Username Password

Description#

General#

The username password detector aims at catching any username/password pair in which the username is not an email address.

This definition is very broad, so to avoid raising many false alerts GitGuardian applies a range of validation steps and specifications that narrow the perimeter the detector looks at.

Specifications#

The two components of the pair that the detector catches are referred to as username and password, and they must be within a reasonable distance of each other inside a document to be flagged.

For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:

For both matches:

  • Must be part of an assignment, namely of the form {assigned_variable} {assignment_token} {value}, where {assigned_variable} is either username, password, or a similar string.
  • The username and password must not be the same.

username:

password:

  • A set of rules filters out irrelevant passwords, such as the literal string password, or a password that is a URL, a date, or a file name (see the banlist below).

Revoke the secret#

This detector catches generic credentials, so GitGuardian cannot infer which service is concerned. To properly revoke the credentials:

  1. Identify which service is impacted.
  2. Refer to that service's documentation to learn how to revoke and rotate the credentials.

Examples#

Examples that WILL be caught

    - text: |
        username: totolao
        password: AStrangeWith1Char
      username: totolao
      password: AStrangeWith1Char

Examples that WILL NOT be caught

  • The username and the password are too far from each other.

    - text: |
        username=some.french
        A very long text which increases
        the distance between the matches.
        Of course this text does not mean anything.
        password=abuaoentsubaoeub24234$@3!

  • The username is an email.

    - text: |
        username=whatever@gitguardian.com
        pass=@StrongOneThisT1me
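The pairing rules from the Specifications section, applied to the three example documents above, as an added Python illustration that is not GitGuardian's detector code. The assignment regexes, the 80-character distance limit and the email pattern are assumptions (the page gives no numbers or patterns for them); the sample documents are the page's own examples with the YAML block literals written out as multi-line strings.

```python
import re

# Assumption (the page gives no number): a username and a password assignment
# are paired only when at most MAX_DISTANCE characters separate the end of the
# username value from the start of the password key.
MAX_DISTANCE = 80

# Assignment of the form {assigned_variable} {assignment_token} {value}. The
# variable names below are a small stand-in for the detector's "similar strings".
USERNAME_RE = re.compile(r"\b(?:username|user|login)\s*[:=]\s*(\S+)", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pass)\s*[:=]\s*(\S+)", re.IGNORECASE)
# Deliberately loose email shape: something@something.something, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def analyze(text: str):
    """Pair each username assignment with the nearest password assignment that
    follows it and apply the page's rules.

    Returns (accepted, rejected): accepted is a list of (username, password)
    tuples that would be flagged; rejected is a list of
    (username, password, reason) tuples explaining why a candidate was dropped.
    """
    accepted, rejected = [], []
    passwords = list(PASSWORD_RE.finditer(text))
    for u in USERNAME_RE.finditer(text):
        username = u.group(1)
        following = [p for p in passwords if p.start() >= u.end()]
        if not following:
            rejected.append((username, None, "no password assignment follows"))
            continue
        p = min(following, key=lambda m: m.start() - u.end())
        password = p.group(1)
        distance = p.start() - u.end()
        if distance > MAX_DISTANCE:
            rejected.append((username, password,
                             f"matches are {distance} characters apart (limit {MAX_DISTANCE})"))
        elif EMAIL_RE.match(username):
            rejected.append((username, password, "username is an email"))
        elif username == password:
            rejected.append((username, password, "username and password are identical"))
        else:
            accepted.append((username, password))
    return accepted, rejected


# The three example documents from this page.
CAUGHT = "username: totolao\npassword: AStrangeWith1Char"
TOO_FAR = (
    "username=some.french\n"
    "A very long text which increases\n"
    "the distance between the matches.\n"
    "Of course this text does not mean anything.\n"
    "password=abuaoentsubaoeub24234$@3!"
)
EMAIL = "username=whatever@gitguardian.com\npass=@StrongOneThisT1me"

if __name__ == "__main__":
    for label, doc in (("caught", CAUGHT), ("too far", TOO_FAR), ("email", EMAIL)):
        accepted, rejected = analyze(doc)
        print(label, "->", accepted or [r[2] for r in rejected])
```

Only the first document yields an accepted pair; the second is dropped because 112 characters separate the two matches, the third because the username is an email. A fourth case the page states but does not illustrate, identical username and password values, is handled by the last rule.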

Details for Username password#

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 2

  • Occurrences found for one million commits: 473

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - username
    - type: ContentWhitelistPreValidator
      patterns:
        - password
        - passwd
    - type: BanMinifiedPreValidator

  • PostValidators:

    password:
      - type: DictFilterPostValidator
        threshold_words_pct_matched: 1.0
      - type: ContextWindowBanlistPostValidator
        patterns: ["error", "invalid"]
        window_width: 40
        window_type: "left"
      - type: AssignmentBanlistPostValidator
        patterns:
          - "hash"
          - "salt"
          - "^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$"
      - type: CommonValueBanlistPostValidator
      - type: CommonPasswordBanlistPostValidator
      - type: ValueBanlistPostValidator
        patterns:
          - ^\$[A-Z]{3} # env var
          - redacted
          - ^local
          - ^none
          - ^null
          - ^empty
          - ^user
          - pass
          - ^root
          - ^admin
          - ^true
          - ^false
          - ^and
          - ^prompt
          - ^final$
          - ^string$
          - ^self
          - ^email
          - ^raw
          - ^your
          - ^new$
          - ^temp$
          - ^function$
          - ^undefined$
          - ^auth_email$
          - ^false$
          - ^request$
          - test
          - ^req$
          - "1234"
          - ^\$2a\$10\$ # BCrypt hash
          - ^\$2a\$05\$
          - ^\$2y\$13\$ # SHA-1
          - ^\$2y\$10\$ # SHA-1
          - ^#
          - ^vault
          - ^value$
          - ^java
          - ^ansible
          - ^demo
          - "123213123"
          - ^guest
          - ^visit$
          - ^Coffee123$
          - ^123bla456bla$
          - value
          - ^form
          - ^request
          - ^errors
          - ^before
          - ^wrong pass
          - ^string
          - ^await$
          - ^foo
          - ^change
          - ^disabled
          - ^required
          - ^postgres
          - ^django\.
          - ^please
          - ^validated
          - "%s"
          - ^cleaned
          - \.string$
          - ^wrong
          - ^args\.
          - ^bool(ean)?
          - \/run\/
          - ^url
          - credentialsId
          - field
          - ^open
          - callback
          - validator
          - placeholder
          - anonymous
          - class
          - ^get
          - phone
          - swift
          - type
          - label
          - attribute
          - ^html
          - ^open
          - ^attr
          - text
          - nombre
          - ^ask
          - config
          - input
          - ^enter
          - ^login
          - ^token
          - ^throw
          - credential
          - confirmer
          - ^const
          - ^new
          - ^uid
          - type$
          - model$
          - ^reg
          - ^search
          - nsstring
          - candidate$
          - form$
          - expression
          - ^share
          - presence
          - mysqli_real_escape
          - onchange
          - account
          - base64
          - email$
          - create
          - ^nil$
          - removed
          - mystring
          - function
          - ^-*$
          - sha256
          - "^[0-9]{1,3}.[0-9]{1,3}s"
          - encrypted
          - bcrypt
          - object
          - secure
          - ^salt$
          - ^emit$
          - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
          - ^[^a-z0-9]+$
      - type: EntropyPostValidator
        entropy: 1

    username:
      - type: DictFilterPostValidator
        threshold_words_pct_matched: 1.0
      - type: ContextWindowBanlistPostValidator
        patterns: ["default", "error", "invalid"]
        window_width: 40
        window_type: "left"
      - type: CommonValueBanlistPostValidator
      - type: CommonUsernameBanlistPostValidator
      - type: ValueBanlistPostValidator
        patterns:
          - "^none"
          - "1234"
          - ^null
          - ^empty
          - ^user
          - pass
          - ^root
          - ^admin
          - ^true
          - ^false
          - ^and
          - ^self
          - ^raw
          - ^your
          - test
          - sample
          - dummy
          - value
          - name
          - email
          - ^form
          - ^\.?request
          - ^before
          - ^string
          - ^await$
          - ^this
          - ^int
          - ^replace
          - ^foo
          - ^change
          - ^disabled
          - ^required
          - \.string$
          - ^django\.
          - ^please
          - ^validated
          - "%s"
          - ^cleaned
          - ^table\.
          - ^driver\.
          - ^args\.
          - ^bool(ean)?
          - ^url
          - credentialsId
          - field
          - ^open
          - callback
          - validator
          - placeholder
          - anonymous
          - class
          - ^get
          - phone
          - swift
          - type
          - label
          - attribute
          - ^html
          - ^open
          - ^attr
          - text
          - nombre
          - ^ask
          - config
          - input
          - ^enter
          - ^login
          - ^token
          - ^throw
          - credential
          - confirmer
          - ^const
          - ^new
          - ^uid
          - type$
          - model$
          - ^reg
          - ^search
          - nsstring
          - candidate$
          - form$
          - expression
          - ^share
          - presence
          - mysqli_real_escape
          - onchange
          - account
          - base64
          - email$
          - create
          - ^nil$
          - removed
          - mystring
          - function
          - ^local
          - ^[_.-]
          - "[_.-]$"
          - ^void
          - ^from
          - ^char$
          - ^usr$
          - ^no-reply
          - ^hash$
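How the password post-validators listed above combine on a single value, as an added Python example that is not GitGuardian's implementation. It takes a subset of the ValueBanlistPostValidator patterns from the list, the ContextWindowBanlistPostValidator settings (40 characters, left side) and the EntropyPostValidator threshold of 1. Two things are assumptions because the page does not state them: each banlist pattern is applied with re.search and case-insensitively (so "pass" bans any value containing that substring), and "entropy: 1" is read as rejecting values below 1.0 bit of Shannon entropy per character. The sample documents are constructed for the example.

```python
import math
import re

# Subset of the password ValueBanlistPostValidator patterns from the page.
# Assumption (not stated on the page): each pattern is applied with re.search
# and case-insensitively, so "pass" bans any value containing that substring.
VALUE_BANLIST = [
    r"^\$[A-Z]{3}",                      # env var reference, e.g. $AWS_SECRET
    r"redacted",
    r"^none",
    r"^null",
    r"pass",
    r"test",
    r"^\$2a\$10\$",                      # bcrypt hash prefix
    r"^\$2y\$10\$",
    r"^[~^]?[0-9]+\.[0-9]+\.[0-9]+$",    # version number such as ^1.2.3
    r"^[^a-z0-9]+$",                     # punctuation only
]
VALUE_BANLIST_RE = [re.compile(p, re.IGNORECASE) for p in VALUE_BANLIST]

# ContextWindowBanlistPostValidator settings from the page: 40 chars, left side.
CONTEXT_PATTERNS = ("error", "invalid")
CONTEXT_WINDOW = 40

# EntropyPostValidator: the page says "entropy: 1"; assumed here to mean that
# a value whose Shannon entropy (bits per character) is below 1.0 is rejected.
MIN_ENTROPY = 1.0

PASSWORD_ASSIGNMENT_RE = re.compile(r"\b(?:password|passwd|pass)\s*[:=]\s*(\S+)", re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Shannon entropy of value in bits per character (0.0 for an empty or single-symbol string)."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    entropy = 0.0
    for c in counts.values():
        p = c / n
        entropy -= p * math.log2(p)
    return entropy


def validate_password(document: str, start: int, end: int):
    """Apply the post-validators to the value at document[start:end].

    Returns (True, None) when the value survives every check, otherwise
    (False, reason) naming the first validator that rejected it.
    """
    value = document[start:end]

    for pattern in VALUE_BANLIST_RE:
        if pattern.search(value):
            return False, f"ValueBanlist: {pattern.pattern}"

    left_context = document[max(0, start - CONTEXT_WINDOW):start].lower()
    for word in CONTEXT_PATTERNS:
        if word in left_context:
            return False, f"ContextWindowBanlist: {word!r} within {CONTEXT_WINDOW} chars to the left"

    entropy = shannon_entropy(value)
    if entropy < MIN_ENTROPY:
        return False, f"Entropy: {entropy:.2f} bits/char is below {MIN_ENTROPY}"

    return True, None


def validate_document(document: str):
    """Find the first password assignment in document and validate its value."""
    m = PASSWORD_ASSIGNMENT_RE.search(document)
    if not m:
        return False, "no password assignment found"
    return validate_password(document, m.start(1), m.end(1))


# Constructed sample documents (not taken from the page), one per check.
SAMPLES = {
    "genuine": "username: totolao\npassword: AStrangeWith1Char",
    "literal word": "password = mypassword",
    "env var": "password = $AWS_SECRET",
    "bcrypt": "password: $2a$10$abcdefghijklmnopqrstuv",
    "version": "password: ^1.2.3",
    "error context": "error: invalid password=hunter2",
    "low entropy": "password=aaaaaaaa",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        ok, reason = validate_document(doc)
        print(f"{name:14} -> {'kept' if ok else 'dropped: ' + reason}")
```

The order of the checks matters for the reason reported, not for the outcome: the banlist is cheap and runs first, the context window then catches values that sit next to words like "error" or "invalid" in log lines and validation messages, and the entropy check removes repeated-character filler that no pattern names.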