Pattern: Use of hard-coded password strings
Issue: -
The use of hard-coded passwords increases the possibility of password guessing tremendously. This rule looks for all string literals and checks the following conditions:
- assigned to a variable that looks like a password
- assigned to a dict key that looks like a password
- used in a comparison with a variable that looks like a password
Variables are considered to look like a password if their name matches any one of:
- password
- pass
- passwd
- pwd
- secret
- token
- secrete
Note: this can be noisy and may generate false positives.
Example of insecure code:
    if password == "root":
        print("OK, logged in")
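As an added illustration (not part of this page or of the scanner it documents), the following Python script implements the three checks described above with the standard `ast` module and runs them over a constructed sample; the function and helper names are my own.

```python
import ast
import re

# Words the page's rule treats as password-like in a variable or key name.
_NAME_RE = re.compile("password|pass|passwd|pwd|secret|token|secrete", re.IGNORECASE)

def looks_like_password(name):
    return bool(_NAME_RE.search(name))

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def _name_of(node):
    # Identifier of a Name (`password`) or Attribute (`self.password`) target.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None

def find_hardcoded_passwords(source):
    """Return (lineno, kind, name) for every string literal the rule flags."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            # Case 1: literal assigned to a password-like variable.
            for target in node.targets:
                name = _name_of(target)
                if name and looks_like_password(name):
                    findings.append((node.lineno, "assign", name))
        elif isinstance(node, ast.Dict):
            # Case 2: literal stored under a password-like dict key.
            for key, value in zip(node.keys, node.values):
                if (key is not None and _is_str(key) and _is_str(value)
                        and looks_like_password(key.value)):
                    findings.append((node.lineno, "dict", key.value))
        elif isinstance(node, ast.Compare):
            # Case 3: literal compared against a password-like variable.
            operands = [node.left] + node.comparators
            if any(_is_str(n) for n in operands):
                for name in filter(None, map(_name_of, operands)):
                    if looks_like_password(name):
                        findings.append((node.lineno, "compare", name))
    return findings

SAMPLE = """password = "root"
cfg = {"api_token": "abc123", "host": "db"}
ok = passwd == "root"
greeting = "hello"
"""  # constructed sample input, not code from the page
```

Calling `find_hardcoded_passwords(SAMPLE)` reports lines 1 to 3 and stays silent on `greeting`, which also shows why the page warns about noise: any name containing `pass` or `token` is flagged, whatever it actually holds.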