
Company email password

Description

General

The company email password detector aims to catch any company email/password pair whose email is sensitive enough that the credentials could endanger a company's security.

This statement is pretty broad, so to avoid raising many false alerts GitGuardian has come up with a range of validation steps and specifications to refine the perimeter we are looking at.

Specifications

The two components of the couple that the detector catches are referred to as username and password, and they must be within a reasonable distance of each other inside a document to be flagged.
This detector only flags the closest couple of matches.

For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:

For both matches:

  • Must be an assigned value, namely of the form {assigned_variable} {assignment_token} {value}, where {assigned_variable} is either username, password, or other similar strings.

username:

  • The document must contain the string email or user (see whitelist hereunder).
  • Caught emails must be company related to be sensitive. Therefore, common personal email providers such as gmail.com are banned, as are non-sensitive aliases such as no_reply addresses (see banlist hereunder).

password:

  • The document must contain the string pass (see whitelist hereunder).
  • A set of rules filters out irrelevant passwords, such as the literal value password, or values that are a URL, a date, or a file name (see banlist hereunder).

Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the credentials.

Examples

Examples that WILL be caught

```yaml
- text: |
    email=some.french.name@gitguardian.com
    password=abuaoentsubaoeub24234$@3!
  username: some.french.name@gitguardian.com
  password: abuaoentsubaoeub24234$@3!
- text: |
    user=whatever@gitguardian.com
    pass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
  username: whatever@gitguardian.com
  password: th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
```

Examples that WILL NOT be caught

  • The email address is not sensitive (gmail.com).

```yaml
- text: |
    email=some.french.name@gmail.com
    password=abuaoentsubaoeub24234$@3!
```

  • The password is a URL.

```yaml
- text: |
    user=whatever@gitguardian.com
    pass=www.google.com
```
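To make the Specifications section concrete, here is an added Python example (written for this page; it is not GitGuardian's detector code) that runs the described pipeline over the examples above: content whitelist pre-validation, extraction of `{variable} {= or :} {value}` assignments, the email domain and value banlists (reduced subsets of the lists in the Details section), the entropy, url/date/file_name and left-context checks on the password, and closest-couple selection. The regexes, the 300-character distance limit, and the choice to validate candidates before picking the closest pair are this example's own assumptions; the hash-suffixed input is constructed.

```python
import math
import re
from collections import Counter

# Reduced subsets of the banlists in the detector configuration on this page; the real
# lists are far longer, these are just enough to exercise each validation step.
BANNED_EMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                        "yopmail.com", "mailinator.com", "something.com"}
BANNED_USERNAME_PATTERNS = [r"^none", r"^null", r"^admin", r"test", r"no[_.-]reply",
                            r"noreply", r"^foo@", r"^ex[ae]mpl", r"^john@doe"]
BANNED_PASSWORD_PATTERNS = [r"^none", r"^null", r"^empty", r"pass", r"^admin", r"test",
                            r"1234", r"^process\.env\.", r"^[^a-z0-9]+$"]
LEFT_CONTEXT_BANLIST = ["passenger", "pgadmin", "redis", "postgres", "hash", "crypt", "passed:"]
LEFT_WINDOW = 25      # ContextWindowBanlistPostValidator: window_width 25, window_type "left"
MIN_ENTROPY = 1.0     # EntropyPostValidator: entropy 1 (bits per character)
MAX_DISTANCE = 300    # assumption: the page only says "a reasonable distance"

# One assignment of the form {variable} {= or :} {value}, e.g. "password=hunter2".
ASSIGNMENT_RE = re.compile(r"(?P<var>[A-Za-z_][\w.-]*)\s*[:=]\s*['\"]?(?P<value>[^\s'\",;]+)")
PASSWORD_VAR_RE = re.compile(r"pass|pwd", re.I)
USERNAME_VAR_RE = re.compile(r"user|email|login|mail", re.I)
EMAIL_RE = re.compile(r"^[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}$")

# HeuristicPostValidator filters (url, date, file_name); the regexes are this example's own.
HEURISTICS = {
    "url": re.compile(r"^(?:https?://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I),
    "date": re.compile(r"^\d{4}[-/]\d{1,2}[-/]\d{1,2}$|^\d{1,2}[-/]\d{1,2}[-/]\d{2,4}$"),
    "file_name": re.compile(r"^[\w-]+\.(?:txt|csv|json|ya?ml|xml|pem|key|p12|png|jpe?g|pdf)$", re.I),
}


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the value's character distribution, in bits per character."""
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def _matches_any(patterns, value: str) -> bool:
    return any(re.search(p, value, re.I) for p in patterns)


def valid_username(value: str) -> bool:
    """username rules: must be an email whose domain is not a public/test provider."""
    if not EMAIL_RE.match(value):
        return False
    domain = value.rsplit("@", 1)[1].lower()
    if domain in BANNED_EMAIL_DOMAINS:                          # EmailDomainBanlistPostValidator
        return False
    return not _matches_any(BANNED_USERNAME_PATTERNS, value)   # ValueBanlistPostValidator


def valid_password(value: str, left_context: str) -> bool:
    """password rules: value banlist, entropy, url/date/file_name heuristics, left context."""
    if _matches_any(BANNED_PASSWORD_PATTERNS, value):          # ValueBanlistPostValidator
        return False
    if shannon_entropy(value) < MIN_ENTROPY:                   # EntropyPostValidator
        return False
    if any(h.search(value) for h in HEURISTICS.values()):      # HeuristicPostValidator
        return False
    # ContextWindowBanlistPostValidator: "hash", "crypt", "passed:"... just left of the value
    window = left_context[-LEFT_WINDOW:].lower()
    return not any(word in window for word in LEFT_CONTEXT_BANLIST)


def detect(text: str):
    """Return the closest valid (username, password) couple in text, or None."""
    low = text.lower()
    # ContentWhitelistPreValidators: the document must mention email/user and pass
    if not (("email" in low or "user" in low) and "pass" in low):
        return None
    usernames, passwords = [], []
    for m in ASSIGNMENT_RE.finditer(text):
        var, value, start = m.group("var"), m.group("value"), m.start("value")
        if PASSWORD_VAR_RE.search(var):
            if valid_password(value, text[:start]):
                passwords.append((start, value))
        elif USERNAME_VAR_RE.search(var) and valid_username(value):
            usernames.append((start, value))
    # Only the closest couple is flagged (assumption: closest among the valid candidates)
    couples = [(abs(u - p), user, pwd) for u, user in usernames for p, pwd in passwords]
    couples = [c for c in couples if c[0] <= MAX_DISTANCE]
    if not couples:
        return None
    _, user, pwd = min(couples)
    return user, pwd


# Constructed inputs: the page's two "WILL be caught" and two "WILL NOT be caught" examples,
# plus one of our own where the "hash" left-context rule rejects a stored password hash.
CAUGHT = [
    "email=some.french.name@gitguardian.com    password=abuaoentsubaoeub24234$@3!",
    "user=whatever@gitguardian.com    pass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth",
]
NOT_CAUGHT = [
    "email=some.french.name@gmail.com    password=abuaoentsubaoeub24234$@3!",
    "user=whatever@gitguardian.com    pass=www.google.com",
    "user=alice@acme-corp.com\npassword_hash=3c9d2f71a0b44e8d",
]

if __name__ == "__main__":
    for doc in CAUGHT + NOT_CAUGHT:
        print(repr(doc[:40]), "->", detect(doc))
```

Running the script prints a couple for each "WILL be caught" input and `None` for the others; the last input shows why the left-context window matters: `password_hash=` is an assignment of a password-like variable, but the word `hash` in the 25 characters before the value marks it as a digest rather than a plaintext secret.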

Details for Company email password

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 2

  • Occurrences found for one million commits: 190

  • Prefixed: False

  • PreValidators:

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: ["gzip"]
  banlist_filenames: ["(?i:fixture)", "(?i:test)", "(?i:seed)"]
  check_binaries: False
- type: ContentWhitelistPreValidator
  patterns:
    - email
    - user
- type: ContentWhitelistPreValidator
  patterns:
    - pass
```

  • PostValidators:

```yaml
password:
  - type: CommonValueBanlistPostValidator
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - pass
      - senha # password in portuguese
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - ^final$
      - ^string$
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^new$
      - ^temp$
      - ^function$
      - ^undefined$
      - ^auth_email$
      - ^false$
      - ^request$
      - test
      - ^req$
      - "1234"
      - ^#
      - ^vault
      - ^value$
      - ^java
      - ^ansible
      - ^demo
      - "123213123"
      - ^guest
      - ^visit$
      - ^coffee123$
      - ^123bla456bla$
      - ^description$
      - '^\$(1|2|sha1|5|6|2(a|b|x|y))\$[0-9]{1,2}\$' # https://en.wikipedia.org/wiki/Bcrypt
      - '^pbkdf2_sha256\$' # hashed password
      - "^aqaaaaeaaccqaaaae" # hashed password
      - ^DateTime$
      - ^CompanyEmail$
      - ^string
      - ^equalTo$
      - ^Content-Type$
      - ^Role\.User$
      - ^e\.target\.value$
      - ^temp@123$
      - \.find_element_by_css$
      - ^process\.env\.
      - ^get\-content$
      - ^encodingutils\.sha256
      - '\*{7}'
      - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
      - ^[^a-z0-9]+$
  - type: EntropyPostValidator
    entropy: 1
  - type: HeuristicPostValidator
    filters:
      - url
      - date
      - file_name
  - type: DictFilterPostValidator
    threshold_words_pct_matched: 1
  - type: ContextWindowBanlistPostValidator
    patterns:
      [
        "passenger",
        "pgadmin",
        "mango",
        "redis",
        "postgres",
        "hash",
        "crypt",
        "passed:",
      ]
    window_width: 25
    window_type: "left"
  - type: AssignmentBanlistPostValidator
    patterns:
      - ^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$
      - salt
username:
  - type: EmailDomainBanlistPostValidator
    additionnal_banned_domains:
      # non-exhaustive list of email providers and their domains
      # google
      - gmail.com
      # microsoft
      - outlook.com
      - outlook.fr
      - hotmail.fr
      - hotmail.ca
      - hotmail.de
      - hotmail.gr
      - hotmail.com
      - hotmail.co.uk
      - outlook.com.tr
      - outlook.com.br
      - live.fr
      - live.in
      - live.dk
      - live.de
      - live.cn
      - live.com
      - live.co.uk
      - live.com.ar
      - live.com.mx
      - live.com.ar
      - live.com.pt
      - msn.com
      # yahoo
      - yahoo.com
      - yahoo.fr
      - yahoo.es
      - yahoo.it
      - yahoo.co.uk
      - yahoo.co.jp
      - yahoo.com.tw
      - yahoo.com.br
      - yahoo.com.hk
      - ymail.com
      - rocketmail.com
      # chinese email provider
      - qq.com
      - 163.com
      - 126.com
      # apple
      - me.com
      - icloud.com
      # yandex
      - yandex.ru
      - yandex.com
      # GMX
      - gmx.com
      - gmx.fr
      - gmx.us
      - caramail.fr
      - caramail.com
      # disposable mail
      - yopmail.com
      - mailinator.com
      # others
      - orange.fr
      - mail.com
      - mail.ru
      - naver.com
      - aol.com
      - protonmail.com
      - foxmail.com
      - chmail.ir
      # test domain
      - something.com
      - abc.com
      - pgadmin.org
      - emailaccount.com
      - person.com
  - type: CommonValueBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - ^pass
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - '@\.*local'
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^random
      - ^info
      - ^bla
      - ^support
      - ^vault
      - test
      - sample
      - dummy
      - no[_.-]reply
      - ghost
      - abcdef
      - noaddressemail
      - noreply
      - contact-email
      - fake
      - ^xxx
      - ^wolf@thedoor.com$
      - ^company@company.com$
      - ^john@doe
      - ^temp@temp
      - ^google@google
      - ^foo@
      - ^ex[ae]mpl
      - ^me@
      - ^foo@bar
      - ^abc@
      - \.demo$
      - \.abc$
      - \.za$
      - \.baz$
      - \.nya$
      - \.tld$
```