Tags: secrets, security, devops, api-keys, infrastructure

Secrets Management: I Mapped 76 .env Files of Sprawl (Simply Explained)

A plain-language guide to secrets management. No jargon, no tech speak, just what it means for your business.

By Mike Hodgen

Want the full technical deep dive? Read the detailed version

The number that made me close my laptop

Last month I went looking through all the software projects I run. My DTC fashion brand, a dozen tools I built for myself, the experiments that never went anywhere.

I found 76 files holding passwords and access keys. Think of these as the digital house keys that let my software get into email accounts, payment systems, and databases.

Seventy-six files made me wince. But here's the thing: that number doesn't actually matter.

Why the file count is a distraction

Let me explain with a real-world version.

Imagine you own ten rental properties. You could have a thousand keys in a drawer, each one opening a single door. Or you could have ten keys, but every single key opens all ten properties.

The second setup sounds simpler. It's also a disaster waiting to happen. Lose one key, and a stranger walks into all ten houses.

That's the real question. Not "how many keys do I have," but "if I lose one key, how many doors does it open?"

I call this the blast radius. When one password leaks, how many separate businesses or systems blow up with it?

I didn't want to guess at my own answer. So I built a tool to measure it. These were all my own projects, no clients, which means I can show you the real numbers with nothing hidden.

Why this happens to everyone who moves fast

This isn't a discipline problem. It's just how things go when you're building quickly.

You start project number nine. It needs to send email. You already have a working email key sitting in project number three. So you copy it, paste it in, and move on. It works. You ship it.

Now multiply that across every key a project needs, and across every new project you start. The same key ends up scattered across a dozen places. Nobody decided to do this. It's just the easy path when there's no central drawer to grab fresh keys from.

There's a sneakier problem too. The same key shows up in different projects under different names.

In one place I called it EMAIL_KEY. In another, MAIL_API. In a third, something else entirely. Same key, three different labels.

So even if I carefully searched my own files for one name, I'd miss every copy hiding under a different name. The mess is invisible to the obvious tools. That's why most business owners genuinely don't know their number. They've never had a way to measure it.

I built a tool that counts the danger without ever revealing a single key

Here's the tricky part. You can't just print out a report listing all your passwords. A report full of your live keys is itself a leak.

So I built the tool to answer "which keys are shared" without ever showing what any key actually is.

The trick is fingerprinting. For every key the tool finds, it creates a unique fingerprint, like a smudge-proof stamp, and stores that instead of the real key. Two projects with the same fingerprint are using the same key. I learn they're linked without the tool ever knowing or showing the actual key.

This also solves the different-names problem. EMAIL_KEY and MAIL_API both produce the same fingerprint if they hold the same key. The naming chaos stops mattering.

Then it's just counting. For every shared key, the tool draws a map: exactly which projects go down if that one key leaks.

The tool took an afternoon to build. Most of that afternoon was making sure it never accidentally printed a real key, because one slip would defeat the whole point.
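A small version of the fingerprinting scan described above, added here as an illustration and not the author's own tool. It reads .env contents, stamps every value with a keyed one-way hash, and ranks the shared keys by how many projects each one reaches, so a report can be shared without containing a single real key. The sample .env contents and the pepper value are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample .env files (not the author's real projects).
SAMPLE_ENV_FILES = {
    "shop/.env": "EMAIL_KEY=sk_email_abc123\nSTRIPE_KEY=sk_live_pay999\n",
    "tool-a/.env": "MAIL_API=sk_email_abc123\nOPENAI_KEY=sk-ai-777\n",
    "tool-b/.env": "# mailer\nMAILER=\"sk_email_abc123\"\nSTRIPE_KEY='sk_live_pay999'\nDEBUG=1\n",
}

# Pepper: a constructed secret held only by whoever runs the scan. A keyed hash
# means a leaked report cannot be reversed by guessing common key values.
PEPPER = b"constructed-scan-pepper"
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Yield (name, value) pairs from .env text; blank and comment lines never match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        if value:
            yield name, value

def fingerprint(value):
    """Keyed hash of a secret: same value -> same stamp, never the value itself."""
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()[:12]

def blast_radius(env_files):
    """Map fingerprint -> sorted (file, var name) locations holding that value."""
    shared = defaultdict(set)
    for path, text in env_files.items():
        for name, value in parse_env(text):
            shared[fingerprint(value)].add((path, name))
    return {fp: sorted(locs) for fp, locs in shared.items()}

def report(env_files, min_projects=2):
    """Rows (project count, fingerprint, files, names) for shared keys, widest first."""
    rows = []
    for fp, locs in blast_radius(env_files).items():
        projects = sorted({path for path, _ in locs})
        if len(projects) >= min_projects:
            rows.append((len(projects), fp, projects, sorted({n for _, n in locs})))
    return sorted(rows, reverse=True)
```

Calling `report(SAMPLE_ENV_FILES)` lists the email key first (three files under three different names), then the payments key (two files); the single-use keys never appear, and no row contains a value.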

What I found

I ran it across all 76 files. Here's what came back.

I had keys showing up 1,147 times across those files. Buried in there were 70 keys that were shared across more than one project. Seventy cases where one leaked key takes down multiple systems.

Three of them genuinely scared me.

One email key lived in 14 separate projects. If that single key leaks, someone can send email pretending to be me from 14 different products. Fourteen businesses, one paste.

One AI key was shared across 7 projects. Less scary in terms of impersonation, but a leaked AI key racks up thousands of dollars in charges fast, all billing to the same compromised account.

And one live payments key was shared across 6 different businesses. This is the one that made me close the laptop and walk around the block. That's not test data. Leak it and six businesses' money is exposed in the same moment, through one key.

If you're reading this and quietly wondering whether your team has done the same thing, they almost certainly have. The only question is the number, and you haven't measured it yet.

The fix is two moves, and the order matters

Move one: put every key in a single, secure vault. Instead of 76 scattered files, the real keys live in one locked place. This stops the bleeding. It gets your keys out of plain files sitting on your computer.

But after move one, your keys are organized but still shared. That email key is still the same one in 14 projects. You've changed where it lives, not how far it reaches.

Move two is the part most people skip. Now you swap out each shared key for its own unique key, one per project. The 14 projects sharing one email key each get their own. Now if one leaks, the damage drops from 14 down to 1.

Do these in the wrong order and you make it worse. If you make new keys before you have a vault, you just scatter 14 new keys back into 14 files and recreate the exact mess you started with.

Move two is slow and unglamorous. There's no shiny dashboard at the end, just your risk quietly dropping. That's why most people stop after move one. They've organized the problem, not solved it.

The rule that keeps it from coming back

Cleaning up is pointless if you create the same mess again in six months. So here's the rule: every new project gets its own fresh key. It never borrows a copy.

When project number 15 needs email, it doesn't grab project number three's key. It gets a brand new one. A key that opens one door can only ever leak one door.

That habit of grabbing the key you already have is how all 70 of my shared keys happened. It's faster in the moment, and it's the entire source of the problem.

This is the work I do across a whole portfolio. Find the hidden risk, measure it precisely, then fix it in the right order so you stop the bleeding before you start the slow cleanup. The tool took an afternoon. It turned a vague worry into a clear list: here's your danger, here's what to fix first.
