chpasswd Username Password
Description
General
This detector is equivalent to the Username Password detector except that it aims at catching only credentials passed to the chpasswd command.
Specifications
For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:
For both matches:
- The username and password must not be the same.
password:
- Must pass a set of rules that filter out irrelevant passwords such as "password" (see the banlist hereunder).
- Must have a Shannon entropy of at least 2.
Revoke the secret
This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: |
    echo "user:Oc9RjXAsCG" | chpasswd
  username: user
  password: Oc9RjXAsCG
- text: |
    echo "user:K40ibiMl+ng" | sudo chpasswd
  username: user
  password: K40ibiMl+ng
Examples that WILL NOT be caught
- The password is an environment variable
- text: |
    echo "user:$MY_PASS" | chpasswd
  username: user
  password: $MY_PASS
- The username and password are the same, and the password is a common value.
- text: |
    echo "root:root" | chpasswd
  username: root
  password: root
- The password is a common value.
- text: |
    echo "user:123456" | chpasswd
  username: user
  password: 123456
Details for chpasswd Username Password
High Recall: False
Validity Check: False
Minimum Number of Matches: 2
Occurrences found for one million commits: 18.4
Prefixed: False
- type: ContentWhitelistPreValidator
  patterns:
    - chpasswd
password:
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^\$[a-zA-Z0-9_]+$
      - ^1234
      - ^your
      - ^test
  - type: EntropyPostValidator
    entropy: 2
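The following is an added example that models the specification and the validator chain above in Python; it is not GitGuardian's own detector code. The extraction regex, the small common-password set and the "caught"/"not caught" outcomes on the page's own examples are constructed assumptions; the banlist patterns and the entropy threshold are the ones listed above.

```python
import math
import re

# Constructed approximation: pull "user:password" pairs that are echoed
# into chpasswd (optionally via sudo), then apply the page's post-validators.
PAIR_RE = re.compile(r'echo\s+"([^":\s]+):([^"\s]+)"\s*\|\s*(?:sudo\s+)?chpasswd')

# ValueBanlistPostValidator patterns, as listed in the detector details.
VALUE_BANLIST = [re.compile(p) for p in (r"^\$[a-zA-Z0-9_]+$", r"^1234", r"^your", r"^test")]

# Constructed stand-in for the CommonPasswordBanlistPostValidator word list.
COMMON_PASSWORDS = {"password", "root", "admin", "123456", "qwerty", "letmein"}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def validate(username: str, password: str) -> bool:
    """Apply the rules from the Specifications section to one candidate pair."""
    if username == password:                       # rule for both matches
        return False
    if password.lower() in COMMON_PASSWORDS:       # CommonPasswordBanlistPostValidator
        return False
    if any(p.search(password) for p in VALUE_BANLIST):  # ValueBanlistPostValidator
        return False
    return shannon_entropy(password) >= 2          # EntropyPostValidator, entropy: 2


def find_chpasswd_credentials(text: str) -> list:
    """Return the (username, password) pairs the modelled detector would report."""
    if "chpasswd" not in text:                     # ContentWhitelistPreValidator
        return []
    return [(u, p) for u, p in PAIR_RE.findall(text) if validate(u, p)]


if __name__ == "__main__":
    # Constructed sample lines, mirroring the examples on this page.
    for line in ('echo "user:Oc9RjXAsCG" | chpasswd',
                 'echo "user:$MY_PASS" | chpasswd',
                 'echo "root:root" | chpasswd'):
        print(line, "->", find_chpasswd_credentials(line))
```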