Username Password
Description

General

The username password detector aims at catching any pair of username/password for which the username is not an email. This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter to look at.
Specifications

The two components of the couple that the detector catches are referred to as `username` and `password`, and should be at a reasonable distance from each other inside a document to be flagged.
For this detector, each element must follow a specific set of rules to be considered as sensitive and therefore valid:

For both matches:
- Must be part of an assignment, namely of the form `{assigned_variable} {assignment_token} {value}`, where `{assigned_variable}` is either `username`, `password`, or other similar strings.
- The username and password must not be the same.

username:
- The username must not be an email, nor composed of common words (see banlist hereunder). For couples using an email, see the Company Email Password detector.

password:
- A set of rules filters irrelevant passwords such as `password`, or cases where the password is a URL, a date, or a file name (see banlist hereunder).
Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples

Examples that WILL be caught

```yaml
- text: |
    username: totolao
    password: AStrangeWith1Char
```

Examples that WILL NOT be caught

- The username and the password are too far from each other.

```yaml
- text: |
    username=some.french
    A very long text which increases the distance between the matches. Of course this text does not mean anything.
    password=abuaoentsubaoeub24234$@3!
```

- The username is an email.

```yaml
- text: |
    username=whatever@gitguardian.com
    pass=@StrongOneThisT1me
```
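As an added illustration (not GitGuardian's detector engine), the following Python sketch applies the pairing rules described above to the three example texts: assignment form, distinct values, a distance window, the email exclusion, a subset of the banlists, and the entropy threshold. The key aliases, the 100-character window, the email regex and the banlist subsets are assumptions; only the entropy value comes from the page.

```python
import math
import re

# Added example, not GitGuardian's detector: a simplified scanner for the rules on this
# page. Key aliases, the distance window, the email regex and the banlist subsets are
# assumptions chosen for illustration; the entropy threshold is the page's own value.
USERNAME_KEYS = ("username", "user", "login")            # assumed aliases
PASSWORD_KEYS = ("password", "passwd", "pass", "pwd")    # assumed aliases
MAX_DISTANCE = 100   # assumed; the page only says "a reasonable distance"
MIN_ENTROPY = 1.0    # from the page: EntropyPostValidator entropy: 1
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Small subsets of the page's ValueBanlistPostValidator patterns, case-insensitive
PASSWORD_BAN = [re.compile(p, re.I) for p in (
    r"^\$[A-Z]{3}", r"^none", r"^null", r"^empty", r"pass", r"^root", r"^admin",
    r"^true", r"^false", r"test", r"^\$2a\$10\$", r"^[^a-z0-9]+$")]
USERNAME_BAN = [re.compile(p, re.I) for p in (
    r"^none", r"^null", r"^user", r"^root", r"^admin", r"test", r"dummy",
    r"sample", r"^[_.-]", r"[_.-]$", r"^no-reply")]
# {assigned_variable} {assignment_token} {value}: a key alias, ':' or '=', then a value
ASSIGNMENT = re.compile(
    r"(?i)\b(" + "|".join(USERNAME_KEYS + PASSWORD_KEYS) + r")\s*[:=]\s*[\"']?([^\s\"',;]+)")


def shannon_entropy(value):
    """Shannon entropy of the string in bits per character."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def valid_username(value):
    return not EMAIL.match(value) and not any(r.search(value) for r in USERNAME_BAN)

def valid_password(value):
    return shannon_entropy(value) > MIN_ENTROPY and not any(r.search(value) for r in PASSWORD_BAN)

def find_pairs(text):
    """Return (username, password) pairs that pass every rule, in document order."""
    users, passwords = [], []
    for m in ASSIGNMENT.finditer(text):
        key, value = m.group(1).lower(), m.group(2)
        (passwords if key in PASSWORD_KEYS else users).append((m.start(), value))
    return [(u, p) for upos, u in users for ppos, p in passwords
            if abs(upos - ppos) <= MAX_DISTANCE and u != p
            and valid_username(u) and valid_password(p)]


# Constructed inputs, taken from the examples on this page
CAUGHT = "username: totolao password: AStrangeWith1Char"
TOO_FAR = ("username=some.french A very long text which increases the distance "
           "between the matches. Of course this text does not mean anything. "
           "password=abuaoentsubaoeub24234$@3!")
EMAIL_USER = "username=whatever@gitguardian.com pass=@StrongOneThisT1me"
```

Calling `find_pairs` on the three constants reproduces the page's verdicts: only `CAUGHT` yields a pair.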
Details for Username password

High Recall: False
Validity Check: False
Minimum Number of Matches: 2
Occurrences found for one million commits: 473
Prefixed: False
```yaml
- type: ContentWhitelistPreValidator
  patterns:
  - username
- type: ContentWhitelistPreValidator
  patterns:
  - password
  - passwd
- type: BanMinifiedPreValidator
```

```yaml
password:
- type: DictFilterPostValidator
  threshold_words_pct_matched: 1.0
- type: ContextWindowBanlistPostValidator
  patterns: ["error", "invalid"]
  window_width: 40
  window_type: "left"
- type: AssignmentBanlistPostValidator
  patterns:
  - "hash"
  - "salt"
  - "^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$"
- type: CommonValueBanlistPostValidator
- type: CommonPasswordBanlistPostValidator
- type: ValueBanlistPostValidator
  patterns:
  - ^\$[A-Z]{3} # env var
  - redacted
  - ^local
  - ^none
  - ^null
  - ^empty
  - ^user
  - pass
  - ^root
  - ^admin
  - ^true
  - ^false
  - ^and
  - ^prompt
  - ^final$
  - ^string$
  - ^self
  - ^email
  - ^raw
  - ^your
  - ^new$
  - ^temp$
  - ^function$
  - ^undefined$
  - ^auth_email$
  - ^false$
  - ^request$
  - test
  - ^req$
  - "1234"
  - ^\$2a\$10\$ # BCrypt hash
  - ^\$2a\$05\$
  - ^\$2y\$13\$ # SHA-1
  - ^\$2y\$10\$ # SHA-1
  - ^#
  - ^vault
  - ^value$
  - ^java
  - ^ansible
  - ^demo
  - "123213123"
  - ^guest
  - ^visit$
  - ^Coffee123$
  - ^123bla456bla$
  - value
  - ^form
  - ^request
  - ^errors
  - ^before
  - ^wrong pass
  - ^string
  - ^await$
  - ^foo
  - ^change
  - ^disabled
  - ^required
  - ^postgres
  - ^django\.
  - ^please
  - ^validated
  - "%s"
  - ^cleaned
  - \.string$
  - ^wrong
  - ^args\.
  - ^bool(ean)?
  - \/run\/
  - ^url
  - credentialsId
  - field
  - ^open
  - callback
  - validator
  - placeholder
  - anonymous
  - class
  - ^get
  - phone
  - swift
  - type
  - label
  - attribute
  - ^html
  - ^open
  - ^attr
  - text
  - nombre
  - ^ask
  - config
  - input
  - ^enter
  - ^login
  - ^token
  - ^throw
  - credential
  - confirmer
  - ^const
  - ^new
  - ^uid
  - type$
  - model$
  - ^reg
  - ^search
  - nsstring
  - candidate$
  - form$
  - expression
  - ^share
  - presence
  - mysqli_real_escape
  - onchange
  - account
  - base64
  - email$
  - create
  - ^nil$
  - removed
  - mystring
  - function
  - ^-*$
  - sha256
  - "^[0-9]{1,3}.[0-9]{1,3}s"
  - encrypted
  - bcrypt
  - object
  - secure
  - ^salt$
  - ^emit$
  - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
  - ^[^a-z0-9]+$
- type: EntropyPostValidator
  entropy: 1
username:
- type: DictFilterPostValidator
  threshold_words_pct_matched: 1.0
- type: ContextWindowBanlistPostValidator
  patterns: ["default", "error", "invalid"]
  window_width: 40
  window_type: "left"
- type: CommonValueBanlistPostValidator
- type: CommonUsernameBanlistPostValidator
- type: ValueBanlistPostValidator
  patterns:
  - "^none"
  - "1234"
  - ^null
  - ^empty
  - ^user
  - pass
  - ^root
  - ^admin
  - ^true
  - ^false
  - ^and
  - ^self
  - ^raw
  - ^your
  - test
  - sample
  - dummy
  - value
  - name
  - email
  - ^form
  - ^\.?request
  - ^before
  - ^string
  - ^await$
  - ^this
  - ^int
  - ^replace
  - ^foo
  - ^change
  - ^disabled
  - ^required
  - \.string$
  - ^django\.
  - ^please
  - ^validated
  - "%s"
  - ^cleaned
  - ^table\.
  - ^driver\.
  - ^args\.
  - ^bool(ean)?
  - ^url
  - credentialsId
  - field
  - ^open
  - callback
  - validator
  - placeholder
  - anonymous
  - class
  - ^get
  - phone
  - swift
  - type
  - label
  - attribute
  - ^html
  - ^open
  - ^attr
  - text
  - nombre
  - ^ask
  - config
  - input
  - ^enter
  - ^login
  - ^token
  - ^throw
  - credential
  - confirmer
  - ^const
  - ^new
  - ^uid
  - type$
  - model$
  - ^reg
  - ^search
  - nsstring
  - candidate$
  - form$
  - expression
  - ^share
  - presence
  - mysqli_real_escape
  - onchange
  - account
  - base64
  - email$
  - create
  - ^nil$
  - removed
  - mystring
  - function
  - ^local
  - ^[_.-]
  - "[_.-]$"
  - ^void
  - ^from
  - ^char$
  - ^usr$
  - ^no-reply
  - ^hash$
```