Username Password
Description
General
The username password detector aims at catching any pair of username/password for which the username is not an email.
This definition is very broad, so to avoid raising many false alerts GitGuardian applies a set of validation steps and specifications that narrow the scope the detector looks at.
Specifications
The two components of the couple that the detector catches are referred to as username and password, and they must be at a reasonable distance from each other inside a document to be flagged.
For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:
For both matches:
- Must be part of an assignment, namely of the form {assigned_variable} {assignment_token} {value}, where {assigned_variable} is either username, password, or a similar string.
- The username and password must not be the same.
username:
- The username must not be an email, nor composed of common words (see banlist hereunder). For couples using an email, see the Company Email Password detector.
password:
- A set of rules filters irrelevant passwords, such as the literal value password, or values that are a URL, a date, or a file name (see banlist hereunder).
Revoke the secret
This detector catches generic credentials, so GitGuardian cannot infer which service is affected. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: |
    username: totolao
    password: AStrangeWith1Char
Examples that WILL NOT be caught
- The username and the password are too far from each other.
- text: |
    username=some.french
    A very long text which increases
    the distance between the matches.
    Of course this text does not mean anything.
    password=abuaoentsubaoeub24234$@3!
- The username is an email.
- text: |
    username=whatever@gitguardian.com
    pass=@StrongOneThisT1me
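As an added illustration (not GitGuardian's code), a simplified Python version of the rules above: assignment form, username not an email, value banlists (small subsets of the ones listed under Details), the entropy cut-off and a maximum distance, run over the page's own examples. The 80-character distance, the assignment regex and the extra "user"/"pass" variable names are assumptions; the page does not state GitGuardian's actual window.

```python
import math
import re
# Assumed assignment shape from the page: {assigned_variable} {assignment_token} {value};
# variable names follow the page's ContentWhitelistPreValidator patterns, plus "user"/"pass".
ASSIGNMENT = re.compile(r"(?im)^[ \t]*(?P<key>username|user|password|passwd|pass)[ \t]*[:=][ \t]*(?P<value>\S+)")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Small subsets of the page's ValueBanlistPostValidator patterns, matched case-insensitively.
PASSWORD_BANLIST = [r"^none", r"^null", r"pass", r"^admin", r"1234", r"test", r"^\$2[ay]\$\d\d\$"]
USERNAME_BANLIST = [r"^none", r"^user", r"^admin", r"test", r"dummy", r"^usr$"]
MAX_GAP = 80         # assumed "reasonable distance": characters between the two matches
MIN_ENTROPY = 1.0    # the page's EntropyPostValidator threshold (entropy: 1) for the password

def shannon_entropy(value: str) -> float:
    """Bits per character; a value made of one repeated character scores 0.0."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def banned(value: str, patterns) -> bool:
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)

def find_credentials(text: str, max_gap: int = MAX_GAP):
    """Return (username, password) pairs that pass every rule described above."""
    users, pwds = [], []
    for m in ASSIGNMENT.finditer(text):
        (users if m.group("key").lower() in ("username", "user") else pwds).append(m)
    hits = []
    for u in users:
        name = u.group("value")
        if EMAIL.match(name) or banned(name, USERNAME_BANLIST):
            continue                 # username must not be an email or a banned common word
        for p in pwds:
            pw = p.group("value")
            if pw == name or banned(pw, PASSWORD_BANLIST) or shannon_entropy(pw) < MIN_ENTROPY:
                continue             # not identical, not a banned value, not too uniform
            gap = max(u.start(), p.start()) - min(u.end(), p.end())
            if gap <= max_gap:       # the two matches must be close enough to each other
                hits.append((name, pw))
    return hits
# Constructed samples: the page's three examples plus one banned-password case.
SAMPLES = {
    "caught": "username: totolao\npassword: AStrangeWith1Char\n",
    "too_far": ("username=some.french\nA very long text which increases\n"
                "the distance between the matches.\nOf course this text does not mean anything.\n"
                "password=abuaoentsubaoeub24234$@3!\n"),
    "email_user": "username=whatever@gitguardian.com\npass=@StrongOneThisT1me\n",
    "banned_pw": "username: totolao\npassword: passw0rd\n",
}

if __name__ == "__main__":
    for label, snippet in SAMPLES.items():
        print(label, find_credentials(snippet))
```

Only the first sample yields a pair; raising max_gap to cover the long text in the second sample makes that pair appear as well, which is the distance rule at work.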
Details for Username Password
High Recall: False
Validity Check: False
Minimum Number of Matches: 2
Occurrences found for one million commits: 473
Prefixed: False
- type: ContentWhitelistPreValidator
  patterns:
    - username
- type: ContentWhitelistPreValidator
  patterns:
    - password
    - passwd
- type: BanMinifiedPreValidator
password:
  - type: DictFilterPostValidator
    threshold_words_pct_matched: 1.0
  - type: ContextWindowBanlistPostValidator
    patterns: ['error', 'invalid']
    window_width: 40
    window_type: 'left'
  - type: AssignmentBanlistPostValidator
    patterns:
      - 'hash'
      - 'salt'
      - '^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$'
  - type: CommonValueBanlistPostValidator
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^\$[A-Z]{3} # env var
      - redacted
      - ^local
      - ^none
      - ^null
      - ^empty
      - ^user
      - pass
      - ^root
      - ^admin
      - ^true
      - ^false
      - ^and
      - ^prompt
      - ^final$
      - ^string$
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^new$
      - ^temp$
      - ^function$
      - ^undefined$
      - ^auth_email$
      - ^false$
      - ^request$
      - test
      - ^req$
      - '1234'
      - ^\$2a\$10\$ # BCrypt hash
      - ^\$2a\$05\$
      - ^\$2y\$13\$ # BCrypt hash
      - ^\$2y\$10\$ # BCrypt hash
      - ^#
      - ^vault
      - ^value$
      - ^java
      - ^ansible
      - ^demo
      - '123213123'
      - ^guest
      - ^visit$
      - ^Coffee123$
      - ^123bla456bla$
      - value
      - ^form
      - ^request
      - ^errors
      - ^before
      - ^wrong pass
      - ^string
      - ^await$
      - ^foo
      - ^change
      - ^disabled
      - ^required
      - ^postgres
      - ^django\.
      - ^please
      - ^validated
      - '%s'
      - ^cleaned
      - \.string$
      - ^wrong
      - ^args\.
      - ^bool(ean)?
      - \/run\/
      - ^url
      - credentialsId
      - field
      - ^open
      - callback
      - validator
      - placeholder
      - anonymous
      - class
      - ^get
      - phone
      - swift
      - type
      - label
      - attribute
      - ^html
      - ^open
      - ^attr
      - text
      - nombre
      - ^ask
      - config
      - input
      - ^enter
      - ^login
      - ^token
      - ^throw
      - credential
      - confirmer
      - ^const
      - ^new
      - ^uid
      - type$
      - model$
      - ^reg
      - ^search
      - nsstring
      - candidate$
      - form$
      - expression
      - ^share
      - presence
      - mysqli_real_escape
      - onchange
      - account
      - base64
      - email$
      - create
      - ^nil$
      - removed
      - mystring
      - function
      - ^-*$
      - sha256
      - '^[0-9]{1,3}.[0-9]{1,3}s'
      - encrypted
      - bcrypt
      - object
      - secure
      - ^salt$
      - ^emit$
      - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
      - ^[^a-z0-9]+$
  - type: EntropyPostValidator
    entropy: 1
username:
  - type: DictFilterPostValidator
    threshold_words_pct_matched: 1.0
  - type: ContextWindowBanlistPostValidator
    patterns: ['default', 'error', 'invalid']
    window_width: 40
    window_type: 'left'
  - type: CommonValueBanlistPostValidator
  - type: CommonUsernameBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - '^none'
      - '1234'
      - ^null
      - ^empty
      - ^user
      - pass
      - ^root
      - ^admin
      - ^true
      - ^false
      - ^and
      - ^self
      - ^raw
      - ^your
      - test
      - sample
      - dummy
      - value
      - name
      - email
      - ^form
      - ^\.?request
      - ^before
      - ^string
      - ^await$
      - ^this
      - ^int
      - ^replace
      - ^foo
      - ^change
      - ^disabled
      - ^required
      - \.string$
      - ^django\.
      - ^please
      - ^validated
      - '%s'
      - ^cleaned
      - ^table\.
      - ^driver\.
      - ^args\.
      - ^bool(ean)?
      - ^url
      - credentialsId
      - field
      - ^open
      - callback
      - validator
      - placeholder
      - anonymous
      - class
      - ^get
      - phone
      - swift
      - type
      - label
      - attribute
      - ^html
      - ^open
      - ^attr
      - text
      - nombre
      - ^ask
      - config
      - input
      - ^enter
      - ^login
      - ^token
      - ^throw
      - credential
      - confirmer
      - ^const
      - ^new
      - ^uid
      - type$
      - model$
      - ^reg
      - ^search
      - nsstring
      - candidate$
      - form$
      - expression
      - ^share
      - presence
      - mysqli_real_escape
      - onchange
      - account
      - base64
      - email$
      - create
      - ^nil$
      - removed
      - mystring
      - function
      - ^local
      - ^[_.-]
      - '[_.-]$'
      - ^void
      - ^from
      - ^char$
      - ^usr$
      - ^no-reply
      - ^hash$