Hitachi ID Systems, Inc.

Embedded Application Passwords

Business Challenge

Applications often must connect to one another using a login ID and password. For example, a web application might have to sign into a database server.

Traditionally, applications keep login IDs and passwords in plaintext, in source code or configuration files. This is insecure, as passwords are visible to anyone with rights to their filesystem or backup media.

Embedded passwords are also hard to change, since they have to be modified in at least two places.

Hitachi ID Privileged Password Manager Solution

  • Privileged Password Manager can periodically randomize application passwords on back-end systems. Changes can be scheduled for slow hours (e.g., 3AM on Sunday mornings).
  • A Privileged Password Manager SOAP API allows applications written in any programming language, running on any platform, to fetch current password values.
  • Applications must authenticate themselves to Privileged Password Manager when retrieving passwords. This is done using a one-time password (OTP), which changes after each successful authentication.
  • Privileged Password Manager can also limit which IP address subnets applications may connect from. This acts as a second authentication factor, i.e., "what you know" (the OTP) plus "where you are" (the IP).

Using Privileged Password Manager, static, embedded passwords are replaced with dynamic passwords, retrieved securely by applications when needed.
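
A small in-memory model of the retrieval check described in the list above, added here as an illustration; it is not Hitachi ID's code or its SOAP API. The class, its method names, the subnet and the account name are all hypothetical.

```python
import hmac
import ipaddress
import secrets


class PasswordBroker:
    """Hypothetical vault-side model; not the product's API."""

    def __init__(self):
        self._apps = {}   # app_id -> {"otp": str, "subnets": [networks]}
        self._vault = {}  # account -> current randomized password

    def register(self, app_id, subnets):
        """Enroll an application and return its first OTP."""
        otp = secrets.token_urlsafe(32)
        nets = [ipaddress.ip_network(s) for s in subnets]
        self._apps[app_id] = {"otp": otp, "subnets": nets}
        return otp

    def randomize(self, account):
        """Scheduled change: replace the stored password with a random one."""
        self._vault[account] = secrets.token_urlsafe(24)

    def fetch(self, app_id, otp, source_ip, account):
        """Return (password, next_otp) or raise PermissionError."""
        app = self._apps.get(app_id)
        if app is None or account not in self._vault:
            raise PermissionError("unknown application or account")
        addr = ipaddress.ip_address(source_ip)
        # "Where you are": the caller must be inside an allowed subnet.
        if not any(addr in net for net in app["subnets"]):
            raise PermissionError("source address not allowed")
        # "What you know": constant-time comparison of the current OTP.
        if not hmac.compare_digest(otp.encode(), app["otp"].encode()):
            raise PermissionError("invalid one-time password")
        # Rotate only after a successful authentication, so a captured
        # OTP cannot be replayed and a failed attempt changes nothing.
        app["otp"] = secrets.token_urlsafe(32)
        return self._vault[account], app["otp"]


if __name__ == "__main__":
    broker = PasswordBroker()
    otp = broker.register("webapp", ["10.0.5.0/24"])  # constructed values
    broker.randomize("db-svc")
    password, otp = broker.fetch("webapp", otp, "10.0.5.17", "db-svc")
    print("fetched a", len(password), "character password; OTP rotated")
```

In this model the caller must persist the returned OTP for its next request.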