Generic password
#
Description#
GeneralThe generic password detector
aims at catching any strings being assigned to a password variable.
This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter to look at.
#
SpecificationsFirst, the detector starts by identifying documents that contains the strings password
, passwd
or pwd
and for which the filename is not indicating that the document is a test file or package file (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation steps.
More precisely, an assignment is any statement of the form assigned_variable assignment_token value
, like for instance: my_password = "password123"
.
assigned_variable
- Must contain the
pwd
,passwd
, orpassword
to be considered sensitive and therefore valid.
assignment_token
GitGuardian's secrets detection engine accepts a wide variety of assignment tokens that correspond to different types of assignments or different languages. Here is a non exhaustive list of valid assignment tokens: :
, =
, ||
, =>
, :=
, <-
.
value
- Should not be in one of GitGuardian's common password or value banlist (see banlist hereunder).
- Should not contain to a certain extent words from GitGuardian's dictionary banlist (see banlist hereunder).
- Should not be a word from a specific banlist, usually to avoid placeholder for when password are checked such as
Password is invalid
in multiple languages or encrypted passwords. - Should not contain specific words around the value found such as
example
orversion
.
#
Revoke the secretThis detector catches generic passwords, hence GitGuardian cannot infer the concerned service. To properly revoke the password:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the secret.
#
ExamplesExamples that WILL be caught
- text: | password = lol123ok! password: lol123ok!
- text: | pwd = lol123ok! password: lol123ok!
- text: | passwd : lol123ok! password: lol123ok!
Examples that WILL NOT be caught
- password is encrypted
- text: | password = AESlol123ok!
- A banlisted word is present in the context
- text: | example pwd = lol123ok!
Generic password
#
Details for High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 6204
Prefixed: False
- type: CommonPasswordBanlistPostValidator- type: CommonValueBanlistPostValidator- type: HeuristicPostValidator filters: - hex_color - heuristic_path - number - file_name - url - file_path- type: DictFilterPostValidator threshold_words_pct_matched: 0.6- type: ValueBanlistPostValidator patterns: - mot - invalide - passwort - ung - new - nil - vous - anv - md4 - md5 - aes - sha - n/a - \$\$[a-z] - votre - str - "1234" - "[0]{4}" - "[1]{4}" - utf-8 - watchtwoord - nouveau - nueva - app - tmp - ^\$2[ayb]\$ - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$ - "^[^a-z0-9]+$" - field - httpsession - "`pwd`" - ^base_url$ - process\.env - ^[a-z]\.[a-z_.-]+$ - ^0x[0-9a-f]{8} - ^user - ^this\. - salt - ^[%+].+[%+]$ - ^\$[0-9]\$ - (?-i:^\$([a-z]+\.)+[a-z]+$) - ^\$.*\$$ - (?-i:^[&*+][a-z_.-]+$) - ^\*\*\* - ^-- - ^\.\. - ^\.\$ - ^var\. - ^0x[a-z0-9]{5} - ^!\$- type: ContextWindowBanlistPostValidator patterns: - timeout - expire - example - error - \&\#[0-9] - version - section - geometry - mismatch - short - length - invalid - long - old - change - status - forgot - hash window_width: 30- type: AssignmentBanlistPostValidator patterns: - ^(?-i:[a-zA-Z0-9]{1,5}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$