test.

Multiple Choice

Which credential storage and rotation practice aligns with security best practices?

Explanation:
Storing credentials in a dedicated vault or a cloud-based key management service with encryption at rest and rotating on a schedule embodies prudent secret management. Using a vault or KMS centralizes control, enforces strict access policies, and keeps sensitive data encrypted even when stored. Regular rotation reduces the risk window if a credential is exposed or leaked, so compromise doesn’t grant ongoing access. Automated rotation also minimizes human error and supports auditing and revocation, which helps with accountability and compliance.

Storing secrets in plaintext bypasses encryption protections, making any access to storage an immediate risk. Rotating only after a compromise leaves credentials vulnerable for an unknown period, giving attackers a window to act. Sharing credentials across a team eliminates isolation, makes revocation and auditing difficult, and increases the potential impact of misuse.
