
Generic password

Description#

General#

The generic password detector aims to catch any string assigned to a password variable.

This definition is deliberately broad, so to avoid raising many false positives GitGuardian applies a range of validation steps and specifications that narrow the perimeter it looks at.

Specifications#

First, the detector identifies documents that contain the strings password, passwd or pwd and whose filename does not indicate a test file or a package file (see the prevalidator hereunder). It then applies common detection techniques to those documents, followed by post-validation steps.

More precisely, we refer to an assignment as any statement of the form assigned_variable assignment_token value, for instance: my_password = "password123".

assigned_variable

  • Must contain pwd, passwd, or password to be considered sensitive and therefore valid.

assignment_token

GitGuardian's secrets detection engine accepts a wide variety of assignment tokens corresponding to different types of assignments and different languages. Here is a non-exhaustive list of valid assignment tokens: :, =, ||, =>, :=, <-.

value

  • Should not be in one of GitGuardian's common password or common value banlists (see banlist hereunder).
  • Should not, beyond a certain proportion of its words, consist of words from GitGuardian's dictionary banlist (see banlist hereunder).
  • Should not match a specific value banlist, which mostly filters out placeholders produced when passwords are checked (such as Password is invalid in several languages) and hashed or encrypted passwords (values carrying md5, sha, aes and similar markers).
  • Should not have specific words, such as example or version, within a short window of context around the value.

Revoke the secret#

This detector catches generic passwords, so GitGuardian cannot infer which service is concerned. To properly revoke the password:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the secret.

Examples#

Examples that WILL be caught

```
password = lol123ok!
password: lol123ok!
```

```
pwd = lol123ok!
password: lol123ok!
```

```
passwd : lol123ok!
password: lol123ok!
```

Examples that WILL NOT be caught

  • The password is encrypted (the value carries a banlisted algorithm name, here AES):

```
password = AESlol123ok!
```

  • A banlisted word is present in the context window:

```
example pwd = lol123ok!
```
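The rules above (a keyword in the variable name, an accepted assignment token, then the common-password, heuristic, value, dictionary and context-window banlists) can be followed end to end in the Python model below. It is an added example written for this page, not GitGuardian's engine: every banlist is a trimmed, constructed subset of the ones listed under Details, the heuristic filters are simple stand-ins, and the sample text is constructed to cover the caught and not-caught examples above plus a few extra cases (a Ruby `||=` assignment, a process.env reference, the MD5 of the word password assigned to passwordHash, a multi-word placeholder, and a variable name hit by the assignment banlist).

```python
"""Illustrative model of the Generic password detector described on this page.

Added example, not GitGuardian's code. Banlists are trimmed, constructed
subsets of those listed under Details; the heuristic filters are stand-ins.
"""
import re
from typing import Optional

# assigned_variable must contain pwd, passwd or password; the token is one of
# the page's examples (:, =, ||, =>, :=, <-); the value is the next token, or a
# quoted string so that multi-word placeholders are captured whole.
ASSIGNMENT_RE = re.compile(
    r"(?P<var>[\w.\-]*(?:password|passwd|pwd)[\w.\-]*)\s*"
    r"(?P<token>:=|=>|<-|\|\|=?|[:=])\s*"
    r"""(?P<value>"[^"]+"|'[^']+'|[^\s"',;]+)""",
    re.IGNORECASE,
)

# CommonPasswordBanlistPostValidator (constructed subset).
COMMON_PASSWORDS = {"password", "password123", "changeme", "secret", "admin", "123456"}
# HeuristicPostValidator filters (simple stand-ins for number/hex_color/url/file_path).
HEURISTIC_FILTERS = {
    "number": re.compile(r"^-?[0-9]+(\.[0-9]+)?$"),
    "hex_color": re.compile(r"^#?[0-9a-fA-F]{6}$"),
    "url": re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE),
    "file_path": re.compile(r"^(\.{0,2}/|[A-Za-z]:\\)"),
}
# ValueBanlistPostValidator patterns (subset of the page's list).
VALUE_BANLIST = [r"md5", r"aes", r"sha", r"nil", r"n/a", r"process\.env",
                 r"^\$2[ayb]\$", r"^[~^]?[0-9]+\.[0-9]+\.[0-9]+$",
                 r"^[^a-z0-9]+$", r"^\$.*\$$", r"^\*\*\*", r"^--"]
# DictFilterPostValidator: drop values made mostly of dictionary words.
DICT_WORDS = {"the", "your", "password", "is", "please", "enter", "new", "invalid"}
DICT_THRESHOLD = 0.6  # threshold_words_pct_matched
# ContextWindowBanlistPostValidator patterns (subset) and window_width.
CONTEXT_BANLIST = [r"timeout", r"expire", r"example", r"error", r"version",
                   r"invalid", r"old", r"forgot", r"hash"]
CONTEXT_WINDOW = 30
# AssignmentBanlistPostValidator: short camel-cased names ending in Pwd variants.
ASSIGNMENT_BANLIST = [r"^[a-zA-Z0-9]{1,5}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD)$"]


def reject_reason(var: str, value: str, context: str) -> Optional[str]:
    """Run the post-validation steps in order; return why the match is dropped, or None."""
    if any(re.search(p, var) for p in ASSIGNMENT_BANLIST):
        return "assignment banlist"
    if value.lower() in COMMON_PASSWORDS:
        return "common password banlist"
    for name, rx in HEURISTIC_FILTERS.items():
        if rx.search(value):
            return f"heuristic: {name}"
    for p in VALUE_BANLIST:
        if re.search(p, value, re.IGNORECASE):
            return f"value banlist: {p}"
    words = re.findall(r"[a-z]+", value.lower())
    if words and sum(w in DICT_WORDS for w in words) / len(words) >= DICT_THRESHOLD:
        return "dictionary filter"
    for p in CONTEXT_BANLIST:
        if re.search(p, context, re.IGNORECASE):
            return f"context banlist: {p}"
    return None


def scan(text: str) -> list:
    """Return every candidate assignment with the reason it was rejected (None = reported)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group("value").strip("\"'")
            lo = max(0, m.start("value") - CONTEXT_WINDOW)
            hi = m.end("value") + CONTEXT_WINDOW
            findings.append({"line": lineno, "variable": m.group("var"), "value": value,
                             "rejected": reject_reason(m.group("var"), value, line[lo:hi])})
    return findings


def detect(text: str) -> list:
    """Only the findings that survive post-validation, i.e. what the detector would report."""
    return [f for f in scan(text) if f["rejected"] is None]


# Constructed sample: the page's examples plus a few extra cases.
SAMPLE = """\
password = lol123ok!
pwd = lol123ok!
passwd : lol123ok!
password = AESlol123ok!
example pwd = lol123ok!
my_password = "password123"
db_password := process.env.DB_PASSWORD
passwordHash = 5f4dcc3b5aa765d61d8327deb882cf99
timeout_pwd = 30
@password ||= 'S3cr3t!x'
password = "Your password is invalid"
ab1XPwd = "Zq9!vv2k"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        status = "REPORTED" if f["rejected"] is None else f"dropped ({f['rejected']})"
        print(f"line {f['line']:>2}: {f['variable']} -> {f['value']!r}: {status}")
```

Running the block prints one verdict per sample line: the three "WILL be caught" examples and the Ruby `||=` assignment are reported, while the AES-prefixed value, the `example` context, the common password, the process.env reference, the hash, the numeric value, the multi-word placeholder and the banlisted variable name are all dropped by the step named in the output.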

Details for Generic password#

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 6204

  • Prefixed: False

  • PostValidators:

```yaml
- type: CommonPasswordBanlistPostValidator
- type: CommonValueBanlistPostValidator
- type: HeuristicPostValidator
  filters:
    - hex_color
    - heuristic_path
    - number
    - file_name
    - url
    - file_path
- type: DictFilterPostValidator
  threshold_words_pct_matched: 0.6
- type: ValueBanlistPostValidator
  patterns:
    - mot
    - invalide
    - passwort
    - ung
    - new
    - nil
    - vous
    - anv
    - md4
    - md5
    - aes
    - sha
    - n/a
    - \$\$[a-z]
    - votre
    - str
    - "1234"
    - "[0]{4}"
    - "[1]{4}"
    - utf-8
    - watchtwoord
    - nouveau
    - nueva
    - app
    - tmp
    - ^\$2[ayb]\$
    - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
    - "^[^a-z0-9]+$"
    - field
    - httpsession
    - "`pwd`"
    - ^base_url$
    - process\.env
    - ^[a-z]\.[a-z_.-]+$
    - ^0x[0-9a-f]{8}
    - ^user
    - ^this\.
    - salt
    - ^[%+].+[%+]$
    - ^\$[0-9]\$
    - (?-i:^\$([a-z]+\.)+[a-z]+$)
    - ^\$.*\$$
    - (?-i:^[&*+][a-z_.-]+$)
    - ^\*\*\*
    - ^--
    - ^\.\.
    - ^\.\$
    - ^var\.
    - ^0x[a-z0-9]{5}
    - ^!\$
- type: ContextWindowBanlistPostValidator
  patterns:
    - timeout
    - expire
    - example
    - error
    - \&\#[0-9]
    - version
    - section
    - geometry
    - mismatch
    - short
    - length
    - invalid
    - long
    - old
    - change
    - status
    - forgot
    - hash
  window_width: 30
- type: AssignmentBanlistPostValidator
  patterns:
    - ^(?-i:[a-zA-Z0-9]{1,5}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$
```