Generic password

Description

General

The generic password detector aims at catching any strings being assigned to a password variable.

This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter we are looking at.

Specifications

First, the detector starts by identifying documents that contains the strings pass or pwd and for which the filename is not indicating that the document is a test file or package file (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation steps.

More precisely, we refer to an assignment as any statement of the form assigned_variable assignment_token value, like for instance : my_password = "password123".

assigned_variable

  • Must contain the pwd, passwd, or password to be considered sensitive and therefore valid.

value

  • Should not be in one of Gitguardian's common password or value banlist (see banlist hereunder).
  • Should not contain to a certain extent words from GitGuardian's dictionary banlist (see banlist hereunder).
  • Should not be a word from a specific banlist, usually to avoid placeholder for when password are checked such as Password is invalid in multiple languages or encrypted passwords.
  • Should not contain specific words around the value found such as example or version.

Revoke the secret

This detector catches generic passwords, hence GitGuardian cannot infer the concerned service. To properly revoke the password :

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the secret.

Examples

Examples that WILL be catched

- text: |
password = lol123ok!
password: lol123ok!
- text: |
pwd = lol123ok!
password: lol123ok!
- text: |
passwd = lol123ok!
password: lol123ok!

Examples that WILL NOT be catched

  • password is encrypted
- text: |
password = AESlol123ok!
  • A banlisted word is present in the context
- text: |
example pwd = lol123ok!

Details for Generic password

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 14535

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
banlist_filenames:
- testadd
- composer
- Cargo
- package
- package-lock
check_binaries: False
- type: ContentWhitelistPreValidator
patterns:
- password
- passwd
- pwd
- type: CommonPasswordBanlistPostValidator
- type: CommonValueBanlistPostValidator
- type: DictFilterPostValidator
- type: ValueBanlistPostValidator
patterns:
- mot
- invalide
- passwort
- ung
- new
- nil
- vous
- anv
- md4
- md5
- aes
- sha
- n/a
- \$\$[a-z]
- votre
- str
- "1234"
- "[0]{4}"
- "[1]{4}"
- utf-8
- watchtwoord
- nouveau
- nueva
- app
- tmp
- type: ContextWindowBanlistPostValidator
patterns:
- timeout
- expire
- example
- error
- \&\#[0-9]
- version
- section
- geometry
- mismatch
- short
- length
- invalid
- long
- old
- change
- status
- forgot
- hash
window_width: 30